83

I need to keep the user logged in to the system if the user's access_token has expired and the user wants to stay logged in. How can I get a newly updated access_token using the refresh_token on Keycloak?

I am using vertx-auth for the auth implementation with Keycloak on vert.x. Is it possible to refresh the access_token with vertx-auth or with Keycloak's REST API itself? Or is there another way to implement this?

5 Answers

176

Keycloak has a REST API for creating an access_token using a refresh_token. It is a POST endpoint with an application/x-www-form-urlencoded body.

Here is how it looks:

Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:
  client_id: <my-client-name>
  grant_type: refresh_token
  refresh_token: <my-refresh-token>

This will give you a new access token using the refresh token.

NOTE: if your refresh token is expired it will return a 400 error, in which case you can make the user log in again.

Check out the sample in Postman; you can develop the corresponding API call using this.

Sample in Postman


12 Comments

I tried this with 2.5.4 and it still requires the client secret for this request. It makes no sense though as to why the client secret will be required if the refresh token is being provided.
The client secret is required only if it is a confidential client. Public clients do not require the client secret.
Can someone explain why the client secret is required when refreshing a token for a confidential client?
@all, why is the refresh token in JWT format? Stateless, but Google and Auth0 use stateful.
@Kimble a confidential client in Keycloak is meant for server applications, where storing a client secret is secure. Take a look at the docs [here](keycloak.org/docs/6.0/server_admin/#oidc-clients)
14

@maslick is correct, you have to supply the client secret too; no need for an Authorization header in this case:

http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token


In the case of an expired refresh token it returns an error response.

If you don't add the secret you get 401 Unauthorized even though the refresh token is correct.

1 Comment

I have just tested it; you only need the client secret if the client that issued the token is confidential.
3

Extending Yogendra Mishra's answer. Note that client_id and client_secret can also be sent in Authorization header.

Authorization: Basic ${Base64(<client_id>:<client_secret>)}

This works for both the initial token call (without a refresh token) and the refresh token call to the /openid-connect/token endpoint.

You don't need to send client_id and secret in the body after setting the Authorization header.

Reference: https://developer.okta.com/docs/reference/api/oidc/#client-secret
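The refresh request from the first answer and the client-secret handling from the later ones, as an added example that is not part of any answer here (Python rather than vert.x, since the point is the HTTP exchange). It assumes the hypothetical names `build_refresh_request`, `refresh_access_token` and `fake_keycloak`; the token values and the offline stand-in for the endpoint are constructed, and the 400 `invalid_grant` response is the "refresh token expired, make the user log in again" case the first answer describes.

```python
import base64
import io
import json
from contextlib import nullcontext
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

def build_refresh_request(base_url, realm, client_id, refresh_token, client_secret=None):
    """POST to Keycloak's token endpoint with grant_type=refresh_token.
    base_url is e.g. http://localhost:8080 (append /auth for the older, pre-17 URL layout)."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        fields["client_id"] = client_id  # public client: client_id in the form body is enough
    else:  # confidential client: client_id:client_secret as HTTP Basic instead of in the body
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    return Request(url, data=urlencode(fields).encode(), headers=headers, method="POST")

def refresh_access_token(req, opener=urlopen):
    """Return the new token pair, or None when Keycloak answers 400 invalid_grant
    (refresh token expired or revoked), which is the signal to send the user back to login."""
    try:
        with opener(req) as resp:
            body = json.loads(resp.read())
    except HTTPError as err:
        detail = json.loads(err.read() or b"{}")
        if err.code == 400 and detail.get("error") == "invalid_grant":
            return None
        raise  # 401 etc. means a client/secret problem, not an expired session
    return {"access_token": body["access_token"], "refresh_token": body["refresh_token"]}

def fake_keycloak(req):
    """Constructed stand-in for the token endpoint (no network): one refresh token is accepted,
    anything else gets the 400 invalid_grant Keycloak returns for an expired refresh token."""
    fields = parse_qs(req.data.decode())
    if fields.get("refresh_token") == ["still-valid"]:
        ok = {"access_token": "new-access", "refresh_token": "new-refresh", "expires_in": 300}
        return nullcontext(io.BytesIO(json.dumps(ok).encode()))
    err = {"error": "invalid_grant", "error_description": "Token is not active"}
    raise HTTPError(req.full_url, 400, "Bad Request", {}, io.BytesIO(json.dumps(err).encode()))

if __name__ == "__main__":
    req = build_refresh_request("http://localhost:8080", "myrealm", "my-client", "still-valid")
    print(refresh_access_token(req, opener=fake_keycloak))
    print(refresh_access_token(build_refresh_request("http://localhost:8080", "myrealm",
                                                     "my-client", "expired"), opener=fake_keycloak))
```

Against a real server, drop the `opener` argument so `urlopen` performs the request; the Basic credentials built for `app-proxy`/`secret` match the header value quoted in the last answer.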


3

July 2024

I used this dockerized version: quay.io/keycloak/keycloak:25.0.2

On the latest version, the URL for refreshing a token has changed a little:

{{host}}/realms/master/protocol/openid-connect/token

An example of host is http://localhost:8080

1 Comment

So, it's the same as the authorization_code token endpoint, and the only difference is the grant_type that's used, correct? refresh_token instead of authorization_code? Just to confirm this.
1

I tried with 4.8.2.Final; it gives the following unauthorized_client error even with the previous access token as 'Bearer'. Then I tried with Basic YXBwLXByb3h5OnNlY3JldA== in the Authorization header. Then it worked, but I'm still not sure that I am doing the right thing.

3 Comments

For the Authorization header it all comes down to what the server is looking for in the header value. If this works then you're probably not incorrect.
You're probably using a confidential client, so you need to include client_secret in the request.
Why would anyone want to use a refresh token if I have to pass client_secret for a confidential client? IMO, Keycloak should return the access_token just by passing client_id and refresh_token, since it acts like a secret.
