[keycloak-user] Token Validation Endpoint
Thomas Darimont
thomas.darimont at googlemail.com
Wed Apr 20 12:38:00 EDT 2016
Hello,
after having looked at the tests:
https://github.com/keycloak/keycloak/blob/d9f82affb0ca36b066b2b1396e953ae126c349e0/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java#L228
... I think you need to use basic authentication with client credentials
for the token introspection endpoint.
Here is a small example (bash, with jq (JSON query) required):
KC_REALM=your-realm
KC_USERNAME=a-realm-user
KC_PASSWORD=a-realm-user-password
KC_CLIENT=a-test-client
KC_CLIENT_SECRET=a-test-client-credential
KC_SERVER=192.168.99.100:8080
KC_CONTEXT=auth
# Request tokens for the user credentials (resource owner password grant)
KC_RESPONSE=$( \
curl -k -v -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=$KC_USERNAME" \
-d "password=$KC_PASSWORD" \
-d 'grant_type=password' \
-d "client_id=$KC_CLIENT" \
-d "client_secret=$KC_CLIENT_SECRET" \
"http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
| jq .
)
KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)
KC_ID_TOKEN=$(echo "$KC_RESPONSE" | jq -r .id_token)
KC_REFRESH_TOKEN=$(echo "$KC_RESPONSE" | jq -r .refresh_token)
# Show all Keycloak env variables
set | grep '^KC_'
# Introspect the access token: the client authenticates with HTTP Basic (-u), not with a Bearer header
curl -k -v \
-X POST \
-u "$KC_CLIENT:$KC_CLIENT_SECRET" \
-d "token=$KC_ACCESS_TOKEN" \
"http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect" \
| jq .
gives me:
{
"jti": "xxxx",
"exp": 1461170489,
"nbf": 0,
"iat": 1461170189,
"iss": "http://xxxxx/auth/realms/eurodata-test",
"aud": "test-client",
"sub": "xxxxx",
"typ": "Bearer",
"azp": "test-client",
"session_state": "xxxx",
"name": "Theo Tester",
"given_name": "Theo",
"family_name": "Tester",
"preferred_username": "xxx",
"email": "tester at localhost",
"client_session": "xxxx",
"allowed-origins": [],
"resource_access": {
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"client_id": "test-client",
"username": "xxx",
"active": true
}
HTH
Cheers,
Thomas
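As an added example (not Thomas's script and not Keycloak code), the same introspection call built with Python's standard library, plus the checks a resource server should apply to the response beyond "active": it rejects expired tokens and tokens issued for another client. Server, realm and client values are placeholders, and the sample response is constructed from the output shown above.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholder values, matching the variables in the mail above.
KC_SERVER = "192.168.99.100:8080"
KC_REALM = "your-realm"
KC_CLIENT = "a-test-client"
KC_CLIENT_SECRET = "a-test-client-credential"

# Constructed sample, trimmed from the introspection output shown in the mail.
SAMPLE_RESPONSE = ('{"exp": 1461170489, "aud": "test-client", "azp": "test-client", '
                   '"client_id": "test-client", "username": "xxx", "active": true}')


def introspection_request(server, realm, client_id, client_secret, token):
    """Build the POST the way `curl -u client:secret -d token=...` does: the client
    authenticates with HTTP Basic (not a Bearer header), the token goes in the body."""
    url = f"http://{server}/auth/realms/{realm}/protocol/openid-connect/token/introspect"
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode({"token": token}).encode(),
        method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def evaluate_introspection(response_json, expected_client, now=None):
    """Decide whether the introspected token may be accepted. `active` alone is not
    enough for a resource server: also reject expired tokens and tokens issued for
    a different client (neither aud nor azp names us)."""
    now = int(time.time()) if now is None else now
    data = json.loads(response_json)
    if not data.get("active"):
        return False, "token inactive (revoked, expired or unknown)"
    if int(data.get("exp", 0)) <= now:
        return False, "token expired"
    aud = data.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_client not in audiences and data.get("azp") != expected_client:
        return False, "token not issued for this client"
    return True, "ok"
```

Sending the request is `urllib.request.urlopen(req).read()`; pass that body to `evaluate_introspection` instead of the constructed sample.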
2016-04-20 17:39 GMT+02:00 Brian Watson <watson409 at gmail.com>:
> Thank you all for the quick responses. However, I am having an issue with
> that endpoint, and am assuming I am doing something wrong :)
>
> I am making the request with a Bearer authorization header containing the
> token of a client that has the admin role in it's service account. I am
> testing that the client token is valid via the following curl call:
>
> curl -s -X GET -H "Authorization: Bearer $_CLIENT_TOKEN" '
> http://localhost-docker:8080/auth/admin/realms/master/users'
>
> However, when I make the following curl request for token introspection:
>
> curl -v -X POST -H "Authorization: Bearer $_CLIENT_TOKEN" --data
> "token=$_INTROSPECT_TOKEN" \
> '
> http://localhost-docker:8080/auth/realms/master/protocol/openid-connect/token/introspect
> '
>
> ... I get the following response:
>
> > HTTP/1.1 401 Unauthorized
> > Connection: keep-alive
> > X-Powered-By: Undertow/1
> > Server: WildFly/10
> > Content-Type: application/json
> > Content-Length: 72
> > Date: Wed, 20 Apr 2016 15:33:57 GMT
> >
> > {"error_description":"Authentication failed.","error":"invalid_request"}
>
> ... and the following console error output:
>
> > 2016-04-20 15:21:45,787 ERROR [org.keycloak.services] (default task-13)
> KC-SERVICES0014: Failed client authentication:
> org.keycloak.authentication.AuthenticationFlowException: Client was not
> identified by any client authenticator
> > at
> org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:101)
> > at
> org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:673)
> > at
> org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:42)
> > ...
> > 2016-04-20 15:21:45,791 WARN [org.keycloak.events] (default task-13)
> type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null,
> ipAddress=192.168.99.1, error=invalid_client_credentials
> > 2016-04-20 15:21:45,792 WARN [org.keycloak.events] (default task-13)
> type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null,
> ipAddress=192.168.99.1, error=invalid_request, detail='Authentication
> failed.'
>
> Is there another method I should be using to authenticate the client for
> this request? Is there something else that you see that I am doing wrong?
>
>
> On Wed, Apr 20, 2016 at 10:13 AM, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> :)
>>
>> 2016-04-20 16:07 GMT+02:00 Juraci Paixão Kröhling <juraci at kroehling.de>:
>>
>>> On 20.04.2016 15:53, Brian Watson wrote:
>>> > Is there an endpoint I can call with a token that will tell me if the
>>> > token is still valid? Is there another way I should be performing this
>>> > check?
>>>
>>> Make a POST sending "token" as request parameter to
>>> /realms/{realm}/protocols/openid-connect/token/introspect
>>>
>>> - Juca.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
>