[keycloak-user] Token Validation Endpoint

Brian Watson watson409 at gmail.com
Wed Apr 20 11:39:20 EDT 2016


Thank you all for the quick responses. However, I am having an issue with
that endpoint, and am assuming I am doing something wrong :)

I am making the request with a Bearer authorization header containing the
token of a client that has the admin role in its service account. I am
testing that the client token is valid via the following curl call:

curl -s -X GET -H "Authorization: Bearer $_CLIENT_TOKEN" \
   'http://localhost-docker:8080/auth/admin/realms/master/users'

However, when I make the following curl request for token introspection:

curl -v -X POST -H "Authorization: Bearer $_CLIENT_TOKEN" --data "token=$_INTROSPECT_TOKEN" \
   'http://localhost-docker:8080/auth/realms/master/protocol/openid-connect/token/introspect'

... I get the following response:

> HTTP/1.1 401 Unauthorized
> Connection: keep-alive
> X-Powered-By: Undertow/1
> Server: WildFly/10
> Content-Type: application/json
> Content-Length: 72
> Date: Wed, 20 Apr 2016 15:33:57 GMT
>
> {"error_description":"Authentication failed.","error":"invalid_request"}

... and the following console error output:

> 2016-04-20 15:21:45,787 ERROR [org.keycloak.services] (default task-13) KC-SERVICES0014: Failed client authentication: org.keycloak.authentication.AuthenticationFlowException: Client was not identified by any client authenticator
>    at org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:101)
>    at org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:673)
>    at org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:42)
>        ...
> 2016-04-20 15:21:45,791 WARN  [org.keycloak.events] (default task-13) type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.99.1, error=invalid_client_credentials
> 2016-04-20 15:21:45,792 WARN  [org.keycloak.events] (default task-13) type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.99.1, error=invalid_request, detail='Authentication failed.'

Is there another method I should be using to authenticate the client for
this request? Is there something else that you see that I am doing wrong?


On Wed, Apr 20, 2016 at 10:13 AM, Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> :)
>
> 2016-04-20 16:07 GMT+02:00 Juraci Paixão Kröhling <juraci at kroehling.de>:
>
>> On 20.04.2016 15:53, Brian Watson wrote:
>> > Is there an endpoint I can call with a token that will tell me if the
>> > token is still valid? Is there another way I should be performing this
>> > check?
>>
>> Make a POST sending "token" as request parameter to
>> /realms/{realm}/protocols/openid-connect/token/introspect
>>
>> - Juca.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
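
The server log in the message above reports that no client authenticator identified the caller. As an added example (not part of the original thread and not Keycloak's own code): Keycloak's introspection endpoint authenticates the calling client with its own credentials, so this sketch sends client_id and client_secret via HTTP Basic instead of a Bearer header and accepts a token only on an explicit "active": true. It assumes a confidential client; the client id, secret and function names are placeholders chosen for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoint taken from the thread; the client id/secret used with it are placeholders.
INTROSPECT_URL = ("http://localhost-docker:8080/auth/realms/master"
                  "/protocol/openid-connect/token/introspect")


def build_introspection_request(url, client_id, client_secret, token):
    """POST with the caller's client credentials in HTTP Basic, token in the form body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def token_is_active(status, body):
    """Fail closed: valid only on HTTP 200 with a JSON object whose "active" is true."""
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False
    return isinstance(doc, dict) and doc.get("active") is True


def introspect(url, client_id, client_secret, token, timeout=5):
    """Send the request; any HTTP or network failure counts as 'not valid'."""
    req = build_introspection_request(url, client_id, client_secret, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return token_is_active(resp.status, resp.read())
    except OSError:  # covers HTTPError (such as the 401 above) and connection errors
        return False


if __name__ == "__main__":
    # Offline check: the 401 body quoted in the thread, then two constructed responses.
    rejected = '{"error_description":"Authentication failed.","error":"invalid_request"}'
    print(token_is_active(401, rejected))
    print(token_is_active(200, '{"active": true}'))
    print(token_is_active(200, '{"active": false}'))
```
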