The OAuth 2.0 Security Best Current Practice recommends against using the Resource Owner Password Credentials grant type of OAuth2, but if your application must use this grant type, read on. In this tutorial I will show you how to create and configure a Keycloak client that supports the Resource Owner Password Credentials grant type and how to obtain an access token with it.
Suppose I create a new client in Keycloak with the name huongdanjava_resource_owner_password_credentials as follows:
By default, as I said in the previous post, this client supports the Authorization Code and Resource Owner Password Credentials grant types of OAuth2, so you will see the Standard flow and Direct access grants fields selected. We will disable the Standard flow (Authorization Code) grant type and then click the Save button:
Suppose I have a user declared in Keycloak as follows:
To get an access token for this client, we will call the token endpoint of Keycloak's RESTful API with the POST method:

http://${host}:${port}/realms/${realm}/protocol/openid-connect/token

where host and port identify the Keycloak server and realm is the realm that this client belongs to.
In the body of this request, you need to pass the form fields client_id, username, password, and grant_type=password.
In my example, I will request the following URL:

http://localhost:8080/realms/huongdanjava/protocol/openid-connect/token
In the body, client_id is huongdanjava_resource_owner_password_credentials, username is huongdanjava, password is the password of the huongdanjava user, and grant_type is password.
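The same token request written as a small Python script, added here as an example and not taken from the tutorial or from Keycloak itself. It assumes the client is public (no client_secret in the body, matching the request described above), that the server is reached at the host, port and realm used in this tutorial, and it uses only the standard library. The constructed_sample_response function is a constructed stand-in for Keycloak's reply so the parsing and claim inspection can be run offline; the password placeholder in the main block must be replaced with the real one.

```python
"""Obtain an access token from Keycloak with the Resource Owner Password
Credentials grant (grant_type=password), standard library only."""
import base64
import json
import urllib.parse
import urllib.request


def token_endpoint(host: str, port: int, realm: str, scheme: str = "http") -> str:
    """Build the Keycloak token endpoint URL for a realm."""
    return f"{scheme}://{host}:{port}/realms/{realm}/protocol/openid-connect/token"


def build_form(client_id: str, username: str, password: str) -> bytes:
    """Form-encode the ROPC request body (public client, so no client_secret).
    The user's password travels in this body, which is why the endpoint must
    be served over TLS anywhere other than a local test setup."""
    fields = {
        "client_id": client_id,
        "username": username,
        "password": password,
        "grant_type": "password",
    }
    return urllib.parse.urlencode(fields).encode("utf-8")


def parse_token_response(raw: bytes) -> dict:
    """Parse the JSON token response and reject anything we cannot use."""
    data = json.loads(raw)
    if "access_token" not in data:
        # Keycloak reports failures as {"error": ..., "error_description": ...}
        raise RuntimeError(
            f"token request failed: {data.get('error')}: {data.get('error_description')}"
        )
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type: {data.get('token_type')!r}")
    return data


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying its signature.
    Good for inspecting which user and client the token was issued for;
    never use unverified claims for an authorization decision."""
    payload_b64 = token.split(".")[1]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def request_token(host, port, realm, client_id, username, password, scheme="http") -> dict:
    """POST the ROPC request to a live Keycloak and return the parsed response."""
    req = urllib.request.Request(
        token_endpoint(host, port, realm, scheme),
        data=build_form(client_id, username, password),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def constructed_sample_response() -> bytes:
    """CONSTRUCTED token response in Keycloak's shape, for offline runs.
    The JWT carries a dummy signature and would fail verification."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "azp": "huongdanjava_resource_owner_password_credentials",
        "preferred_username": "huongdanjava",
        "iat": 1700000000,
        "exp": 1700000300,
    }).encode())
    token = f"{header}.{payload}.dummysignature"
    body = {"access_token": token, "expires_in": 300, "token_type": "Bearer"}
    return json.dumps(body).encode("utf-8")


if __name__ == "__main__":
    # Placeholder password: replace with the huongdanjava user's real password.
    tokens = request_token(
        "localhost", 8080, "huongdanjava",
        "huongdanjava_resource_owner_password_credentials",
        "huongdanjava", "<password>",
    )
    print(jwt_claims(tokens["access_token"]))
```

The azp claim in the decoded payload should name the client you created and preferred_username the user you signed in as; if Keycloak rejects the credentials, parse_token_response raises with the error and error_description it returned instead of handing back a half-filled dictionary.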
Detailed requests using Postman will be as follows:
The result will look like this: