In our design, we plan to use Keycloak only for user profile management and authentication. We will NOT use Keycloak to secure our application, nor to do permission enforcement.
One use case will be:
- A user logs in to Keycloak using their own credentials. Now I try to use the curl command below:
curl \
  -d "client_id=admin-cli" \
  -d "username=bubu" \
  -d "password=pw0" \
  -d "grant_type=password" \
  "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token"
Then I get two tokens: access_token and refresh_token.
I think it is obvious that the access_token can be attached to the following requests to access our other applications.
- After our application gets a request with the access_token, the application needs to validate the token in order to secure the resource. In this case, we plan to add some custom claims and a built-in claim (client roles) for validation and permissions.
I did some investigation, and it seems that adding claims to the JWT is only supported for a registered client (via a mapper).
In this case, I have two questions:
- Is it possible to add customized/built-in claims to the access JWT without a specific client?
- If the answer to question 1 is no, then we have to register our application as a client and configure it under the Mappers tab. In this case, what REST API can I use to get the JWT for this client?
Is it possible to give a curl example?
Thanks in advance.
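The flow the post describes, as an added example that is not part of the original post: the same Resource Owner Password grant as the curl command above, but aimed at a confidential client of our own (so the client's mappers are applied to the issued access token), followed by a helper that decodes the token payload so the claims can be inspected. The client name "myapp", its secret, the realm "demo" and the Keycloak URL are assumptions for illustration. Decoding the payload only shows what the token carries; the application still has to verify the signature against the realm keys (the realm's JWKS endpoint is `.../protocol/openid-connect/certs`) before trusting any claim.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes a Keycloak realm "demo" reachable at $KC_URL and a confidential
# client "myapp" whose mappers add the claims we want to inspect.
set -e

KC_URL="${KC_URL:-http://localhost:8080/auth}"
REALM="${REALM:-demo}"

# Resource Owner Password grant against a confidential client.
# Prints the raw JSON token response (access_token, refresh_token, ...).
# For a confidential client Keycloak requires client_secret in addition
# to the user's credentials; a public client would omit it.
kc_password_grant() {
  client_id="$1"; client_secret="$2"; user="$3"; pass="$4"
  curl -sS \
    -d "client_id=$client_id" \
    -d "client_secret=$client_secret" \
    -d "username=$user" \
    -d "password=$pass" \
    -d "grant_type=password" \
    "$KC_URL/realms/$REALM/protocol/openid-connect/token"
}

# Decode the payload (second dot-separated segment) of a compact JWT.
# JWT segments are base64url without padding, so convert the alphabet
# back to standard base64 and restore the "=" padding before decoding.
# This does NOT verify the signature; it is for inspecting claims only.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2)
  seg=$(printf '%s' "$seg" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Pull a top-level string claim ("sub", "azp", "preferred_username", ...)
# out of a decoded payload without jq. Good enough for a quick look;
# a real application should parse the JSON with a proper JWT library.
jwt_claim() {
  tok="$1"; claim="$2"
  jwt_payload "$tok" | sed -n "s/.*\"$claim\":\"\([^\"]*\)\".*/\1/p"
}

# Usage (needs a running Keycloak; not executed here):
#   resp=$(kc_password_grant myapp "$CLIENT_SECRET" bubu pw0)
#   tok=$(printf '%s' "$resp" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
#   jwt_payload "$tok"         # inspect resource_access / custom claims
#   jwt_claim "$tok" azp       # "myapp": the client the token was issued to
```

The `azp` (authorized party) claim in the decoded payload tells you which client the token was issued to, and the per-client roles the post refers to show up under `resource_access.<client_id>.roles` only when the token was requested through that client, which is why the request goes to "myapp" rather than "admin-cli".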