I use the following code to retrieve (generate) an access token:
const axios = require('axios');
const qs = require('qs');

// Keycloak token endpoint for the realm
const kcTokenEndpoint = `https://${kcHost}/auth/realms/${realm}/protocol/openid-connect/token`;

// Client Credentials grant: the client authenticates with its own id/secret
const response = await axios({
    method: 'POST',
    url: kcTokenEndpoint,
    data: qs.stringify({
        client_id: keycloakClientId,
        client_secret: keycloakClientSecret,
        grant_type: 'client_credentials',
    }),
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
    },
    withCredentials: true,
});
The JWT in response.data.access_token is valid for 5 minutes. Should I be using it to fetch a longer-lived (10 hour) session token? Should I just be fetching a session token from the start?
I can’t really find any documentation on how token generation and/or token exchange should be used in a Client Credentials flow, e.g. an application that accesses a remote API which expects a signed JWT.
Basically the M2M flow that Auth0 offers.
Thank you for any info.
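As an added example (not code from the original post or from Keycloak), here is one way to work with the 5-minute access token in a Client Credentials flow: cache it and request a fresh one from the same token endpoint shortly before it expires, instead of exchanging it for a longer-lived token. The host, realm and client names are placeholders, and the token request is injected so the code runs offline.

```javascript
// Added example, not the original poster's code. Caches the short-lived
// client_credentials access token and re-requests it near expiry.
// kcHost/realm/clientId/clientSecret are placeholders, not real values.

// Build the same request as the post (URL + form body) without sending it.
function buildTokenRequest(kcHost, realm, clientId, clientSecret) {
  return {
    url: `https://${kcHost}/auth/realms/${realm}/protocol/openid-connect/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      client_id: clientId,
      client_secret: clientSecret,
      grant_type: 'client_credentials',
    }).toString(),
  };
}

// Read the exp claim (seconds since epoch) from the JWT payload. No signature
// check here: the client only uses exp to schedule its own refresh; the
// resource server receiving the token is what must verify the signature.
function decodeJwtExp(jwt) {
  const payload = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(payload, 'base64').toString('utf8')).exp;
}

// Refresh when there is no token or it is within skewSeconds of its exp.
function needsRefresh(cached, nowSeconds, skewSeconds) {
  return !cached || cached.exp - skewSeconds <= nowSeconds;
}

// requestToken(): Promise<{ access_token, expires_in }>  (injected, e.g. axios)
// now(): current time in seconds (injected so tests can control the clock)
function createTokenProvider(requestToken,
  { skewSeconds = 30, now = () => Date.now() / 1000 } = {}) {
  let cached = null;
  return async function getAccessToken() {
    if (needsRefresh(cached, now(), skewSeconds)) {
      const body = await requestToken();
      // Fall back to expires_in if the token carries no exp claim.
      const exp = decodeJwtExp(body.access_token) ?? now() + body.expires_in;
      cached = { token: body.access_token, exp };
    }
    return cached.token;
  };
}

// Constructed, unsigned test JWT (header.payload.) so the example runs offline.
function makeTestJwt(exp) {
  const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${b64url({ alg: 'none' })}.${b64url({ exp })}.`;
}
```

In production, requestToken would send buildTokenRequest(...) with axios or fetch and return the parsed JSON body.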