11:38 a.m.
Hello,
after having looked at the tests:
https://github.com/keycloak/keycloak/blob/d9f82affb0ca36b066b2b1396e953ae...
... I think you need to use basic authentication with client credentials
for the token introspection endpoint.
here is a small example (bash with jq (json query required)
KC_REALM=your-realm
KC_USERNAME=a-realm-user
KC_PASSWORD=a-realm-user-password
KC_CLIENT=a-test-client
KC_CLIENT_SECRET=a-test-client-credental
KC_SERVER=192.168.99.100:8080
KC_CONTEXT=auth
# Request Tokens for credentials
KC_RESPONSE=$( \
curl -k -v -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=$KC_USERNAME" \
-d "password=$KC_PASSWORD" \
-d 'grant_type=password' \
-d "client_id=$KC_CLIENT" \
-d "client_secret=$KC_CLIENT_SECRET" \
"http://$KC_SERVER/$KC_CONTEXT/realms/$REALM/protocol/openid-connect/token"
\
| jq .
)
KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
KC_ID_TOKEN=$(echo $KC_RESPONSE| jq -r .id_token)
KC_REFRESH_TOKEN=$(echo $KC_RESPONSE| jq -r .refresh_token)
# Show all keycloak env variables
set | grep KC_*
# Introspect Keycloak Request Token
curl -k -v \
-X POST \
-u "$KC_CLIENT:$KC_CLIENT_SECRET" \
-d "token=$KC_ACCESS_TOKEN" \
"http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect"
| jq .
gives me:
{
"jti": "xxxx",
"exp": 1461170489,
"nbf": 0,
"iat": 1461170189,
"iss": "http://xxxxx/auth/realms/eurodata-test",
"aud": "test-client",
"sub": "xxxxx",
"typ": "Bearer",
"azp": "test-client",
"session_state": "xxxx",
"name": "Theo Tester",
"given_name": "Theo",
"family_name": "Tester",
"preferred_username": "xxx",
"email": "tester@localhost",
"client_session": "xxxx",
"allowed-origins": [],
"resource_access": {
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"client_id": "test-client",
"username": "xxx",
"active": true
}
HTH
Cheers,
Thomas
2016-04-20 17:39 GMT+02:00 Brian Watson <watson409(a)gmail.com>:
Thank you all for the quick responses. However, I am having an issue
with
that endpoint, and am assuming I am doing something wrong :)
I am making the request with a Bearer authorization header containing the
token of a client that has the admin role in it's service account. I am
testing that the client token is valid via the following curl call:
curl -s -X GET -H "Authorization: Bearer $_CLIENT_TOKEN" '
http://localhost-docker:8080/auth/admin/realms/master/users'
However, when I make the following curl request for token introspection:
curl -v -X POST -H "Authorization: Bearer $_CLIENT_TOKEN" --data
"token=$_INTROSPECT_TOKEN" \
'
http://localhost-docker:8080/auth/realms/master/protocol/openid-connect/t...
'
... I get the following response:
> HTTP/1.1 401 Unauthorized
> Connection: keep-alive
> X-Powered-By: Undertow/1
> Server: WildFly/10
> Content-Type: application/json
> Content-Length: 72
> Date: Wed, 20 Apr 2016 15:33:57 GMT
>
> {"error_description":"Authentication
failed.","error":"invalid_request"}
... and the following console error output:
> 2016-04-20 15:21:45,787 ERROR [org.keycloak.services] (default task-13)
KC-SERVICES0014: Failed client authentication:
org.keycloak.authentication.AuthenticationFlowException: Client was not
identified by any client authenticator
> at
org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:101)
> at
org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:673)
> at
org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:42)
> ...
> 2016-04-20 15:21:45,791 WARN [org.keycloak.events] (default task-13)
type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null,
ipAddress=192.168.99.1, error=invalid_client_credentials
> 2016-04-20 15:21:45,792 WARN [org.keycloak.events] (default task-13)
type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null,
ipAddress=192.168.99.1, error=invalid_request, detail='Authentication
failed.'
Is there another method I should be using to authenticate the client for
this request? Is there something else that you see that I am doing wrong?
On Wed, Apr 20, 2016 at 10:13 AM, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> :)
>
> 2016-04-20 16:07 GMT+02:00 Juraci Paixão Kröhling <juraci(a)kroehling.de>:
>
>> On 20.04.2016 15:53, Brian Watson wrote:
>> > Is there an endpoint I can call with a token that will tell me if the
>> > token is still valid? Is there another way I should be performing this
>> > check?
>>
>> Make a POST sending "token" as request parameter to
>> /realms/{realm}/protocols/openid-connect/token/introspect
>>
>> - Juca.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>