[keycloak-user] Token Validation Endpoint
Brian Watson
watson409 at gmail.com
Wed Apr 20 12:50:05 EDT 2016
Confirmed! Thank you all so much for the help!
On Wed, Apr 20, 2016 at 12:38 PM, Thomas Darimont <
thomas.darimont at googlemail.com> wrote:
> Hello,
>
> after having looked at the tests:
> https://github.com/keycloak/keycloak/blob/d9f82affb0ca36b066b2b1396e953ae126c349e0/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java#L228
>
> ... I think you need to use basic authentication with client credentials
> for the token introspection endpoint.
>
> here is a small example (bash with jq (json query required)
>
> KC_REALM=your-realm
> KC_USERNAME=a-realm-user
> KC_PASSWORD=a-realm-user-password
> KC_CLIENT=a-test-client
> KC_CLIENT_SECRET=a-test-client-credental
> KC_SERVER=192.168.99.100:8080
> KC_CONTEXT=auth
>
> # Request Tokens for credentials
> KC_RESPONSE=$( \
> curl -k -v -X POST \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d "username=$KC_USERNAME" \
> -d "password=$KC_PASSWORD" \
> -d 'grant_type=password' \
> -d "client_id=$KC_CLIENT" \
> -d "client_secret=$KC_CLIENT_SECRET" \
> "http://$KC_SERVER/$KC_CONTEXT/realms/$REALM/protocol/openid-connect/token"
> \
> | jq .
> )
>
> KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
> KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
> KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
>
> # Show all keycloak env variables
> set | grep KC_*
>
> # Introspect Keycloak Request Token
> curl -k -v \
> -X POST \
> -u "$KC_CLIENT:$KC_CLIENT_SECRET" \
> -d "token=$KC_ACCESS_TOKEN" \
> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect"
> | jq .
>
> gives me:
>
> {
> "jti": "xxxx",
> "exp": 1461170489,
> "nbf": 0,
> "iat": 1461170189,
> "iss": "http://xxxxx/auth/realms/eurodata-test",
> "aud": "test-client",
> "sub": "xxxxx",
> "typ": "Bearer",
> "azp": "test-client",
> "session_state": "xxxx",
> "name": "Theo Tester",
> "given_name": "Theo",
> "family_name": "Tester",
> "preferred_username": "xxx",
> "email": "tester at localhost",
> "client_session": "xxxx",
> "allowed-origins": [],
> "resource_access": {
> "account": {
> "roles": [
> "manage-account",
> "view-profile"
> ]
> }
> },
> "client_id": "test-client",
> "username": "xxx",
> "active": true
> }
>
> HTH
>
> Cheers,
> Thomas
>
> 2016-04-20 17:39 GMT+02:00 Brian Watson <watson409 at gmail.com>:
>
>> Thank you all for the quick responses. However, I am having an issue with
>> that endpoint, and am assuming I am doing something wrong :)
>>
>> I am making the request with a Bearer authorization header containing the
>> token of a client that has the admin role in it's service account. I am
>> testing that the client token is valid via the following curl call:
>>
>> curl -s -X GET -H "Authorization: Bearer $_CLIENT_TOKEN" '
>> http://localhost-docker:8080/auth/admin/realms/master/users'
>>
>> However, when I make the following curl request for token introspection:
>>
>> curl -v -X POST -H "Authorization: Bearer $_CLIENT_TOKEN" --data
>> "token=$_INTROSPECT_TOKEN" \
>> '
>> http://localhost-docker:8080/auth/realms/master/protocol/openid-connect/token/introspect
>> '
>>
>> ... I get the following response:
>>
>> > HTTP/1.1 401 Unauthorized
>> > Connection: keep-alive
>> > X-Powered-By: Undertow/1
>> > Server: WildFly/10
>> > Content-Type: application/json
>> > Content-Length: 72
>> > Date: Wed, 20 Apr 2016 15:33:57 GMT
>> >
>> > {"error_description":"Authentication failed.","error":"invalid_request"}
>>
>> ... and the following console error output:
>>
>> > 2016-04-20 15:21:45,787 ERROR [org.keycloak.services] (default task-13)
>> KC-SERVICES0014: Failed client authentication:
>> org.keycloak.authentication.AuthenticationFlowException: Client was not
>> identified by any client authenticator
>> > at
>> org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:101)
>> > at
>> org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:673)
>> > at
>> org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:42)
>> > ...
>> > 2016-04-20 15:21:45,791 WARN [org.keycloak.events] (default task-13)
>> type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null,
>> ipAddress=192.168.99.1, error=invalid_client_credentials
>> > 2016-04-20 15:21:45,792 WARN [org.keycloak.events] (default task-13)
>> type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null,
>> ipAddress=192.168.99.1, error=invalid_request, detail='Authentication
>> failed.'
>>
>> Is there another method I should be using to authenticate the client for
>> this request? Is there something else that you see that I am doing wrong?
>>
>>
>> On Wed, Apr 20, 2016 at 10:13 AM, Thomas Darimont <
>> thomas.darimont at googlemail.com> wrote:
>>
>>> :)
>>>
>>> 2016-04-20 16:07 GMT+02:00 Juraci Paixão Kröhling <juraci at kroehling.de>:
>>>
>>>> On 20.04.2016 15:53, Brian Watson wrote:
>>>> > Is there an endpoint I can call with a token that will tell me if the
>>>> > token is still valid? Is there another way I should be performing this
>>>> > check?
>>>>
>>>> Make a POST sending "token" as request parameter to
>>>> /realms/{realm}/protocols/openid-connect/token/introspect
>>>>
>>>> - Juca.
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160420/bd05c111/attachment.html
More information about the keycloak-user
mailing list