What are Keycloak s OAuth2 OpenID Connect endpoints

Question

We are trying to evaluate Keycloak as an SSO solution  and it looks good in many respects  but the documentation is painfully lacking in the basics   For a given Keycloak installation on http   localhost 8080  for realm test  what are the OAuth2 Authorization Endpoint  OAuth2 Token Endpoint and OpenID Connect UserInfo Endpoint    We are not interested in using Keycloak s own client library  we want to use standard OAuth2   OpenID Connect client libraries  as the client applications using the keycloak server will be written in a wide range of languages  PHP  Ruby  Node  Java  C   Angular   Therefore the examples that use the Keycloak client aren t of use for us

User · Answer

In version 1 9 0 json with all endpoints is at address  auth realms  realm    Authorization Endpoint   auth realms  realm  account Token Endpoint   auth realms  realm  protocol openid-connect

User · Answer

FQDN auth realms  realm name   well-known openid-configuration  you will see everything here  plus if the identity provider is also Keycloak then feeding this URL will setup everything also true with other identity providers if they support and they already handled it

User · Answer

Actually link to  well-know is on the first tab of your realm settings - but link doesn t look like link  but as value of text box    bad ui design  Screenshot of Realm s General Tab

User · Answer

You can also see this information by going into Admin Console -  Realm Settings -  Clicking the hyperlink on the Endpoints field

User · Answer

keycloak version  4 6 0   TokenUrl   domain  auth realms  REALM NAME  protocol openid-connect token AuthUrl   domain  auth realms  REALM NAME  protocol openid-connect auth

User · Answer

After much digging around we were able to scrape the info more or less  mainly from Keycloak s own JS client lib     Authorization Endpoint   auth realms  realm  tokens login Token Endpoint   auth realms  realm  tokens access codes   As for OpenID Connect UserInfo  right now  1 1 0 Final  Keycloak doesn t implement this endpoint  so it is not fully OpenID Connect compliant  However  there is already a patch that adds that as of this writing should be included in 1 2 x   But - Ironically Keycloak does send back an id token in together with the access token  Both the id token and the access token are signed JWTs  and the keys of the token are OpenID Connect s keys  i e    iss      realm    sub     5bf30443-0cf7-4d31-b204-efd11a432659   name    Amir Abiri   email          So while Keycloak 1 1 x is not fully OpenID Connect compliant  it does  speak  in OpenID Connect language

User · Answer

For Keycloak 1 2 the above information can be retrieved via the url     http   keycloakhost keycloakport auth realms  realm   well-known openid-configuration   For example  if the realm name is demo      http   keycloakhost keycloakport auth realms demo  well-known openid-configuration   An example output from above url          issuer    http   localhost 8080 auth realms demo        authorization endpoint    http   localhost 8080 auth realms demo protocol openid-connect auth        token endpoint    http   localhost 8080 auth realms demo protocol openid-connect token        userinfo endpoint    http   localhost 8080 auth realms demo protocol openid-connect userinfo        end session endpoint    http   localhost 8080 auth realms demo protocol openid-connect logout        jwks uri    http   localhost 8080 auth realms demo protocol openid-connect certs        grant types supported              authorization code            refresh token            password              response types supported              code              subject types supported              public              id token signing alg values supported              RS256              response modes supported              query            Found information at https   issues jboss org browse KEYCLOAK-571  Note  You might need to add your client to the Valid Redirect URI list

User · Answer

With version 1 9 3 Final  Keycloak has a number of OpenID endpoints available  These can be found at  auth realms  realm   well-known openid-configuration  Assuming your realm is named demo  that endpoint will produce a JSON response similar to this        issuer    http   localhost 8080 auth realms demo      authorization endpoint    http   localhost 8080 auth realms demo protocol openid-connect auth      token endpoint    http   localhost 8080 auth realms demo protocol openid-connect token      token introspection endpoint    http   localhost 8080 auth realms demo protocol openid-connect token introspect      userinfo endpoint    http   localhost 8080 auth realms demo protocol openid-connect userinfo      end session endpoint    http   localhost 8080 auth realms demo protocol openid-connect logout      jwks uri    http   localhost 8080 auth realms demo protocol openid-connect certs      grant types supported          authorization code        implicit        refresh token        password        client credentials          response types supported          code        none        id token        token        id token token        code id token        code token        code id token token          subject types supported          public          id token signing alg values supported          RS256          response modes supported          query        fragment        form post          registration endpoint    http   localhost 8080 auth realms demo clients-registrations openid-connect      As far as I have found  these endpoints implement the Oauth 2 0 spec

User · Answer

Following link Provides JSON document describing metadata about the Keycloak   auth realms  realm-name   well-known openid-configuration   Following information reported with Keycloak 6 0 1 for master realm          issuer   http   localhost 8080 auth realms master       authorization endpoint   http   localhost 8080 auth realms master protocol openid-connect auth       token endpoint   http   localhost 8080 auth realms master protocol openid-connect token       token introspection endpoint   http   localhost 8080 auth realms master protocol openid-connect token introspect       userinfo endpoint   http   localhost 8080 auth realms master protocol openid-connect userinfo       end session endpoint   http   localhost 8080 auth realms master protocol openid-connect logout       jwks uri   http   localhost 8080 auth realms master protocol openid-connect certs       check session iframe   http   localhost 8080 auth realms master protocol openid-connect login-status-iframe html       grant types supported             authorization code          implicit          refresh token          password          client credentials            response types supported             code          none          id token          token          id token token          code id token          code token          code id token token            subject types supported             public          pairwise            id token signing alg values supported             PS384          ES384          RS384          HS256          HS512          ES256          RS256          HS384          ES512          PS256          PS512          RS512            userinfo signing alg values supported             PS384          ES384          RS384          HS256          HS512          ES256          RS256          HS384          ES512          PS256          PS512          RS512          none            request object signing alg values supported             PS384          ES384          RS384          ES256          RS256          ES512          PS256          PS512          RS512          none            response modes supported             query          fragment          form post            registration endpoint   http   localhost 8080 auth realms master clients-registrations openid-connect       token endpoint auth methods supported             private key jwt          client secret basic          client secret post          client secret jwt            token endpoint auth signing alg values supported             RS256            claims supported             aud          sub          iss          auth time          name          given name          family name          preferred username          email            claim types supported             normal            claims parameter supported  false      scopes supported             openid          address          email          microprofile-jwt          offline access          phone          profile          roles          web-origins            request parameter supported  true      request uri parameter supported  true      code challenge methods supported             plain          S256            tls client certificate bound access tokens  true      introspection endpoint   http   localhost 8080 auth realms master protocol openid-connect token introspect

[keycloak] What are Keycloak's OAuth2 / OpenID Connect endpoints?

Examples related to keycloak