Hi Stian,
Thanks for the response. I got the token_type issue. But when it comes to
scope I am still having questions.
According to the RFC, the scope attribute is optional, but shouldn't we
interpret it as below?
- During the initial handshake, if the request doesn't contain a scope
parameter, then it will become optional in the introspection response.
- During the initial OAuth 2.0 handshake, if the incoming request
contains scope as a query string parameter, then it must be present in
the introspection response with all granted scopes info.
Thanks!
On Fri, Feb 3, 2017 at 12:43 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
1 looks like a bug and it simply has the wrong name.
2 scope is optional and we don't support this at the moment
On 27 January 2017 at 05:52, Jason B <jason(a)naidmincloud.com> wrote:
> Hi,
>
> I am trying to understand the OAuth 2.0 capabilities of the Keycloak server
> and I have a few questions with respect to the implementation of the OAuth
> introspection spec.
>
> This is what a sample introspection response looks like:
>
> {
>   "jti": "7e0a2c4b-9725-432b-a0fd-594f21686108",
>   "exp": 1485492229,
>   "nbf": 0,
>   "iat": 1485491929,
>   "iss": "http://localhost:8080/auth/realms/nkadali",
>   "aud": "proxy",
>   "sub": "e89175d5-94fd-453a-8abb-9953d59d04cf",
>   "typ": "Bearer",
>   "azp": "proxy",
>   "auth_time": 1485487408,
>   "session_state": "c05ea410-6f0a-458d-9b2c-debafba732b7",
>   "name": "",
>   "preferred_username": "jason",
>   "acr": "0",
>   "client_session": "5d761332-97eb-404d-8624-3de4eca967cd",
>   "allowed-origins": [],
>   "realm_access": {
>     "roles": [
>       "uma_authorization"
>     ]
>   },
>   "resource_access": {
>     "account": {
>       "roles": [
>         "manage-account",
>         "view-profile"
>       ]
>     }
>   },
>   "client_id": "proxy",
>   "username": "jason",
>   "active": true
> }
>
>
> I have two questions based on this response.
>
> 1. According to OAuth 2.0 Token Introspection
>    (https://tools.ietf.org/html/rfc7662), the JSON response body may
>    contain a "token_type" member. But why is Keycloak representing
>    "token_type" as "typ"? Is there any specific reason?
> 2. I don't see any "scope" attribute in the response body even though I
>    supplied a scope parameter while requesting the access token. Any
>    idea on how to get the scopes associated with the supplied access
>    token?
>
>
> Thanks!
>
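An added example, not part of the thread and not Keycloak code: how a resource server might consume an introspection response defensively given the two points discussed above, accepting `typ` as a fallback for `token_type` and treating an absent `scope` member as granting nothing. The function names and the scope values `profile` and `email` are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed from the response quoted in the thread
# (no "scope", and "typ" where RFC 7662 names the member "token_type").
KEYCLOAK_STYLE = json.loads("""{
  "exp": 1485492229, "iat": 1485491929, "typ": "Bearer",
  "client_id": "proxy", "username": "jason", "active": true
}""")

# Constructed sample: the same token as a response using the RFC 7662
# member names would carry it. The scope values are made up.
RFC_STYLE = dict(KEYCLOAK_STYLE, token_type="Bearer", scope="profile email")
RFC_STYLE.pop("typ")


def normalize(resp):
    """Map an introspection response onto the RFC 7662 member names."""
    # "active" is the only REQUIRED member; anything but JSON true is inactive.
    active = resp.get("active") is True
    # Accept "typ" only as a fallback for the naming issue in the thread.
    token_type = resp.get("token_type", resp.get("typ"))
    if not isinstance(token_type, str):
        token_type = None
    # "scope" is OPTIONAL: one string holding space-separated scope values.
    raw = resp.get("scope")
    scopes = frozenset(raw.split()) if isinstance(raw, str) else frozenset()
    return {"active": active, "token_type": token_type,
            "scopes": scopes, "scope_present": "scope" in resp}


def authorize(resp, required_scope):
    """Fail closed: an absent scope member grants no scopes at all."""
    info = normalize(resp)
    if not info["active"]:
        return False
    if (info["token_type"] or "").lower() != "bearer":
        return False
    return required_scope in info["scopes"]


if __name__ == "__main__":
    for name, resp in (("keycloak-style", KEYCLOAK_STYLE), ("rfc-style", RFC_STYLE)):
        print(name, normalize(resp), authorize(resp, "profile"))
```

The `scope_present` flag lets a caller log when the server omitted the member, which is distinct from a token that was granted an empty scope.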