Re: [keycloak-user] Use refresh token for authentication

On 16/09/15 12:25, Sebastian Olscher wrote: > > Hello guys, > > we ´re using the „Direct Grant Access” flow described in chapter 15 > in the keycloak users documentation. As we understood, the following > steps are necessary: > > 1.: Do the token request with “username/password” and > “grant_type=password” to the token server (keycloak). > > 2.: The token response from keycloak contains an “access_token” and a > “refresh_token”. > > 3.: Normally, the client uses the “access_token” within the > HTTP-Header (Authorization Bearer **access_token**) to do the > authentication. > > Everything works as expected. We have found that you can also use the > “refresh_token” instead of the “access_token” in step 3 to do the > authentication and it will be still successful. From our point of > view, this is possible, because the keycloak-wildfly-security-module > does not check the token-type. But, from our understanding the > “refresh_token” is not intended to do the authentication, so this > should not work, right? So my two questions are: > > 1.: Why is the authentication with the “refresh_token” successful? > Looks like a bug. Could you please create JIRA ? Ideally we can fill "type" field for AccessToken as "ACCESS" and then in RSATokenVerifier allow just type "ACCESS" . Refresh token has type "REFRESH" so it won't be allowed anymore, similarly offline token, which I am adding right now.

> > 2.: The “refresh_token” in the token response is defined as an > optional element within the OAUth-2.0 specification, so is there any > possibility to prevent keycloak returning it? > Right now, we always return it. But when JIRA is fixed, it's not a problem as refresh token can't be used for authentication anymore, just for the refresh. Marek > > Thanks, > > Sebastian > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user