Keycloak curl Device Authorization Grant

Home | Contact

Keycloak curl Device Authorization Grant. Usefull in scripts for obtaining an acess token from clients that have OAuth 2.0 Device Authorization Grant enabled.

#!/bin/bash

# Keycloak Device Authorization Grant
#
# Dependencies:
#
#   'curl jq'
#
#   https://curl.se
#   https://jqlang.org


### ----------------------------

usage()
{
  printf 'Usage  : %s -a %s -r %s -c %s\n' "${0##*/}" \
    "<AUTHORITY>" "<REALM>" "<CLIENT_ID>"

  printf 'Example: %s -a "%s" -r "%s" -c "%s"\n' "${0##*/}" \
    "https://keycloak.example.com/auth" \
    "myrealm" \
    "myclient"

  exit 2
}

while getopts 'a:r:c:?h' c
do
  case $c in
    a) authority=$OPTARG ;;
    r) realm=$OPTARG ;;
    c) clientId=$OPTARG ;;
    h|?) usage ;;
  esac
done

[[ -z $authority || -z $realm || -z $clientId ]] && usage


### ----------------------------

discovery="$authority/realms/$realm/.well-known/openid-configuration"

endpoint="$(curl -sSL "$discovery" | jq -r '.device_authorization_endpoint')"

res="$(curl -sSL \
  --data-urlencode "client_id=$clientId" \
  --data-urlencode "scope=openid" \
  --url "$endpoint")"

interval="$(jq -r '.interval' <<< "$res")"
code="$(jq -r '.device_code' <<< "$res")"
verificationUri="$(jq -r '.verification_uri_complete' <<< "$res")"

read -rp "$(tput bold)Press Enter$(tput sgr0) to open $verificationUri in your browser..." >&2
open "$verificationUri"

dots="..."
while :; do
  dots=".$dots"
  printf "\rpolling%s" "$dots" >&2

  sleep "$interval"

  res="$(curl -sSL \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
    --data-urlencode "client_id=$clientId" \
    --data-urlencode "device_code=$code" \
    --url "$authority/realms/$realm/protocol/openid-connect/token")"

  error="$(jq -r '.error | select(.!=null)' <<< "$res")"

  if [[ -n $error ]]; then
    if [[ $error == "authorization_pending" ]]; then
      continue;
    else
      printf "ERROR:\n%s\n" "$res" >&2
      exit 1
    fi
  fi

  accessToken="$(jq -r '.access_token' <<< "$res")"

  if [[ -n $accessToken ]]; then
    printf "\n" >&2
    break;
  fi
done

printf "%s" "$accessToken"
download: device_authorization_grant.sh

Warning: Undefined array key "javascripts" in /var/www/thrysoee.dk/public_html/functions.php on line 72
©2002-2025 THRYSOEE