Refresh access_token via refresh_token in Keycloak



Solution 1


Keycloak has a REST API for creating an access_token using a refresh_token. It is a POST endpoint with application/x-www-form-urlencoded.

Here is how it looks:

Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:
client_id : <my-client-name>
grant_type : refresh_token
refresh_token: <my-refresh-token>

This will give you a new access token using the refresh token.

NOTE: if your refresh token is expired it will throw a 400 error; in that case you can make the user log in again.

Check out a sample in Postman; you can develop the corresponding API using this.

Sample in Postman

Original Author Yogendra Mishra Of This Content

Solution 2


@maslick is correct: you have to supply the client secret too; no need for an Authorization header in this case:

http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token


In case of expired refresh token it returns:


If you don’t add the secret you get 401 Unauthorized even though the refresh token is correct.

Original Author Khalifa Of This Content

Solution 3


I tried with 4.8.2.Final; it gives the following unauthorized_client even with the previous access token as ‘Bearer’.
Then I tried with Basic YXBwLXByb3h5OnNlY3JldA== in the Authorization header.
Then it worked, but I’m still not sure that I am doing the right thing.

Original Author Sampath Nawgala Of This Content

Solution 4


Extending Yogendra Mishra’s answer. Note that client_id and client_secret can also be sent in the Authorization header.

Authorization: Basic ${Base64(<client_id>:<client_secret>)}

This works for both the initial token call (without refresh token) and the refresh token call to the /openid-connect/token endpoint.

You don't need to send client_id and secret in the body after setting the auth header.

Reference:
https://developer.okta.com/docs/reference/api/oidc/#client-secret

Original Author Abdul Rauf Of This Content
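The refresh_token grant from Solution 1 combined with the Basic client authentication from Solution 4, as an added example that is not part of any answer above. It builds the request with the client secret in the Authorization header (never in the form body), and maps the token endpoint's status codes to what the caller should do: 200 means the tokens were rotated, 400 means the refresh token is no longer valid and the user must log in again, 401 means the client credentials are wrong. The base URL, realm, client id and secret are constructed sample values; the "app-proxy:secret" pair is the decoded form of the Basic header quoted in Solution 3.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def build_refresh_request(base_url, realm, client_id, client_secret, refresh_token):
    """Return (url, headers, body) for the refresh_token grant.

    base_url includes the "/auth" prefix on older Keycloak versions
    (e.g. "https://keycloak.example.com/auth") and omits it on newer ones.
    The client authenticates with HTTP Basic so the secret is not in the body.
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {creds}",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    )
    return url, headers, body


def interpret(status, text):
    """Map the token endpoint response to an action plus the parsed JSON."""
    try:
        data = json.loads(text)
    except ValueError:
        data = {}
    if status == 200 and "access_token" in data:
        return "rotated", data               # store the new access/refresh pair
    if status == 400:
        return "reauthenticate", data        # refresh token expired or revoked
    if status == 401:
        return "fix_client_credentials", data  # wrong/missing client secret
    return "error", data


def refresh(base_url, realm, client_id, client_secret, refresh_token):
    """Perform the refresh call against a live Keycloak (not run offline)."""
    url, headers, body = build_refresh_request(
        base_url, realm, client_id, client_secret, refresh_token)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # 400/401 arrive here, body still readable
        return interpret(err.code, err.read().decode())
```

The 400 response body from Keycloak carries the standard OAuth "invalid_grant" error; the sample below is a constructed response, not a captured one.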
