Viewing the tokens from Postgres Database.


Amal Antony

Oct 12, 2022, 3:42:09 AM
to Keycloak Dev
Hi,

Does the Postgres database of Keycloak store the tokens that Keycloak has issued after flows like Client Credentials, Authorization Code Grant flows, etc.?
If yes, in which table does it store them?
Can we view those tokens using the Postgres database of Keycloak?

Regards,
Amal Antony

Vlasta Ramik

Oct 12, 2022, 5:59:58 AM
to keyclo...@googlegroups.com

Hello,

If you use the legacy store, then these objects are stored within Infinispan only. If you use the new storage [1], then it could be configured in a way that these objects would be stored in the Postgres database. Then the table name would be 'kc_single_use_obj'.

[1] https://www.keycloak.org/2022/07/storage-map


Amal Antony

Oct 18, 2022, 1:17:10 AM
to Keycloak Dev
Hi,

I used the 'map-storage' method you suggested, but I was not able to find any rows inside the table 'kc_single_use_obj'. I searched in other tables as well for viewing the tokens, but I couldn't find any token-related data.

I started my Keycloak in development mode as documented in the blog: "bin/kc.sh start-dev --storage=jpa --db-url=<jdbc-url> --db-username=<username> --db-password=<password>". Are there any further configurations to add with this, so that I could view the tokens after Authorization Code Grant flows?

Regards,
Amal Antony

Michal Hajas

Oct 18, 2022, 2:55:35 AM
to Amal Antony, Keycloak Dev
Hello Amal,

There is no reason to store tokens in Keycloak database, so I would say Keycloak is not storing them. Why do you want to see/store them? What is your use-case?

The only scenario when Keycloak is storing tokens is when Keycloak acts as identity broker (when it is not Keycloak here eating the token but some other IDP) and it is stored somewhere in user area tables. I can check to give you exact details if you are interested.

Michal

Michal Hajas

Oct 18, 2022, 4:04:13 AM
to Amal Antony, Keycloak Dev
Amal, please use the reply all button when responding so other people can see your responses in this thread.
 
> Did you mean the token in the 'federated_identity' table? That is basically the Identity Provider's (IdP's) token, right?

Yes, this is the token sent from the IDP to Keycloak.

> I want to know the link between the IdP's token and Keycloak's token. Can we introspect the IdP's token in any way? Is there a way to add an introspection endpoint for the IdP? My objective is mainly to add custom claims in tokens. Is the only way to achieve this by implementing SPIs?

Depends on what you want to achieve. It is possible to create IDP mappers [1]; using the mappers it is possible to add claims to Keycloak-generated tokens based on the token obtained from the IDP that authenticated the user.


On Tue, Oct 18, 2022 at 9:23 AM Amal Antony <amalan...@gmail.com> wrote:
> Hi Michal,
>
> Did you mean the token in the 'federated_identity' table? That is basically the Identity Provider's (IdP's) token, right?
>
> I want to know the link between the IdP's token and Keycloak's token. Can we introspect the IdP's token in any way? Is there a way to add an introspection endpoint for the IdP?
>
> My objective is mainly to add custom claims in tokens. Is the only way to achieve this by implementing SPIs?
>
> If I could get the tokens from the database, we have a module (in our project) that could call that particular table and validate those fields.

Amal Antony

Oct 18, 2022, 5:29:56 AM
to Keycloak Dev
Hi,

Yes, I have tried with the IdP mappers. But I couldn't retrieve fields from the IdP's access token and stamp them into Keycloak's access token.

When I tried with fields in the IdP's ID token, some of the fields were imported but some were not.

But I was able to import all the fields from the user info URL of the IdP into Keycloak's access token.

Why am I not able to import fields from the IdP's access token into Keycloak's access token?

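As an added illustration (not part of this thread and not Keycloak's own code), the Python script below shows how an operator can check which claims each artifact returned by an IdP actually carries before expecting a mapper to copy them. It works on a constructed token response in the shape of the JSON blob that Keycloak keeps for a brokered login when the identity provider's "Store Tokens" option is on (that layout, the field names and the sample claims are assumptions here). A mapper can only copy a claim from an artifact that contains it: a claim present in the ID token or the userinfo response is not necessarily present in the access token, and an access token may not be a JWT at all.

```python
import base64
import json
from typing import Dict, List, Optional, Set


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT for the sample data below.

    The third segment is a dummy placeholder, so this is NOT a valid token;
    it only gives the decoder something JWT-shaped to inspect.
    """
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


# Constructed sample token response from an upstream IdP (assumption: this is
# the kind of JSON a broker persists when token storage is enabled).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "access_token": make_sample_jwt(
        {"sub": "u-123", "scope": "openid profile email", "exp": 1700000000}
    ),
    "id_token": make_sample_jwt(
        {"sub": "u-123", "email": "user@example.com",
         "given_name": "Sample", "exp": 1700000000}
    ),
})


def decode_jwt_claims(token: str) -> Optional[dict]:
    """Return the payload claims of a JWT, or None for an opaque token.

    This decodes without verifying the signature: it is a diagnostic view of
    what the token carries, not an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque (non-JWT) token: no claims to read at all
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


def claims_by_artifact(token_response_json: str) -> Dict[str, Set[str]]:
    """Map each artifact in the stored token response to its claim names."""
    data = json.loads(token_response_json)
    result: Dict[str, Set[str]] = {}
    for name in ("access_token", "id_token"):
        token = data.get(name)
        claims = decode_jwt_claims(token) if isinstance(token, str) else None
        result[name] = set(claims) if claims else set()
    return result


def missing_from_access_token(token_response_json: str, wanted: List[str]) -> List[str]:
    """List the wanted claims that the IdP access token does not carry."""
    present = claims_by_artifact(token_response_json)["access_token"]
    return [claim for claim in wanted if claim not in present]


if __name__ == "__main__":
    for artifact, names in claims_by_artifact(SAMPLE_TOKEN_RESPONSE).items():
        print(f"{artifact}: {sorted(names)}")
    print("not in access token:",
          missing_from_access_token(SAMPLE_TOKEN_RESPONSE, ["sub", "email", "given_name"]))
```

Run against a real stored token response, the output tells you in advance which claims a mapper reading the access token can never supply, and flags an opaque access token (no claims at all) so the mapper can be pointed at the ID token or the userinfo endpoint instead.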