How To Get Access Token From Keycloak Using Postman

Accessing Keycloak with Postman: A Comprehensive Guide for API Testing

Introduction

Keycloak is a powerful and flexible open-source identity and access management (IAM) solution. It provides a central and secure way to manage users, roles, and permissions for your applications. You can leverage Keycloak’s robust authentication features to secure your APIs and ensure only authorized users can access sensitive data.

Postman is a widely used API platform for building, testing, and documenting APIs. It provides powerful tools for interacting with APIs, including the ability to send requests and inspect responses. Combining Postman with Keycloak allows you to automate your API testing workflows and ensure that your security measures are robust.

This comprehensive guide will walk you through step-by-step instructions on how to obtain an access token from Keycloak using Postman, enabling you to gain access to your Keycloak-secured APIs for testing purposes.

1. Keycloak Setup: Essential Prerequisites

Before diving into the Postman implementation, ensure you have a Keycloak server up and running. If you don’t have one, refer to the Keycloak documentation for installation and configuration instructions.

Keycloak provides a user-friendly admin console for managing users, roles, and applications. You can create a new client application within Keycloak to represent your API.

Important: For this tutorial, we’ll utilize a client application named “my-api” with the following parameters:

• Client ID: my-api
• Client Secret: my-api-secret
• Access Type: Confidential
• Valid Redirect URIs: (Leave it blank for now)

Note: Keycloak uses a client secret, stored securely on your application’s server, to authenticate requests from your API. Keep this secret confidential.

2. Setting up a Postman Collection: Organizing Your Requests

Within Postman, create a new collection to organize your API test requests. This collection will serve as a central hub for all your Keycloak token-related calls and API interactions.

3. Obtaining an Access Token with Postman: The Key to API Access

This is where the magic happens. We’ll leverage Postman to generate an access token, which will then be used to authorize subsequent API requests.

3.1 The Authentication Endpoint: Keycloak’s Gatekeeper

Keycloak provides a dedicated Token Endpoint designed specifically for retrieving access tokens. This endpoint facilitates the authentication process and ensures secure access to your API.

Endpoint URL: Typically, this endpoint is located at https://your-keycloak-server/auth/realms/your-realm/protocol/openid-connect/token.

Example:

https://keycloak.example.com/auth/realms/my-realm/protocol/openid-connect/token

Replace:

• your-keycloak-server with your actual Keycloak server URL.
• your-realm with the name of your Keycloak realm.

3.2 Postman: Constructing the Authentication Request

Navigate to your Postman collection and create a new request.

Request Method: POST

Request URL: The Token Endpoint URL from the previous step.

Headers:

• Content-Type: application/x-www-form-urlencoded

Body:

Use the form-data format to send the following parameters:

• grant_type: password
• client_id: my-api
• client_secret: my-api-secret
• username: Your Keycloak username
• password: Your Keycloak password

Sample Code:

{
  "grant_type": "password",
  "client_id": "my-api",
  "client_secret": "my-api-secret",
  "username": "john.doe",
  "password": "password123"
}

Important Notes:

• Security: Never hardcode your credentials directly into your Postman requests. For production environments, use environment variables or secrets management for secure storage.
• Client ID & Secret: Replace my-api and my-api-secret with your actual Keycloak client application’s values.

3.3 Executing the Request and Extracting the Access Token

Send the request using Postman. If the authentication succeeds, you’ll receive an HTTP 200 OK response. The response body will contain a JSON payload that includes your precious access token:

Sample Response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNjg0MjI1NjAwLCJleHAiOjE2ODQyMzI4NjB9.e3U2t4-0a2h_wC9IuQ71lC1N6QkYx2a4U54aT8O8Y",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "refresh_token_value"
}

Extracting the Access Token: Copy the value of the access_token field, which is the most crucial part for authorizing API calls.

4. Using the Access Token to Access Your API: The Power of Authentication

Now, you have your access token! This token will be the key to unlocking your Keycloak-secured API.

4.1 Authorizing API Requests: Adding the Token to Your Headers

Use the access token in subsequent API requests by adding it to the Authorization header with the Bearer scheme:

Authorization Header:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNjg0MjI1NjAwLCJleHAiOjE2ODQyMzI4NjB9.e3U2t4-0a2h_wC9IuQ71lC1N6QkYx2a4U54aT8O8Y

Replace:

• The access token value with your actual access token.

4.2 Testing Your API: Verifying Access and Functionality

Finally, you’re ready to test your API endpoints using Postman. Send API requests to your protected endpoints with the correctly formatted Authorization header.

Example:

Let’s assume you have an API endpoint at https://api.example.com/users that requires authentication.

Request:

• Request Method: GET
• Request URL: https://api.example.com/users
• Authorization Header: Authorization: Bearer [your-access-token]

Note: Replace [your-access-token] with your acquired access token.

If the request is successful, you’ll receive a 200 OK response with the desired data. This confirms that your API is secure and requires proper authentication through Keycloak.

Keycloak Access Token Management: Best Practices for Secure API Testing

• Environment Variables: Store sensitive information like your client secret and access token in environment variables within Postman. This ensures that your credentials are not directly embedded in your requests.

• Secrets Management: For production environments, consider using a dedicated secrets management service to securely store your credentials and reduce the risk of exposing them.

• Token Expiration: Pay attention to the expires_in value in the token response. Access tokens are typically short-lived. Your API tests need to be designed to handle token expiration and refresh tokens, if applicable, for long-running testing scenarios.

• Refresh Tokens: Keycloak supports refresh tokens, allowing you to obtain new access tokens without needing to re-authenticate with user credentials. Use a dedicated Postman request to refresh your access token when necessary.

• Security Testing: Integrate Keycloak token-based authentication within your API security testing practices to ensure that your API is robust against unauthorized access and data breaches.

Conclusion: Empowering Secure API Testing with Keycloak and Postman

This guide has provided you with all the essential knowledge you need to interact with Keycloak for secure API testing using Postman. By leveraging the power of Keycloak’s authentication features and Postman’s API testing capabilities, you can ensure that your APIs are not only robust but also securely protected.