From 5b971deaadefb761fcbae4a0a0b7dbabe0d46292 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Couralet?= Date: Wed, 20 Nov 2019 15:32:14 +0100 Subject: [PATCH] Add doc for retrieving access_token from FC (fixes #4) (#24) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Cédric Couralet --- FAQ.md | 96 +++++++++++++++++++++++++++++++++++++++- assets/store-tokens.png | Bin 0 -> 4593 bytes 2 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 assets/store-tokens.png diff --git a/FAQ.md b/FAQ.md index 3e6d74d..c4492d9 100644 --- a/FAQ.md +++ b/FAQ.md 
@@ -20,4 +20,98 @@ $ tail -50f /standalone/log/server.log ... ``` -You find here the claim name that you can use to add "" mappers in order to store user information in Keycloak user attributes \ No newline at end of file +You find here the claim name that you can use to add "" mappers in order to store user information in Keycloak user attributes + +## Retrieving the France Connect access_token + +Keycloak is able to store the tokens from France Connect. Those tokens can be accessed by any clients to request data providers. + +To do that, you will need to configure the provider to store tokens and enable the rights for users to read those tokens, this is done like this : + +![store-tokens](/assets/store-tokens.png) + +To retrieve the token from keycloak, you cant do a request like : + +```http +GET /auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1 +Host: {keycloak_host} +Authorization: Bearer +``` + +with provider_alias the alias you chose for the france connect provider. The response is something like: + +```json +{ + "access_token": "49357726-38d8-43eb-9cd5-ebc1f9241569", + "expires_in": 60, + "refresh_expires_in": 0, + "token_type": "Bearer", + "id_token": "eyJ0eXA[...]Ap6w8jteXEYml2z_Jg", + "not-before-policy": 0, + "accessTokenExpiration": 1574257750 +} + +``` + +With `access_token` the token you can use to call data providers. 
+For example, you can use the France Connect endpoint to validate the token : + +```http +POST https://fcp.integ01.dev-franceconnect.fr/api/v1/checktoken HTTP/1.1 +Content-Type: application/json + +{"token": "49357726-38d8-43eb-9cd5-ebc1f9241569"} + +--- + +HTTP/1.1 200 OK +Server: nginx +Date: Wed, 20 Nov 2019 12:01:23 GMT +Content-Type: application/json; charset=utf-8 +Content-Length: 658 +Connection: keep-alive +Vary: Accept-Encoding +ETag: W/"292-fbZV9XPGUnzK7aJJqL17bA" +Vary: Accept-Encoding +Strict-Transport-Security: max-age=15768000 + + +{ + "scope": [ + "openid", + "identite_pivot", + "email", + "address", + "phone" + ], + "identity": { + "given_name": "Angela Claire Louise", + "family_name": "DUBOIS", + "birthdate": "1962-08-24", + "gender": "female", + "birthplace": "75107", + "birthcountry": "99100", + "preferred_username": "", + "email": "wossewodda-3728@yopmail.com", + "address": { + "country": "France", + "formatted": "France Paris 75107 20 avenue de Ségur", + "locality": "Paris", + "postal_code": "75107", + "street_address": "20 avenue de Ségur" + }, + "phone_number": "0123456789", + "_claim_names": {}, + "_claim_sources": { + "src1": {} + } + }, + "client": { + "client_id": "8436aea4c7d3da8341c605d284e2d0512d76e0a24f633f8642016a44a189cdfd", + "client_name": "Test Keycloak" + }, + "acr": "eidas2" +} + + +``` \ No newline at end of file 
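Review bot: the `Authorization: Bearer` header in the `GET /auth/realms/{realm}/broker/{provider_alias}/token` example carries no value, so a reader cannot tell which credential authorizes the call; show a placeholder such as `Authorization: Bearer {keycloak_access_token}` and state that it must be a Keycloak token issued to the user whose France Connect token is being fetched. The sentence "enable the rights for users to read those tokens" should name the exact role to grant rather than relying on the screenshot, because the returned `access_token` lets its holder call the data providers on that user's behalf, and "Those tokens can be accessed by any clients" reads as if no authorization were needed and should be narrowed to clients presenting such a user token. Minor: "you cant do a request" should read "you can do a request", and since the sample response shows `"expires_in": 60`, it is worth saying that clients should fetch the token right before calling a data provider instead of caching it.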
diff --git a/assets/store-tokens.png b/assets/store-tokens.png new file mode 100644 index 0000000000000000000000000000000000000000..9a0d050ea4747965307b66146b54d80eaf49fd06 GIT binary patch literal 4593