<div dir="ltr">BTW access tokens have a short lifespan by default (only 1 minute), so it should be more than sufficient to just check the signature of the token.</div><div class="gmail_extra"><br><div class="gmail_quote">On 20 April 2016 at 18:50, Brian Watson <span dir="ltr"><<a href="mailto:watson409@gmail.com" target="_blank">watson409@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Confirmed! Thank you all so much for the help!</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 20, 2016 at 12:38 PM, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>after having looked at the tests: <a href="https://github.com/keycloak/keycloak/blob/d9f82affb0ca36b066b2b1396e953ae126c349e0/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java#L228" target="_blank">https://github.com/keycloak/keycloak/blob/d9f82affb0ca36b066b2b1396e953ae126c349e0/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java#L228</a></div><div><br></div><div>... 
I think you need to use basic authentication with client credentials for the token introspection endpoint.</div><div><br></div><div>here is a small example (bash, with jq (JSON query) required):</div><div><br></div><div><div>KC_REALM=your-realm</div><div>KC_USERNAME=a-realm-user</div><div>KC_PASSWORD=a-realm-user-password</div><div>KC_CLIENT=a-test-client</div><div>KC_CLIENT_SECRET=a-test-client-credential</div><div>KC_SERVER=192.168.99.100:8080</div><div>KC_CONTEXT=auth</div><div><br></div><div># Request Tokens for credentials</div><div>KC_RESPONSE=$(</div><div> curl -k -v -X POST \</div><div> -H "Content-Type: application/x-www-form-urlencoded" \</div><div> -d "username=$KC_USERNAME" \</div><div> -d "password=$KC_PASSWORD" \</div><div> -d 'grant_type=password' \</div><div> -d "client_id=$KC_CLIENT" \</div><div> -d "client_secret=$KC_CLIENT_SECRET" \</div><div> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \</div><div> | jq .</div><div>)</div><div><br></div><div>KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)</div><div>KC_ID_TOKEN=$(echo "$KC_RESPONSE" | jq -r .id_token)</div><div>KC_REFRESH_TOKEN=$(echo "$KC_RESPONSE" | jq -r .refresh_token)</div><div><br></div><div># Show all keycloak env variables</div><div>set | grep '^KC_'</div><div><br></div><div># Introspect Keycloak Request Token: the client authenticates via HTTP Basic (client_id:client_secret), the token to check goes in the form body</div><div>curl -k -v \</div><div> -X POST \</div><div> -u "$KC_CLIENT:$KC_CLIENT_SECRET" \</div><div> -d "token=$KC_ACCESS_TOKEN" \</div><div> "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect" | jq . 
</div></div><div><br></div><div>gives me:</div><div><br></div><div><div>{</div><div> "jti": "xxxx",</div><div> "exp": 1461170489,</div><div> "nbf": 0,</div><div> "iat": 1461170189,</div><div> "iss": "<a href="http://xxxxx/auth/realms/eurodata-test" target="_blank">http://xxxxx/auth/realms/eurodata-test</a>",</div><div> "aud": "test-client",</div><div> "sub": "xxxxx",</div><div> "typ": "Bearer",</div><div> "azp": "test-client",</div><div> "session_state": "xxxx",</div><div> "name": "Theo Tester",</div><div> "given_name": "Theo",</div><div> "family_name": "Tester",</div><div> "preferred_username": "xxx",</div><div> "email": "tester@localhost",</div><div> "client_session": "xxxx",</div><div> "allowed-origins": [],</div><div> "resource_access": {</div><div> "account": {</div><div> "roles": [</div><div> "manage-account",</div><div> "view-profile"</div><div> ]</div><div> }</div><div> },</div><div> "client_id": "test-client",</div><div> "username": "xxx",</div><div> "active": true</div><div>}</div></div><div><br></div><div>HTH</div><div><br></div><div>Cheers,</div><div>Thomas</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-04-20 17:39 GMT+02:00 Brian Watson <span dir="ltr"><<a href="mailto:watson409@gmail.com" target="_blank">watson409@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thank you all for the quick responses. However, I am having an issue with that endpoint, and am assuming I am doing something wrong :)<br><br><div><div>I am making the request with a Bearer authorization header containing the token of a client that has the admin role in its service account. 
I am testing that the client token is valid via the following curl call:<br><br>curl -s -X GET -H "Authorization: Bearer $_CLIENT_TOKEN" '<a href="http://localhost-docker:8080/auth/admin/realms/master/users" target="_blank">http://localhost-docker:8080/auth/admin/realms/master/users</a>'<br><br>However, when I make the following curl request for token introspection:<br><br>curl -v -X POST -H "Authorization: Bearer $_CLIENT_TOKEN" --data "token=$_INTROSPECT_TOKEN" \<br> '<a href="http://localhost-docker:8080/auth/realms/master/protocol/openid-connect/token/introspect" target="_blank">http://localhost-docker:8080/auth/realms/master/protocol/openid-connect/token/introspect</a>'<br><br>... I get the following response:<br><br>> HTTP/1.1 401 Unauthorized<br>> Connection: keep-alive<br>> X-Powered-By: Undertow/1<br>> Server: WildFly/10<br>> Content-Type: application/json<br>> Content-Length: 72<br>> Date: Wed, 20 Apr 2016 15:33:57 GMT<br>> </div><div>> {"error_description":"Authentication failed.","error":"invalid_request"}<br><br>... 
and the following console error output:<br><br>> 2016-04-20 15:21:45,787 ERROR [org.keycloak.services] (default task-13) KC-SERVICES0014: Failed client authentication: org.keycloak.authentication.AuthenticationFlowException: Client was not identified by any client authenticator</div><div><div>> at org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:101)<br>> at org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:673)<br>> at org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:42)<br>> ...<br>> 2016-04-20 15:21:45,791 WARN [org.keycloak.events] (default task-13) type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.99.1, error=invalid_client_credentials<br>> 2016-04-20 15:21:45,792 WARN [org.keycloak.events] (default task-13) type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.99.1, error=invalid_request, detail='Authentication failed.'<div><div><br></div></div><div>Is there another method I should be using to authenticate the client for this request? 
Is there something else that you see that I am doing wrong?</div><div><br></div></div></div></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 20, 2016 at 10:13 AM, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">:)</div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-04-20 16:07 GMT+02:00 Juraci Paixão Kröhling <span dir="ltr"><<a href="mailto:juraci@kroehling.de" target="_blank">juraci@kroehling.de</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 20.04.2016 15:53, Brian Watson wrote:<br>
> Is there an endpoint I can call with a token that will tell me if the<br>
> token is still valid? Is there another way I should be performing this<br>
> check?<br>
<br>
</span>Make a POST sending "token" as request parameter to<br>
/realms/{realm}/protocols/openid-connect/token/introspect<br>
<br>
- Juca.<br>
<div><div>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div></div></blockquote></div><br></div>
</div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div>
</blockquote></div><br></div>
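A stdlib-only Python client for the introspection call this thread converges on (form field `token`, client authenticated with HTTP Basic, decision taken on `active`), added here as an example and not code from the thread or from Keycloak; the server, realm and client values are placeholders:

```python
"""Token introspection as settled in this thread: POST form field "token", client
authenticated with HTTP Basic, then act on "active". Added example, not code from the
thread or from Keycloak; server, realm and client values are placeholders."""
import base64
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlencode

def basic_auth_header(client_id, client_secret):
    # A Bearer token of the calling client is not accepted here (401 "Authentication failed.")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {creds}"

def introspect_request(server, realm, client_id, client_secret, token, context="auth"):
    url = f"http://{server}/{context}/realms/{realm}/protocol/openid-connect/token/introspect"
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(url, data=urlencode({"token": token}).encode(),
                                  headers=headers, method="POST")

def introspect(server, realm, client_id, client_secret, token):
    """Inactive tokens still answer 200 with active=false; an HTTP error means
    the client itself could not be authenticated (Brian's 401 above)."""
    req = introspect_request(server, realm, client_id, client_secret, token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        body = e.read().decode(errors="replace")
        raise RuntimeError(f"introspection rejected the client ({e.code}): {body}") from e

def evaluate(introspection, expected_client, now=None):
    """Decide whether a resource server should honour the token, given a response
    shaped like the one posted in the thread; also re-checks the time claims."""
    now = int(time.time()) if now is None else now
    if not introspection.get("active"):
        return False, "token not active (expired, revoked or unknown to the realm)"
    if introspection.get("typ") != "Bearer":
        return False, "not a bearer access token"
    if introspection.get("exp", 0) <= now:
        return False, "exp already passed"
    if introspection.get("nbf", 0) > now:
        return False, "token not yet valid (nbf)"
    aud = introspection.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_client not in aud:
        return False, "token not issued for this audience (aud)"
    return True, "ok"
```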