Service Accounts
Introduction
When a backend service (client) does not need to act on behalf of a user but for itself, it can use its service account for authentication.
It authenticates itself using the client credentials and obtains an access token (JWT) that contains the service information and roles.
The grant_type parameter needs to be set to "client_credentials".
Only the access token is returned by default. No refresh token is returned and no user session is created on the Keycloak side upon successful authentication by default. Due to the lack of a refresh token, re-authentication is required when the access token expires.
Prerequisites
The client needs to have its service account enabled and be assigned the desired service roles.
For the example we assume the following client credentials:
clientId: <a-client-id>
clientSecret: *****
NOTE: The client secret for the default client listed above can be found on the PISTIS SharePoint.
NOTE: For factory deployments see: Factory Registry → Keycloak Clients.
Authenticate using a service account
We can obtain the access_token of the service via the following request:
curl --location 'https://auth.pistis-market.eu/realms/PISTIS/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=a-client-id' \
--data-urlencode 'client_secret=*****'
A sample response of the above request will be:
{
"access_token": "eyJhbGciOiJSUzI1Ni....",
"expires_in": 7200,
"token_type": "Bearer"
}
Decode token
Online via JWT.io
The received access_token is a signed JWT and can be decoded, for example using jwt.io.
The decoded JWT will have the following payload:
{
"exp": 1722427989,
"iat": 1722420789,
"jti": "19b582b8-28c5-4a7e-ae0b-0500e11c6bd4",
"iss": "https://auth.pistis-market.eu/realms/PISTIS",
"aud": "account",
"sub": "d952cf23-bf92-4c8f-a3ff-4972b4f2bc5b",
"typ": "Bearer",
"azp": "pistis-test-only",
"acr": "1",
"allowed-origins": [
"*"
],
"realm_access": {
"roles": [
"offline_access",
"uma_authorization",
"default-roles-pistis",
"SRV_NOTIFICATION"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "email profile pistis",
"clientHost": "145.224.101.75",
"clientId": "pistis-test-only",
"email_verified": false,
"pistis": {
"user": {
"role": [
"offline_access",
"uma_authorization",
"default-roles-pistis",
"SRV_NOTIFICATION"
]
}
},
"preferred_username": "service-account-pistis-test-only",
"clientAddress": "145.224.101.75",
"group": []
}
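Because no refresh token is issued, a service has to repeat the client_credentials request once its access token runs out. The following added example (not part of this page or of the PISTIS project) shows a small token provider that caches the token and re-authenticates shortly before expires_in elapses, plus a helper that decodes the JWT payload to read realm_access.roles as shown above. The FakeKeycloak class, the constructed clock value and the unsigned demo tokens are assumptions so the code runs offline; against the real endpoint, post would be an HTTP client sending the form as application/x-www-form-urlencoded.

```python
import base64
import json
import time

TOKEN_URL = "https://auth.pistis-market.eu/realms/PISTIS/protocol/openid-connect/token"

def decode_jwt_payload(token: str) -> dict:
    """Claims from the JWT's middle segment; the signature is NOT checked here."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))

class ServiceAccountTokenProvider:
    """Caches the token and repeats the client_credentials request when it nears expiry."""
    def __init__(self, client_id, client_secret, post, margin=30, now=time.time):
        self._form = {"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret}
        self._post, self._now = post, now  # post: callable(url, form) -> parsed JSON response
        self._margin = margin              # seconds before exp at which we re-authenticate
        self._token, self._expires_at = None, 0.0

    def get_token(self) -> str:
        if self._token is None or self._now() >= self._expires_at - self._margin:
            resp = self._post(TOKEN_URL, self._form)  # no refresh_token: full re-auth
            self._token = resp["access_token"]
            self._expires_at = self._now() + resp["expires_in"]
        return self._token

class FakeKeycloak:
    """Constructed offline stand-in for the token endpoint; issues unsigned (alg none) demo tokens, whereas Keycloak signs with RS256."""
    def __init__(self):
        self.calls = 0

    def post(self, url, form):
        self.calls += 1
        b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
        claims = {"azp": form["client_id"], "jti": str(self.calls),
                  "realm_access": {"roles": ["default-roles-pistis", "SRV_NOTIFICATION"]}}
        return {"access_token": f"{b64({'alg': 'none'})}.{b64(claims)}.",
                "expires_in": 7200, "token_type": "Bearer"}

def demo():
    clock = [1722420789.0]  # constructed clock, starting at the page's iat
    kc = FakeKeycloak()
    provider = ServiceAccountTokenProvider("a-client-id", "*****", kc.post, now=lambda: clock[0])
    first = provider.get_token()
    provider.get_token()     # within lifetime: served from cache, no request
    clock[0] += 7200 - 10    # 10 s before exp, inside the 30 s margin: new request
    second = provider.get_token()
    roles = decode_jwt_payload(first)["realm_access"]["roles"]
    return kc.calls, "SRV_NOTIFICATION" in roles, first != second
```

demo() returns (2, True, True): two token requests in total, the SRV_NOTIFICATION realm role is present, and the re-issued token differs from the cached one.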
