
How To Get Token From Keycloak Using Postman

API Testing Blog

Getting Tokens from Keycloak using Postman

Keycloak is a popular open-source identity and access management solution. For many APIs, authentication with Keycloak is a mandatory step. This guide demonstrates how to use Postman to obtain access tokens from Keycloak, a crucial aspect of API testing.

Understanding Keycloak Authentication Flow

Keycloak implements the OAuth 2.0 and OpenID Connect standards. The common flow for obtaining access tokens involves:

  1. Authorization Request: The client sends an authorization request to Keycloak containing the requested scopes.
  2. User Authentication: The user is redirected to Keycloak for login.
  3. Token Issuance: Upon successful login, Keycloak issues an access token and a refresh token to the client.
  4. API Access: The client uses the access token to make authenticated calls to the protected API.

The password grant used in this guide collapses steps 1 to 3 into a single request: the user's credentials are posted straight to the token endpoint, so there is no browser redirect to handle in Postman.

Step-by-Step Guide: Obtaining a Token Using Postman

1. Keycloak Configuration:

  • Obtain Credentials: Obtain the Keycloak server URL, the realm name, the client ID and, for confidential clients, the client secret. These values are usually provided by the API developer.

2. Setting up the Postman Environment:

  • Environment Variables: Create a new Postman environment and store the following key-value pairs:
    • keycloak_url: Your Keycloak server URL (e.g., http://localhost:8080/auth; Keycloak 17 and later drop the /auth prefix, so check which version you are talking to).
    • realm_name: The name of the realm your client belongs to.
    • client_id: Your specific Keycloak application client ID.
    • client_secret: Your specific Keycloak application client secret.

3. Authorization Request:

  • Create a New Request: In Postman, create a new request.
  • Request Method: Select POST as the request method.
  • Request URL: Assemble the URL using the environment variables: {{keycloak_url}}/realms/{{realm_name}}/protocol/openid-connect/token
  • Headers: Include the following headers:
    • Content-Type: application/x-www-form-urlencoded
  • Body: Select the x-www-form-urlencoded body type (it must match the Content-Type header above; Postman's form-data option sends a multipart body, which the token endpoint does not read as form parameters) and add the following key-value pairs:
    • grant_type: password
    • username: Your Keycloak username.
    • password: Your Keycloak password.
    • client_id: {{client_id}}
    • client_secret: {{client_secret}} (confidential clients only; public clients omit it)
  • Note: The password grant is what Keycloak calls a direct access grant, and the client must have "Direct access grants" enabled in Keycloak or the request is rejected.

4. Sending the Request:

  • Send the Request: Execute the request in Postman.
  • Success Response: Upon successful authentication, Keycloak responds with a JSON object containing the access token, refresh token, and other details:

    {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "token_type": "Bearer",
      "expires_in": 3600,
      "scope": "openid profile email"
    }

5. Accessing the Access Token

  • The access token is readily available in the response body. You can copy and paste it into your API testing scripts or use it directly in the Authorization header of subsequent API calls.

6. Saving the Token (Optional):

  • Global Variables: To reuse the access token for subsequent requests, store it as a Postman global variable. A stored token is a live credential, so keep exported environments that contain one out of version control.
  • Use the {{access_token}} variable in the authorization header when making API calls:

    Authorization: Bearer {{access_token}}

Additional Notes

  • Authentication Flow Variations:
    • Client Credentials Grant: If your application is a server-side app acting on its own behalf (no end user), use the client_credentials grant type in the body of the token request. This grants access based on your client ID and secret without user authentication; in Keycloak the client must have service accounts enabled for this grant.
    • Refresh Tokens: When the access token expires, send the refresh token to the same token endpoint (grant_type: refresh_token) to obtain a new access token instead of asking the user to log in again.
  • Scope Management: Define the necessary permissions (scopes) for your client in Keycloak to restrict access to specific API resources.
  • Keycloak Admin Console: Keycloak’s admin console provides an intuitive interface to manage users, roles, and applications.
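The following Python script is an added example, not code from the original post: it builds exactly the request Postman sends in step 3 and extends it to the client_credentials and refresh_token variations listed above, so you can compare its output against what Postman shows in its console. The server URL, realm, client id and credentials are placeholders, and the /realms/... path assumes Keycloak 17 or later (no /auth prefix).

```python
"""Build Keycloak token-endpoint requests for the password, client_credentials
and refresh_token grants. Added example; hostnames, realm and credentials are
placeholders, and the /realms/... path assumes Keycloak 17+ (no /auth prefix).
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Parameters each grant type requires on top of grant_type and client_id.
REQUIRED_PARAMS = {
    "password": ("username", "password"),   # direct access grant (step 3)
    "client_credentials": (),               # service account, no end user
    "refresh_token": ("refresh_token",),    # exchange a refresh token
}


def token_endpoint(keycloak_url: str, realm: str) -> str:
    """The OpenID Connect token endpoint that step 3 assembles from variables."""
    return f"{keycloak_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_token_request(keycloak_url: str, realm: str, grant_type: str,
                        client_id: str, client_secret: str = None, **params):
    """Return (url, headers, body) for one token request.

    The body is application/x-www-form-urlencoded and the Content-Type header
    says so; Keycloak reads the grant parameters as form fields, so Postman's
    multipart "form-data" body type does not work here.
    """
    if grant_type not in REQUIRED_PARAMS:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    missing = [p for p in REQUIRED_PARAMS[grant_type] if p not in params]
    if missing:
        raise ValueError(f"{grant_type} grant needs: {', '.join(missing)}")
    form = {"grant_type": grant_type, "client_id": client_id, **params}
    # Only confidential clients have a secret; public clients send client_id alone.
    if client_secret is not None:
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint(keycloak_url, realm), headers, urlencode(form)


def request_token(keycloak_url: str, realm: str, grant_type: str,
                  client_id: str, client_secret: str = None, **params) -> dict:
    """Send the request and return Keycloak's JSON reply (needs a reachable server).

    Keycloak answers a rejected grant with an HTTP error status and a JSON body
    such as {"error": "invalid_grant", ...}; that body is returned rather than
    raised so the caller can inspect error_description.
    """
    url, headers, body = build_token_request(keycloak_url, realm, grant_type,
                                             client_id, client_secret, **params)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


if __name__ == "__main__":
    # Placeholders: replace with the values your API developer provided.
    url, headers, body = build_token_request(
        "http://localhost:8080", "demo-realm", "password",
        "api-client", "CLIENT_SECRET_PLACEHOLDER",
        username="alice", password="USER_PASSWORD_PLACEHOLDER")
    print("POST", url)
    print(headers)
    print(body)
```

Running the script prints the URL, the Content-Type header and the encoded body for a password grant; swap the grant type for client_credentials (no username/password) or refresh_token (pass refresh_token=...) to see the other two bodies, and call request_token instead of build_token_request once a Keycloak instance is reachable.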

Practical Examples: API Testing with the Token

  • Authorization Headers: Use the access token in the Authorization header for future API calls.

    Authorization: Bearer {{access_token}}

  • Storing the Token in a Variable: In the Tests tab of the token request, save the access token retrieved from Keycloak in a Postman global variable named access_token for later use:

    // Runs after the token request completes; reads access_token from the JSON body
    pm.globals.set("access_token", pm.response.json().access_token);
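As an added example that is not part of the original post, the Python below does offline what steps 4 to 6 and the snippets above do in Postman: it parses the token response, decodes the access token's claims so you can see who it was issued to and when it expires, flags a token that is expired or from an unexpected realm, and builds the Authorization header. The response and the token are constructed samples (the signature segment is a placeholder), and the claims are decoded without signature verification, which is fine for a tester inspecting a token but never a basis for an API to grant access.

```python
"""Handle the token response from steps 4 to 6: parse it, inspect the access
token's claims, check expiry and build the Authorization header. Added example;
the response and token are constructed samples, the JWT signature segment is a
placeholder, and claims are decoded WITHOUT signature verification.
"""
import base64
import json
import time


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Constructed sample token in JWS compact layout (header.payload.signature).

    Only the payload is meaningful; the third segment is a placeholder, so no
    resource server would (or should) accept this token.
    """
    header = _b64url_encode({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{_b64url_encode(claims)}.placeholder-signature"


def sample_token_response(now: int) -> str:
    """Constructed stand-in for the JSON body Keycloak returns in step 4."""
    claims = {"iss": "http://localhost:8080/realms/demo-realm", "azp": "api-client",
              "preferred_username": "alice", "iat": now, "exp": now + 300}
    return json.dumps({"access_token": make_sample_jwt(claims),
                       "refresh_token": make_sample_jwt({"typ": "Refresh", "exp": now + 1800}),
                       "token_type": "Bearer", "expires_in": 300,
                       "scope": "openid profile email"})


def parse_token_response(raw: str) -> dict:
    """Parse the token endpoint reply, failing loudly on Keycloak's error shape."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data['error']}: "
                           f"{data.get('error_description', '')}")
    for key in ("access_token", "token_type", "expires_in"):
        if key not in data:
            raise ValueError(f"token response is missing {key}")
    return data


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWS compact token without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: float = None) -> int:
    now = time.time() if now is None else now
    return int(jwt_claims(token)["exp"] - now)


def check_access_token(token: str, expected_issuer: str, now: float = None,
                       leeway: int = 30) -> list:
    """Return the problems to notice before reusing a token (empty list = usable).

    Expired or nearly expired: get a fresh one with the refresh token.
    Wrong issuer: the token came from a realm or server the API does not trust.
    """
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} is not {expected_issuer!r}")
    if claims.get("exp", 0) <= now + leeway:
        problems.append("access token expired or expires within leeway; use the refresh token")
    return problems


def bearer_header(response: dict) -> dict:
    """The header step 6 sends as 'Authorization: Bearer {{access_token}}'."""
    if response["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {response['token_type']!r}")
    return {"Authorization": f"Bearer {response['access_token']}"}


if __name__ == "__main__":
    now = int(time.time())
    resp = parse_token_response(sample_token_response(now))
    token = resp["access_token"]
    print(jwt_claims(token))
    print("expires in", seconds_until_expiry(token), "s")
    print(check_access_token(token, "http://localhost:8080/realms/demo-realm"))
    print(bearer_header(resp))
```

To inspect a real token instead of the sample, pass the access_token string Postman shows in the response body to jwt_claims and check_access_token; the iss claim should match your Keycloak URL and realm, azp should be your client id, and a non-empty problem list means it is time to use the refresh token rather than paste the old value into further requests.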

Conclusion

Retrieving an access token from Keycloak using Postman is a fundamental step for API testing. By understanding the authentication flow and using Postman’s powerful tools, you can efficiently obtain and manage access tokens for testing your Keycloak-secured APIs.
