
Dekiru OAuth (できるオーオース): Client Credentials Grant Edition

Posted at 2020-03-22

Last time I installed Keycloak on an Ubuntu VM on Azure; this time let's try out the Client Credentials Grant.
https://qiita.com/namikitakeo/items/f1bb0fa958cf87c80000

Normally you would start with the Authorization Code Grant, which is the most widely used and also the hardest, but this time I want to start with the simplest one, the Client Credentials Grant.

First, log in to Keycloak from the Administration Console as the administrative user (admin). Next, click the Clients menu and select the admin-cli client. Change Access Type from public to confidential, change Service Accounts Enabled from OFF to ON, and click Save.

Now let's obtain an access_token with the Client Credentials Grant. Naturally, the client_id and client_secret differ from environment to environment.

```
# curl -k -d "client_id=admin-cli&client_secret=e2322690-1d9c-427c-882c-cdbf19013410&grant_type=client_credentials" https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/protocol/openid-connect/token

{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJBZ1F6anNzTFRQemlIZlhWWFRTUmJGT3RqVHlkY25IOHN2OHJ0NHdnY2JrIn0.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.Ckg7IqiDrRL63SiyIS0EE3BZ2PT9OX2_XR704sFcwBde49FZx6cygo9wfG7FWe2wKqq3X4EH9UEkQ647pvrkb6ACT1EbVwej0Q_qhbu77W67w5DTOFJIFPIcRDDzFmlkx000vf6x7A1Ctdb_9VDF4HXqeV2GzbzoRN0j2bY6ABPFQolvzePlTahAzd80bfcjxMXNb4JCsPZck6pwcZql9m7Sc8gvouUxzKZv9grIMPZD-pjJOweqBrhBVfWttDHvBBwziKhwZhW-lCrfD7QwbCXw7Y8gE5xBtJ4DdEE-4ltPirWvbZVop2Yf-iaCVXX5ZcW8e-o6GqJazN4cjMNBig","expires_in":60,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI1OTRlZDU5NS02ZDcxLTQ3NjctYTliZC04NTAwZDJhNjhmZmQifQ.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.rk91B9Ej-y9laY3LrppH0-FMf2937PIt0R7xD1llU6s","token_type":"bearer","not-before-policy":0,"session_state":"2f9bb512-1e29-4bdf-acd6-2efabb53c376","scope":"profile email"}
```

Since the access_token was so easy to obtain, let's use it to call the userinfo endpoint.

```
% curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJBZ1F6anNzTFRQemlIZlhWWFRTUmJGT3RqVHlkY25IOHN2OHJ0NHdnY2JrIn0.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.Ckg7IqiDrRL63SiyIS0EE3BZ2PT9OX2_XR704sFcwBde49FZx6cygo9wfG7FWe2wKqq3X4EH9UEkQ647pvrkb6ACT1EbVwej0Q_qhbu77W67w5DTOFJIFPIcRDDzFmlkx000vf6x7A1Ctdb_9VDF4HXqeV2GzbzoRN0j2bY6ABPFQolvzePlTahAzd80bfcjxMXNb4JCsPZck6pwcZql9m7Sc8gvouUxzKZv9grIMPZD-pjJOweqBrhBVfWttDHvBBwziKhwZhW-lCrfD7QwbCXw7Y8gE5xBtJ4DdEE-4ltPirWvbZVop2Yf-iaCVXX5ZcW8e-o6GqJazN4cjMNBig' https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/protocol/openid-connect/userinfo

{"sub":"0b9f9a5f-fdbf-47ba-a20c-5c32175872d7","email_verified":false,"preferred_username":"service-account-admin-cli"}
```

This time, using the client_id/client_secret of a registered confidential client, I obtained an access_token through the OAuth Client Credentials Grant and called the Userinfo endpoint's web API with it. I hope this has given you a little more understanding of OAuth.

# Next time
Dekiru OAuth (できるオーオース): Resource Owner Password Credentials Grant Edition
https://qiita.com/namikitakeo/items/ea23adbc0b5c941ff0ed
