Confirmed! Thank you all so much for the help!

On Wed, Apr 20, 2016 at 12:38 PM, Thomas Darimont <thomas.darimont@googlemail.com> wrote:
Hello,

after having looked at the tests: https://github.com/keycloak/keycloak/blob/d9f82affb0ca36b066b2b1396e953ae126c349e0/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java#L228

... I think you need to use basic authentication with client credentials for the token introspection endpoint.

here is a small example (bash with jq (json query required)

KC_REALM=your-realm
KC_USERNAME=a-realm-user
KC_PASSWORD=a-realm-user-password
KC_CLIENT=a-test-client
KC_CLIENT_SECRET=a-test-client-credental
KC_CONTEXT=auth

# Request Tokens for credentials
KC_RESPONSE=$( \ 
   curl -k -v -X POST \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "username=$KC_USERNAME" \
        -d "password=$KC_PASSWORD" \
        -d 'grant_type=password' \
        -d "client_id=$KC_CLIENT" \
        -d "client_secret=$KC_CLIENT_SECRET" \
        "http://$KC_SERVER/$KC_CONTEXT/realms/$REALM/protocol/openid-connect/token" \
    | jq . 
)

KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)

# Show all keycloak env variables
set | grep KC_*

# Introspect Keycloak Request Token
curl -k -v \
     -X POST \
     -u "$KC_CLIENT:$KC_CLIENT_SECRET" \
     -d "token=$KC_ACCESS_TOKEN" \
   "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect" | jq . 

gives me:

{
  "jti": "xxxx",
  "exp": 1461170489,
  "nbf": 0,
  "iat": 1461170189,
  "aud": "test-client",
  "sub": "xxxxx",
  "typ": "Bearer",
  "azp": "test-client",
  "session_state": "xxxx",
  "name": "Theo Tester",
  "given_name": "Theo",
  "family_name": "Tester",
  "preferred_username": "xxx",
  "email": "tester@localhost",
  "client_session": "xxxx",
  "allowed-origins": [],
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "client_id": "test-client",
  "username": "xxx",
  "active": true
}

HTH

Cheers,
Thomas

2016-04-20 17:39 GMT+02:00 Brian Watson <watson409@gmail.com>:
Thank you all for the quick responses. However, I am having an issue with that endpoint, and am assuming I am doing something wrong :)

I am making the request with a Bearer authorization header containing the token of a client that has the admin role in it's service account. I am testing that the client token is valid via the following curl call:

curl -s -X GET -H "Authorization: Bearer $_CLIENT_TOKEN" 'http://localhost-docker:8080/auth/admin/realms/master/users'

However, when I make the following curl request for token introspection:

curl -v -X POST -H "Authorization: Bearer $_CLIENT_TOKEN" --data "token=$_INTROSPECT_TOKEN" \
   'http://localhost-docker:8080/auth/realms/master/protocol/openid-connect/token/introspect'

... I get the following response:

> HTTP/1.1 401 Unauthorized
> Connection: keep-alive
> X-Powered-By: Undertow/1
> Server: WildFly/10
> Content-Type: application/json
> Content-Length: 72
> Date: Wed, 20 Apr 2016 15:33:57 GMT
> {"error_description":"Authentication failed.","error":"invalid_request"}

... and the following console error output:

> 2016-04-20 15:21:45,787 ERROR [org.keycloak.services] (default task-13) KC-SERVICES0014: Failed client authentication: org.keycloak.authentication.AuthenticationFlowException: Client was not identified by any client authenticator
>    at org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:101)
>    at org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:673)
>    at org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:42)
>        ...
> 2016-04-20 15:21:45,791 WARN  [org.keycloak.events] (default task-13) type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.99.1, error=invalid_client_credentials
> 2016-04-20 15:21:45,792 WARN  [org.keycloak.events] (default task-13) type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.99.1, error=invalid_request, detail='Authentication failed.'

Is there another method I should be using to authenticate the client for this request? Is there something else that you see that I am doing wrong?


On Wed, Apr 20, 2016 at 10:13 AM, Thomas Darimont <thomas.darimont@googlemail.com> wrote:
:)

2016-04-20 16:07 GMT+02:00 Juraci Paixão Kröhling <juraci@kroehling.de>:
On 20.04.2016 15:53, Brian Watson wrote:
> Is there an endpoint I can call with a token that will tell me if the
> token is still valid? Is there another way I should be performing this
> check?

Make a POST sending "token" as request parameter to
/realms/{realm}/protocols/openid-connect/token/introspect

- Juca.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user