[keycloak-user] token introspection

Pedro Igor Silva psilva at redhat.com
Tue Aug 8 15:57:22 EDT 2017


This property is a zombie though, it should not impact anything given that
there is no logic in the adapter to introspect the token using the
introspection endpoint. I'm going to remove this property in any case ...

I did a simple test using our Spring Boot Quickstart [1] and setting this
property does cause any issue.

[1]
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot

On Tue, Aug 8, 2017 at 12:10 PM, Simon Payne <simonpayne58 at gmail.com> wrote:

> yes correct.
>
> there is a definite change in behavior with the addition of the
> keycloak.policy-enforcer-config.online-introspection=true flag, as without
> this single line in my property file it works correctly as a bearer only
> resource server.  Addition of this line results in the incorrect call to
> token exchange endpoint.
>
> thanks
>
>
> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke at redhat.com> wrote:
>
> > Doesn't look like the switch is hooked up to anything.  As it is, it
> > looks like this switch was added for RPT validation, not access token
> > validation, and not ever implemented.  You just want the adapter to
> > validate the access token with the auth server for bearer token
> > requests, right?
> >
> >
> > On 8/8/17 9:29 AM, Bill Burke wrote:
> > > > I'm looking at the code on server and I don't see that it requires any
> > > special switch to use it.  The endpoint is:
> > >
> > > @Post
> > >
> > > /auth/realms/{realm}/protocol/openid-connect/token/introspect
> > >
> > > Takes form params.
> > >
> > > token
> > >
> > > token_type_hint (optional and defaults to "access_token")
> > >
> > >
> > >
> > >
> > >
> > > On 8/8/17 4:31 AM, Simon Payne wrote:
> > > >> after some debugging i figured that
> > > >> keycloak.policy-enforcer-config.online-introspection=true switched on this
> > > >> functionality, however it appears to error on a 400 after making a call to
> > > >> the /auth/realms/master/protocol/openid-connect/token endpoint.
> > >>
> > >> I'm assuming this is a bug?
> > >>
> > >> Thanks
> > >>
> > >>
> > >>
> > > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com> wrote:
> > > >>
> > > >>> Hi All,
> > > >>>
> > > >>> I'm evaluating keycloak and i'm currently looking at token introspection.
> > > >>>
> > > >>> I've managed to achieve this manually, i.e. by sending a post via postman,
> > > >>> but i'm unable to figure out whether this can be achieved via the keycloak
> > > >>> adapters, specifically spring boot.
> > >>>
> > >>> any help in this area would be appreciated.
> > >>>
> > >>> thanks
> > >>>
> > >>> Simon.
> > >>>
> > >> _______________________________________________
> > >> keycloak-user mailing list
> > >> keycloak-user at lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

