[keycloak-user] token introspection

Pedro Igor Silva psilva at redhat.com
Thu Aug 10 07:53:23 EDT 2017


No, we don't. Like Bill said, you don't really need it. Basically, what we
support is described in docs [1].

[1]
http://www.keycloak.org/docs/3.1/authorization_services/topics/enforcer/keycloak-enforcement-filter.html


On Thu, Aug 10, 2017 at 6:11 AM, Simon Payne <simonpayne58 at gmail.com> wrote:

> do we have token introspection implemented in any of the client adapters
> (other than spring boot)?
>
> thanks
>
>
> On Wed, Aug 9, 2017 at 9:50 AM, Simon Payne <simonpayne58 at gmail.com>
> wrote:
>
> > thanks Pedro,
> >
> > however, i think our use cases are not exactly the same.  it appears your
> > component is set to allow authentication of user where mine is bearer
> > only.
> >
> > the only other differences i can see between our projects is that i am
> > running gradle with keycloak 3.2.0 and that i have also added compile(
> > 'org.keycloak:keycloak-authz-client:3.2.0.CR1')
> >
> > Lucian, i don't have a project which i can share at the moment as other
> > code is included, if you would still like to see something i can make a
> > shareable version.
> >
> > Thanks
> >
> >
> > On Tue, Aug 8, 2017 at 8:57 PM, Pedro Igor Silva <psilva at redhat.com>
> > wrote:
> >
> >> Hey Lucian, we have this
> >> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot.
> >>
> >> On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian <okianl at yahoo.com> wrote:
> >>
> >>> Simon,
> >>> Do you have a demo app with that? I am just curious to see a
> >>> spring(boot) app with authorizations...I remember that I tried something
> >>> with authorizations, and the authorization context was null (I know there
> >>> are some Jira issues about it), but I still could not get it to work in
> >>> 2.5.5
> >>> AuthorizationContext authzContext =
> >>>         keycloakSecurityContext.getAuthorizationContext();
> >>> Thanks, Lucian
> >>>
> >>> On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne <
> >>> simonpayne58 at gmail.com> wrote:
> >>>
> >>> yes correct.
> >>>
> >>> there is a definite change in behavior with the addition of the
> >>> keycloak.policy-enforcer-config.online-introspection=true flag, as
> >>> without this single line in my property file it works correctly as a
> >>> bearer only resource server.  Addition of this line results in the
> >>> incorrect call to token exchange endpoint.
> >>>
> >>> thanks
> >>>
> >>>
> >>> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke at redhat.com> wrote:
> >>>
> >>> > Doesn't look like the switch is hooked up to anything.  As it is, it
> >>> > looks like this switch was added for RPT validation, not access token
> >>> > validation, and not ever implemented.  You just want the adapter to
> >>> > validate the access token with the auth server for bearer token
> >>> > requests, right?
> >>> >
> >>> >
> >>> > On 8/8/17 9:29 AM, Bill Burke wrote:
> >>> > > I'm looking at the code on server and I don't see that it requires
> >>> > > any special switch to use it.  The endpoint is:
> >>> > >
> >>> > > @Post
> >>> > >
> >>> > > /auth/realms/{realm}/protocol/openid-connect/token/introspect
> >>> > >
> >>> > > Takes form params.
> >>> > >
> >>> > > token
> >>> > >
> >>> > > token_type_hint (optional and defaults to "access_token")
> >>> > >
> >>> > >
> >>> > >
> >>> > >
> >>> > >
> >>> > > On 8/8/17 4:31 AM, Simon Payne wrote:
> >>> > >> after some debugging i figured that
> >>> > >> keycloak.policy-enforcer-config.online-introspection=true switched
> >>> > >> on this functionality, however it appears to error on a 400 after
> >>> > >> making a call to
> >>> > >> the /auth/realms/master/protocol/openid-connect/token endpoint.
> >>> > >>
> >>> > >> I'm assuming this is a bug?
> >>> > >>
> >>> > >> Thanks
> >>> > >>
> >>> > >>
> >>> > >>
> >>> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com> wrote:
> >>> > >>
> >>> > >>> Hi All,
> >>> > >>>
> >>> > >>> I'm evaluating keycloak and i'm currently looking at token
> >>> > >>> introspection.
> >>> > >>>
> >>> > >>> I've managed to achieve this manually, i.e. by sending a post via
> >>> > >>> postman, but i'm unable to figure out whether this can be achieved
> >>> > >>> via the keycloak adapters, specifically spring boot.
> >>> > >>>
> >>> > >>> any help in this area would be appreciated.
> >>> > >>>
> >>> > >>> thanks
> >>> > >>>
> >>> > >>> Simon.
> >>> > >>>
> >>> > >> _______________________________________________
> >>> > >> keycloak-user mailing list
> >>> > >> keycloak-user at lists.jboss.org
> >>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>> >
> >>> >
> >>>
> >>
> >>
> >
>
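
The manual introspection call described in the thread (a POST to the realm's `token/introspect` endpoint with the `token` and optional `token_type_hint` form parameters), as an added example that is not part of the original messages or of Keycloak's adapter code. The host, realm, client ID and secret are placeholders, HTTP Basic client authentication is an assumption, and the sample responses are constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample response bodies (not captured from a real server).
ACTIVE_SAMPLE = '{"active": true, "username": "alice", "client_id": "demo-api"}'
INACTIVE_SAMPLE = '{"active": false}'

def build_introspection_request(base_url, realm, client_id, client_secret,
                                token, token_type_hint="access_token"):
    """Build the POST from the thread; nothing is sent here."""
    url = "{}/auth/realms/{}/protocol/openid-connect/token/introspect".format(
        base_url.rstrip("/"), urllib.parse.quote(realm, safe=""))
    # Form parameters named in the thread: token, token_type_hint.
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": token_type_hint}).encode("ascii")
    # Assumption: the resource server authenticates as a confidential
    # client with HTTP Basic; client_id/client_secret are placeholders.
    basic = base64.b64encode(
        "{}:{}".format(client_id, client_secret).encode("utf-8")).decode("ascii")
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    })

def token_is_active(response_body):
    """Fail closed: accept only a JSON object whose "active" is literally true."""
    try:
        claims = json.loads(response_body)
    except (TypeError, ValueError):
        return False  # HTML error page, empty body, bad encoding
    return isinstance(claims, dict) and claims.get("active") is True

def introspect(request, timeout=5):
    """Send the request; a transport or HTTP error (such as a 400) is a reject."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return token_is_active(resp.read())
    except OSError:  # URLError and HTTPError are subclasses of OSError
        return False
```

A bearer-only resource server would call `introspect()` once per incoming token and reject the request on any `False` result.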

