It works because our bearer tokens are JWS signed JWTs whose signature
and issuer are validated by the adapter itself using the realm's public key.
On 8/8/17 11:10 AM, Simon Payne wrote:
yes correct.
there is a definite change in behavior with the addition of the
keycloak.policy-enforcer-config.online-introspection=true flag, as without
this single line in my property file it works correctly as a bearer only
resource server. Addition of this line results in the incorrect call to
token exchange endpoint.
thanks
On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke(a)redhat.com> wrote:
> Doesn't look like the switch is hooked up to anything. As it is, it
> looks like this switch was added for RPT validation, not access token
> validation, and not ever implemented. You just want the adapter to
> validate the access token with the auth server for bearer token
> requests, right?
>
>
> On 8/8/17 9:29 AM, Bill Burke wrote:
>> I'm looking at the code on server and I don't see that it requires any
>> special switch to use it. The endpoint is:
>>
>> @Post
>> /auth/realms/{realm}/protocol/openid-connect/token/introspect
>>
>> Takes form params.
>>
>> token
>> token_type_hint (optional and defaults to "access_token")
>>
>> On 8/8/17 4:31 AM, Simon Payne wrote:
>>> after some debugging I figured that
>>> keycloak.policy-enforcer-config.online-introspection=true switched on this
>>> functionality, however it appears to error on a 400 after making a call to
>>> the /auth/realms/master/protocol/openid-connect/token endpoint.
>>>
>>> I'm assuming this is a bug?
>>>
>>> Thanks
>>>
>>>
>>>
>>> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58(a)gmail.com> wrote:
>>>> Hi All,
>>>>
>>>> I'm evaluating Keycloak and I'm currently looking at token introspection.
>>>> I've managed to achieve this manually, i.e. by sending a POST via Postman,
>>>> but I'm unable to figure out whether this can be achieved via the Keycloak
>>>> adapters, specifically Spring Boot.
>>>>
>>>> any help in this area would be appreciated.
>>>>
>>>> thanks
>>>>
>>>> Simon.
>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
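The introspection call described in the thread above (a POST to the realm's `token/introspect` endpoint with the `token` and `token_type_hint` form params), as an added example that is not part of the original messages or of Keycloak's adapter code. The helper names, the HTTP Basic client authentication and the presence of `iss` in the response are assumptions; the request is built but not sent.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_introspection_request(base_url, realm, token, client_id, client_secret):
    """Build (but do not send) the POST to the realm's introspection endpoint."""
    url = "%s/auth/realms/%s/protocol/openid-connect/token/introspect" % (
        base_url.rstrip("/"), urllib.parse.quote(realm, safe=""))
    # Form params named in the thread; token_type_hint is optional.
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode("ascii")
    # Assumption: the resource server authenticates as a confidential client
    # with HTTP Basic credentials.
    basic = base64.b64encode(
        ("%s:%s" % (client_id, client_secret)).encode()).decode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })


def is_token_active(status, raw_body, expected_issuer):
    """Fail closed: accept only HTTP 200, "active": true and the expected issuer."""
    if status != 200:
        return False
    try:
        claims = json.loads(raw_body)
    except (ValueError, TypeError):
        return False
    # "active" must be the JSON boolean true, not a truthy string.
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False
    # Assumption: the response for an active token includes its "iss" claim.
    return claims.get("iss") == expected_issuer


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    req = build_introspection_request(
        "https://sso.example.test", "demo", "abc.def.ghi", "resource-server", "s3cret")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Unlike local signature and issuer validation, the server-side answer also reflects tokens that were revoked or whose session was logged out before their expiry.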