KEYCLOAK: Obtaining Access token by 'user name' only (without password)
You don't specify in your question if the current user is logged in. Are you validating user specific actions, or you want to retrieve user roles for the application instead?
The user is logged in and he is performing some action
I suppose you're using some keycloak adapter. Then just retrieve the session object and you should have the extra info somewhere in there.
If not, you can just parse the request yourself. When using OpenId Connect, the access token is always sent for each of the requests, in the Authorization
header. The token is base64 encoded, you can decode the token yourself.
The application is performing some action for some registered user, without him logged in
User access tokens are meant to provide permissions for users. As you say in your question: As a third party application, I want...
so here you are not acting as a logged user, but as an application, so you need to go with client credentials instead. Just give the client permissions to list all the users and their roles (probably it's enough with the view-users
role, see the link below) and log in with client credentials grant. Then you can handle fine grained permissions in your application business logic.
See also:
- Keycloak Client Credentials Flow Clarification
- Keycloak spring security client credential grant
- How to get Keycloak users via REST without admin account