----- Original Message -----
From: "Niels Bertram" <nielsbne(a)gmail.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Friday, 3 July, 2015 5:19:27 AM
Subject: Re: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
Thanks Stian, got it to work.
Strangely enough this validation endpoint is not returned in the keycloak
response on /auth/realms/[realm]/.well-known/openid-configuration . Also I
tried to find any standard reference in the OpenID Connect 1.0
specification and there is no mention of this mechanism. So I assume it's
not a standard OpenID method, right?
As far as I know you're right, there's no standard endpoint for verifying the
token. Not sure it makes sense for us to add non-standard endpoints to the
openid-configuration endpoint.
It's long overdue, but we do plan to provide some better docs with regards to OpenID
Connect, including the "extensions" we've added.
Kind Regards,
Niels
On Thu, Jul 2, 2015 at 5:40 PM, Stian Thorgersen <stian(a)redhat.com> wrote:
> Keycloak has an endpoint to verify a token. URL is:
>
> /auth/realms/<realm>/protocol/openid-connect/validate
>
> It takes a single query_param 'access_token'. If token is valid the
> response will be the token as json document, otherwise it'll return an
> error.
>
> ----- Original Message -----
> > From: "Niels Bertram" <nielsbne(a)gmail.com>
> > To: keycloak-user(a)lists.jboss.org
> > Sent: Monday, 29 June, 2015 5:30:51 PM
> > Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
> >
> > Hi there,
> >
> > I am trying to configure a server side (RP) client which requires a JWT
> > introspection URL on the OP. I tried to find such an endpoint on the
> > KeyCloak server to no avail, neither did I actually find any url of type
> > "introspect" in the OpenID Connect Specification.
> >
> > Does anyone know if/how an OAuth2 client can validate a JWT token via a
> > back channel with the KeyCloak server?
> >
> > The client I am trying to configure is the MITREid client as per
> >
> > https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki...
> >
> > Looking at the code, the client will issue a post to the introspection
> > endpoint with some form data:
> >
> > POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
> > Host: localhost:8080
> > Cache-Control: no-cache
> > Content-Type: application/x-www-form-urlencoded
> >
> > client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[truncated but valid access token]
> >
> > Any pointers are much appreciated.
> >
> > Kind Regards,
> > Niels
>
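
The validate call described in the thread, as an added example that is not part of the original messages and not Keycloak's or MITREid's own code. It assumes the endpoint is called with GET and that a rejected token shows up as a non-200 status or an "error" member; `fake_keycloak`, the sample token and the sample claims are constructed so the block runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

VALIDATE_PATH = "/auth/realms/{realm}/protocol/openid-connect/validate"

def validate_url(base_url, realm, access_token):
    """Build the validate URL; realm and token are percent-encoded."""
    path = VALIDATE_PATH.format(realm=urllib.parse.quote(realm, safe=""))
    query = urllib.parse.urlencode({"access_token": access_token})
    return base_url.rstrip("/") + path + "?" + query

def http_get(url, timeout=5):
    """Real transport: return (status, body). Assumption: the endpoint takes GET."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def validate_token(base_url, realm, access_token, fetch=http_get):
    """Return the token's claims if the server accepts it, otherwise None (fail closed)."""
    try:
        status, body = fetch(validate_url(base_url, realm, access_token))
        claims = json.loads(body.decode("utf-8"))
    except (OSError, ValueError):
        return None  # network failure, timeout, or a body that is not JSON
    # Assumption: a rejected token is signalled by a non-200 status or an "error" member.
    if status != 200 or not isinstance(claims, dict) or "error" in claims:
        return None
    return claims

def fake_keycloak(url):
    """Constructed stand-in for the server so the example runs offline."""
    parts = urllib.parse.urlsplit(url)
    token = urllib.parse.parse_qs(parts.query).get("access_token", [""])[0]
    if parts.path == VALIDATE_PATH.format(realm="myrealm") and token == "constructed.good.token":
        return 200, json.dumps({"sub": "alice", "azp": "myapp"}).encode()
    return 400, json.dumps({"error": "invalid_token"}).encode()

if __name__ == "__main__":
    base = "http://localhost:8080"
    print(validate_token(base, "myrealm", "constructed.good.token", fetch=fake_keycloak))
    print(validate_token(base, "myrealm", "tampered", fetch=fake_keycloak))
```

Because the token travels in the query string, it can end up in proxy and server access logs, so keep this call on a TLS-protected back channel.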