[keycloak-user] OAuth2 token introspection requires an active session?

Marek Posolda mposolda at redhat.com
Tue May 2 06:34:21 EDT 2017


This looks like a bug. Could you please create a JIRA with the info you 
mentioned here? Please also link your new JIRA with 
https://issues.jboss.org/browse/KEYCLOAK-4521, which is a quite similar issue.

Marek

On 28/04/17 09:51, Iván Perdomo wrote:
> Hi all,
>
> We're trying to use offline access [1] to retrieve access_tokens on
> behalf of the user and access a protected resource in a long running
> process.
>
> This protected resource checks the validity of the access_token using
> the OAuth2 token introspection.
>
> In our tests we found that the introspection flag "active" true|false
> depends on having an active session in the server, which seems to defeat
> the purpose of the offline access capabilities.
>
> I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior
> is the same.
>
> * Get an offline token via direct grants
> * Get an access_token using the offline_token
> * We have an active session
> * Use the token introspection for the access_token and get the expected
> result: active=true
> * Wait for SSO Idle timeout (so the session expires)
> * Get a new access_token using the "stored" offline_token
> * Use the token introspection with the new access_token. Keycloak
> returns active=false because we don't have a session. But the
> access_token is valid, and not expired.
>
> The following code repository has an isolated test case of this scenario:
>
> https://github.com/iperdomo/keycloak-oauth2-instrospection
>
> The described steps are in this script:
>
> https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh
>
> I tried to look for logged issues regarding token introspection and
> didn't find anything related to this problem.
>
> Is this a bug or an expected behavior?
>
> [1]
> https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html
>
> Thanks for your support.
>

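The reproduction steps quoted above, reworked as a stand-alone Python 3 script. This is an added example, not code from the original post or from the linked repository. The endpoint layout (`/auth/realms/{realm}/protocol/openid-connect/token` and `.../token/introspect`, as used by Keycloak 2.x/3.x), the environment variable names, the realm, client and user names, and the wait interval are assumptions; the JWT and classification helpers are pure so the discrepancy check (token unexpired by its `exp` claim, yet `active=false` from introspection) can be exercised without a server.

```python
"""Reproduce: offline token -> access token -> introspection, before and after
the SSO session idles out.  Added example; server URL, realm, client and user
credentials are ASSUMED to arrive via environment variables (see __main__)."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request


def _post_form(url, fields):
    """POST application/x-www-form-urlencoded and return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def token_endpoint(base_url, realm):
    # Assumed path layout of Keycloak 2.x/3.x (with the /auth context root).
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


def introspection_endpoint(base_url, realm):
    return token_endpoint(base_url, realm) + "/introspect"


def direct_grant_offline(base_url, realm, client_id, client_secret, username, password):
    """Step 1: direct grant (password grant) requesting offline_access.
    The refresh_token in the response is the offline token to be stored."""
    return _post_form(token_endpoint(base_url, realm), {
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password, "scope": "offline_access",
    })


def refresh_with_offline_token(base_url, realm, client_id, client_secret, offline_token):
    """Steps 2 and 6: exchange the stored offline token for a fresh access_token."""
    return _post_form(token_endpoint(base_url, realm), {
        "grant_type": "refresh_token", "client_id": client_id,
        "client_secret": client_secret, "refresh_token": offline_token,
    })


def introspect(base_url, realm, client_id, client_secret, access_token):
    """Steps 4 and 7: RFC 7662 introspection, client authenticating with its secret."""
    return _post_form(introspection_endpoint(base_url, realm), {
        "token": access_token, "client_id": client_id, "client_secret": client_secret,
    })


def decode_jwt_payload(token):
    """Decode the payload of a compact JWS WITHOUT verifying the signature.
    Only used here to read exp for the local comparison."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def locally_valid(token, now=None):
    """True when the exp claim lies in the future (no signature check)."""
    now = time.time() if now is None else now
    return decode_jwt_payload(token)["exp"] > now


def classify(token, introspection, now=None):
    """Compare the local exp check with the server's 'active' flag.
    'mismatch' is the symptom from the post: unexpired token, active=false."""
    local_ok = locally_valid(token, now)
    active = bool(introspection.get("active"))
    if local_ok and active:
        return "active"
    if not local_ok and not active:
        return "expired"
    if local_ok and not active:
        return "mismatch"
    return "inconsistent"  # active=true for an expired token; should not happen


def make_unsigned_jwt(claims):
    """Constructed test token (header + payload + dummy signature) for offline runs."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none"})
    return f"{header}.{b64(claims)}.sig"


if __name__ == "__main__":
    env = os.environ
    if "KEYCLOAK_URL" not in env:
        # Offline demonstration with a constructed token and constructed responses.
        tok = make_unsigned_jwt({"exp": int(time.time()) + 300, "sub": "demo"})
        print("with session:   ", classify(tok, {"active": True}))
        print("session expired:", classify(tok, {"active": False}))
    else:
        args = (env["KEYCLOAK_URL"], env.get("REALM", "test"),
                env.get("CLIENT_ID", "offline-test"), env["CLIENT_SECRET"])
        first = direct_grant_offline(*args, env["KC_USER"], env["KC_PASSWORD"])
        offline_token = first["refresh_token"]
        at = refresh_with_offline_token(*args, offline_token)["access_token"]
        print("before idle timeout:", classify(at, introspect(*args, at)))
        # Wait a little longer than the realm's "SSO Session Idle" setting.
        time.sleep(int(env.get("SSO_IDLE_WAIT", "1860")))
        at = refresh_with_offline_token(*args, offline_token)["access_token"]
        print("after idle timeout: ", classify(at, introspect(*args, at)))
```

Run without `KEYCLOAK_URL` for the offline walk-through; with `KEYCLOAK_URL`, `CLIENT_SECRET`, `KC_USER` and `KC_PASSWORD` set (and a confidential client with direct access grants enabled), the second print shows `mismatch` on the affected versions. The local `exp` check deliberately skips signature verification because it only serves to confirm that the token the server reports as inactive is not simply expired.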

