[keycloak-user] Keycloak OpenIDConnect bearer token problem

NAPPERT Olivier olivier.nappert at thalesgroup.com
Fri Jul 21 11:39:38 EDT 2017


I searched more and found the RFC that specifies the OAuth2 specifications for Token_type, it should be case insensitive as specified here https://tools.ietf.org/html/rfc6749#section-4.2.2:

"token_type
         REQUIRED.  The type of the token issued as described in
         Section 7.1<https://tools.ietf.org/html/rfc6749#section-7.1>.  Value is case insensitive."

But in LemonLDAP::NG, the file that verifies if the token is valid isn't compliant with this because of the following line in /usr/share/perl5/Lemonldap/NG/Portal/_OpenIDConnect.pm:465:


"unless ( $json->{token_type} eq "Bearer" ) {"

So in fact it wasn't a problem on Keycloak's side, but LL::NG.

Best regards,

Olivier Nappert
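As an added illustration (not code from LemonLDAP::NG or Keycloak), the following Python shows the difference between the strict comparison quoted above and an RFC 6749-compliant check that treats token_type case-insensitively. The sample token responses are constructed, and the helper names are my own.

```python
import json

# Constructed token endpoint responses (not captured from a real server).
RESPONSE_LOWERCASE = '{"access_token":"EXAMPLE-TOKEN","token_type":"bearer","expires_in":300}'
RESPONSE_CAPITALIZED = '{"access_token":"EXAMPLE-TOKEN","token_type":"Bearer","expires_in":300}'
RESPONSE_OTHER_TYPE = '{"access_token":"EXAMPLE-TOKEN","token_type":"mac","expires_in":300}'


def strict_token_type_ok(body: str) -> bool:
    """Mirror of the exact-match test in the quoted Perl line:
    only the literal string "Bearer" passes."""
    return json.loads(body).get("token_type") == "Bearer"


def validate_token_response(body: str) -> dict:
    """Validate an OAuth 2.0 token endpoint response the way a Relying Party
    should under RFC 6749: token_type is REQUIRED and case-insensitive
    (sections 4.2.2 and 5.1), and an access_token must be present.
    Returns the parsed response, or raises ValueError describing the defect."""
    try:
        resp = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"token response is not JSON: {exc}") from exc

    # An error response (RFC 6749 section 5.2) is never a valid token response.
    if "error" in resp:
        raise ValueError(f"token endpoint returned error: {resp['error']}")

    token_type = resp.get("token_type")
    if not isinstance(token_type, str):
        raise ValueError("token_type is missing from the token response")

    # RFC 6749: "Value is case insensitive" -> normalise before comparing,
    # so "bearer", "Bearer" and "BEARER" are all accepted.
    if token_type.lower() != "bearer":
        raise ValueError(f"token type is {token_type!r} but must be Bearer")

    access_token = resp.get("access_token")
    if not isinstance(access_token, str) or not access_token:
        raise ValueError("access_token is missing from the token response")

    return resp


if __name__ == "__main__":
    for body in (RESPONSE_LOWERCASE, RESPONSE_CAPITALIZED, RESPONSE_OTHER_TYPE):
        strict = strict_token_type_ok(body)
        try:
            validate_token_response(body)
            compliant = "accepted"
        except ValueError as exc:
            compliant = f"rejected ({exc})"
        print(f"strict={strict!s:5}  rfc6749={compliant}")
```

Run against the constructed responses, the strict check rejects the lowercase "bearer" that produced the "Token type is bearer but must be Bearer" error, while the compliant check accepts both spellings and still rejects a non-Bearer type.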


From: NAPPERT Olivier
Sent: Friday 21 July 2017 16:38
To: 'keycloak-user at lists.jboss.org'
Subject: Keycloak OpenIDConnect bearer token problem

Hello,

I am trying to use Keycloak v3.2 standalone (Final) as an OpenID Connect Identity Provider, with an instance of LemonLDAP::NG working as my OIDC Relying Party. The latter is already configured and works well with multiple OIDC Identity Providers, like Google or other LL::NG instances.

When accessing the Keycloak token endpoint, the authentication fails with the following message:


Token type is bearer but must be Bearer
[perl:debug] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/AuthOpenIDConnect.pm 133:
[perl:error] Token response is not valid


Do you know how to change the token type sent in the Keycloak configuration please? From my understanding the OpenID Connect standard states that the Token type MUST be Bearer, so I suspect that I'm not the first who's had this problem.

Best regards,

Olivier NAPPERT
