On 16/09/15 16:32, Marek Posolda wrote:
On 16/09/15 12:25, Sebastian Olscher wrote:
>
> Hello guys,
>
> we're using the "Direct Grant Access" flow described in chapter 15
> in the keycloak users documentation. As we understood, the following
> steps are necessary:
>
> 1.: Do the token request with “username/password” and
> “grant_type=password” to the token server (keycloak).
>
> 2.: The token response from keycloak contains an “access_token” and a
> “refresh_token”.
>
> 3.: Normally, the client uses the “access_token” within the
> HTTP-Header (Authorization Bearer **access_token**) to do the
> authentication.
>
> Everything works as expected. We have found that you can also use the
> “refresh_token” instead of the “access_token” in step 3 to do the
> authentication and it will be still successful. From our point of
> view, this is possible, because the keycloak-wildfly-security-module
> does not check the token-type. But, from our understanding the
> “refresh_token” is not intended to do the authentication, so this
> should not work, right? So my two questions are:
>
> 1.: Why is the authentication with the “refresh_token” successful?
>
Looks like a bug. Could you please create a JIRA? Ideally we can fill
the "type" field for AccessToken as "ACCESS" and then in RSATokenVerifier
allow just type "ACCESS". Refresh token has type "REFRESH" so it
won't be allowed anymore, similarly offline token, which I am adding
right now.
Maybe even better type for access tokens should be "Bearer".
Marek
>
> 2.: The "refresh_token" in the token response is defined as an
> optional element within the OAuth 2.0 specification, so is there any
> possibility to prevent keycloak returning it?
>
Right now, we always return it. But when JIRA is fixed, it's not a
problem as refresh token can't be used for authentication anymore,
just for the refresh.
Marek
>
> Thanks,
>
> Sebastian
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
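The check Marek proposes, shown end to end as an added example that is not Keycloak's code: a direct-grant response is minted with two tokens that differ only in a "typ" claim, and the bearer verifier rejects anything whose type is not "Bearer". Everything here is constructed for illustration: HS256 with a demo key stands in for the realm's RSA signature, the type values "Bearer" and "Refresh" follow Marek's suggestion rather than a Keycloak release, and `enforce_type=False` exists only to reproduce the reported behaviour (signature and expiry pass, so the refresh token authenticates) next to the corrected one.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment verifies the realm's RSA signature instead.
DEMO_KEY = b"constructed-demo-hmac-key"

TOKEN_TYPE_BEARER = "Bearer"    # value Marek proposes for access tokens
TOKEN_TYPE_REFRESH = "Refresh"  # assumed value for refresh tokens


class TokenRejected(Exception):
    """Raised when a token must not authenticate the request."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(typ: str, subject: str, lifetime: int, now: int) -> str:
    """Build a compact HS256 JWT whose payload carries a 'typ' claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"typ": typ, "sub": subject, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    signature = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def direct_grant_response(subject: str, now: int) -> dict:
    """Shape of the grant_type=password response: both tokens, told apart by type."""
    return {
        "token_type": "bearer",
        "access_token": mint_token(TOKEN_TYPE_BEARER, subject, 300, now),
        "refresh_token": mint_token(TOKEN_TYPE_REFRESH, subject, 1800, now),
    }


def verify_bearer(token: str, now: int, enforce_type: bool = True) -> dict:
    """Validate a token presented as a bearer credential and return its claims.

    enforce_type=False reproduces the behaviour reported in the thread: signature
    and expiry pass, so a refresh token is accepted. The default additionally
    rejects any token whose 'typ' claim is not Bearer.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise TokenRejected("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected algorithm")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise TokenRejected("expired")
    # The check the thread is about: only access tokens may act as bearer credentials.
    if enforce_type and payload.get("typ") != TOKEN_TYPE_BEARER:
        raise TokenRejected(f"token type {payload.get('typ')!r} is not a bearer credential")
    return payload


def authenticate(authorization_header: str, now: int, enforce_type: bool = True) -> dict:
    """Parse 'Authorization: Bearer <token>' and verify the token."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenRejected("missing bearer credential")
    return verify_bearer(token.strip(), now, enforce_type)


if __name__ == "__main__":
    now = int(time.time())
    resp = direct_grant_response("sebastian", now)
    print("access token ->", authenticate("Bearer " + resp["access_token"], now)["sub"])
    for enforce in (False, True):
        try:
            authenticate("Bearer " + resp["refresh_token"], now, enforce)
            print(f"refresh token accepted (enforce_type={enforce})")
        except TokenRejected as exc:
            print(f"refresh token rejected (enforce_type={enforce}): {exc}")
```

The type check sits after signature and expiry verification on purpose: it is a claim inside the signed payload, so it is only meaningful once the signature is known to be good. With it in place the second question in the thread matters less, as Marek says: the refresh token can still be returned, but it is only usable at the token endpoint for a refresh.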