11:08 a.m.
Hi,
We are using scope=offline_token param to get refresh_token that is valid for long time,
then we do call :
grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_token={refresh_token}
to get access_token, and that call returns access_token with status 200. Next step is to
call our custom REST Endpoint using authorization header:
Authorization: bearer {access_token}
But in Keycloak itself, when we try to check if token is valid:
private final AuthenticationManager.AuthResult auth;
public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String
abosUsername, String abosPassword) {
this.session = session;
this.auth = new AppAuthManager().authenticateBearerToken(session,
session.realms().getRealm(Constants.XXXXXXX));
}
this.auth is null, when I was debugging this, I found that Keycloak reports: Token
invalid. How can it be invalid, if it was just issued?
What is even more interesting, this works between first login using credentials and time
configured as SSO Session Idle (so in our case for 30 minutes)
I understand that session is closed after some Idle time, but if we have valid
refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong
method?
Kind Regards,
Mariusz Chruścielewski
software engineer
mariusz@info.nl<mailto:mariusz@info.nl> |
LinkedIn<https://www.linkedin.com/in/mariusz-chruscielewski> | +31 (0)20 530
9113<tel:+31205309113%20>
info.nl <http://www.info.nl>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530
9100<tel:+31205309100>
12:10 p.m.
Maybe try:
Authorization: Bearer {access_token}
(uppercase Bearer)
On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl"
<mariusz(a)info.nl>
wrote:
Hi,
We are using scope=offline_token param to get refresh_token that is valid
for long time, then we do call :
grant_type=refresh_token&client_id=xxxx&scope=offline_
access&refresh_token={refresh_token}
to get access_token, and that call returns access_token with status 200.
Next step is to call our custom REST Endpoint using authorization header:
Authorization: bearer {access_token}
But in Keycloak itself, when we try to check if token is valid:
private final AuthenticationManager.AuthResult auth;
public EntitlementResourceProvider(KeycloakSession session, String abosUrl,
String abosUsername, String abosPassword) {
this.session = session;
this.auth = new AppAuthManager().authenticateBearerToken(session,
session.realms().getRealm(Constants.XXXXXXX));
}
this.auth is null, when I was debugging this, I found that Keycloak
reports: Token invalid. How can it be invalid, if it was just issued?
What is even more interesting, this works between first login using
credentials and time configured as SSO Session Idle (so in our case for 30
minutes)
I understand that session is closed after some Idle time, but if we have
valid refresh_token, and we get new access_token, why doesn't it validate?
Am I using wrong method?
Kind Regards,
Mariusz Chruścielewski
software engineer
mariusz@info.nl<mailto:mariusz@info.nl> | LinkedIn<https://www.linkedin.
com/in/mariusz-chruscielewski> | +31 (0)20 530 9113<tel:+31205309113%20>
info.nl <http://www.info.nl>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100<tel:
+31205309100>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:24 p.m.
Hi Marko, it isn’t the problem. It works with lowercase as long as SSO Session Idle time
isn’t over.
I think there has to be some different method to check if you are using access_token
issued by using offline_refresh_token
When I do authorization call using offline refresh_token, I don’t see new session open in
keycloak admin console.
Any other ideas?
Regards
Mariusz
From: Marko Strukelj [mailto:mstrukel@redhat.com]
Sent: dinsdag 4 april 2017 19:11
To: Mariusz Chruscielewski - Info.nl <mariusz(a)info.nl>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] How to authenticate using offline refresh_token
Maybe try:
Authorization: Bearer {access_token}
(uppercase Bearer)
On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl"
<mariusz@info.nl<mailto:mariusz@info.nl>> wrote:
Hi,
We are using scope=offline_token param to get refresh_token that is valid for long time,
then we do call :
grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_token={refresh_token}
to get access_token, and that call returns access_token with status 200. Next step is to
call our custom REST Endpoint using authorization header:
Authorization: bearer {access_token}
But in Keycloak itself, when we try to check if token is valid:
private final AuthenticationManager.AuthResult auth;
public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String
abosUsername, String abosPassword) {
this.session = session;
this.auth = new AppAuthManager().authenticateBearerToken(session,
session.realms().getRealm(Constants.XXXXXXX));
}
this.auth is null, when I was debugging this, I found that Keycloak reports: Token
invalid. How can it be invalid, if it was just issued?
What is even more interesting, this works between first login using credentials and time
configured as SSO Session Idle (so in our case for 30 minutes)
I understand that session is closed after some Idle time, but if we have valid
refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong
method?
Kind Regards,
Mariusz Chruścielewski
software engineer
mariusz@info.nl<mailto:mariusz@info.nl><mailto:mariusz@info.nl<mailto:mariusz@info.nl>>
| LinkedIn<https://www.linkedin.com/in/mariusz-chruscielewski> | +31 (0)20 530
9113<tel:%2B31%20%280%2920%20530%209113><tel:+31205309113%20>
info.nl<http://info.nl> <http://www.info.nl>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530
9100<tel:%2B31%20%280%2920%20530%209100><tel:+31205309100<tel:%2B31205309100>>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:53 p.m.
Access token itself is valid just for few minutes. When access token is
expired, you need offline token to send request for refreshing of access
token (retrieve new access token).
I suggest to look at our example in keycloak-examples distribution under
"preconfigured-demo/offline-access-app" directory.
Marek
On 04/04/17 19:24, Mariusz Chruscielewski - Info.nl wrote:
Hi Marko, it isn’t the problem. It works with lowercase as long as
SSO Session Idle time isn’t over.
I think there has to be some different method to check if you are using access_token
issued by using offline_refresh_token
When I do authorization call using offline refresh_token, I don’t see new session open in
keycloak admin console.
Any other ideas?
Regards
Mariusz
From: Marko Strukelj [mailto:mstrukel@redhat.com]
Sent: dinsdag 4 april 2017 19:11
To: Mariusz Chruscielewski - Info.nl <mariusz(a)info.nl>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] How to authenticate using offline refresh_token
Maybe try:
Authorization: Bearer {access_token}
(uppercase Bearer)
On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl"
<mariusz@info.nl<mailto:mariusz@info.nl>> wrote:
Hi,
We are using scope=offline_token param to get refresh_token that is valid for long time,
then we do call :
grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_token={refresh_token}
to get access_token, and that call returns access_token with status 200. Next step is to
call our custom REST Endpoint using authorization header:
Authorization: bearer {access_token}
But in Keycloak itself, when we try to check if token is valid:
private final AuthenticationManager.AuthResult auth;
public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String
abosUsername, String abosPassword) {
this.session = session;
this.auth = new AppAuthManager().authenticateBearerToken(session,
session.realms().getRealm(Constants.XXXXXXX));
}
this.auth is null, when I was debugging this, I found that Keycloak reports: Token
invalid. How can it be invalid, if it was just issued?
What is even more interesting, this works between first login using credentials and time
configured as SSO Session Idle (so in our case for 30 minutes)
I understand that session is closed after some Idle time, but if we have valid
refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong
method?
Kind Regards,
Mariusz Chruścielewski
software engineer
mariusz@info.nl<mailto:mariusz@info.nl><mailto:mariusz@info.nl<mailto:mariusz@info.nl>>
| LinkedIn<https://www.linkedin.com/in/mariusz-chruscielewski> | +31 (0)20 530
9113<tel:%2B31%20%280%2920%20530%209113><tel:+31205309113%20>
info.nl<http://info.nl> <http://www.info.nl>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530
9100<tel:%2B31%20%280%2920%20530%209100><tel:+31205309100<tel:%2B31205309100>>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:17 a.m.
Hi Marek, I think we are not on the same page.
What I'm trying to do, it to call REST endpoint using access_token. In RestEndpoint I
have method to check if token is active (from your examples). It set's auth object in
Constructor:
public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String
abosUsername, String abosPassword) {
this.session = session;
this.auth = new AppAuthManager().authenticateBearerToken(session,
session.realms().getRealm(Constants.VI_REALM)); }
and then on real REST call there is:
private void isUserAuthorized() {
if (auth == null) {
throw new NotAuthorizedException("Bearer");
} else if (auth.getToken().getRealmAccess() == null) {
throw new ForbiddenException("Does not have realm admin role");
}
}
The problem is that if I get access_token from:
http://dev.vi.nl:8180/auth/realms/vi/protocol/openid-connect/token
using offline refresh token, it works as long, as first login session is still active:
1. User logs in using credentials, we do call to /token using grant_type=credentials and
scope=offline_access
2. We get access_token and refresh_token
3. As long as this logged in session is active, we can get new access_token using
refresh_token, and that access_token is used to authenticate REST call - it all works like
it should
4. Once session is closed (SSO_Idle_time past) then I can still get new access_token
using the same refresh_token, but when I use this new access_token to call REST endpoint,
this part:
this.auth = new AppAuthManager().authenticateBearerToken(session,
session.realms().getRealm(Constants.VI_REALM));
returns NULL - so Token is not valid.
In examples you referred I didn't see anything about validating token.
I hope now it's more clear.
Regards
Mariusz
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: dinsdag 4 april 2017 21:53
To: Mariusz Chruscielewski - Info.nl <mariusz(a)info.nl>; Marko Strukelj
<mstrukel(a)redhat.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] How to authenticate using offline refresh_token
Access token itself is valid just for few minutes. When access token is expired, you need
offline token to send request for refreshing of access token (retrieve new access token).
I suggest to look at our example in keycloak-examples distribution under
"preconfigured-demo/offline-access-app" directory.
Marek
On 04/04/17 19:24, Mariusz Chruscielewski - Info.nl wrote:
Hi Marko, it isn’t the problem. It works with lowercase as long as
SSO Session Idle time isn’t over.
I think there has to be some different method to check if you are
using access_token issued by using offline_refresh_token
When I do authorization call using offline refresh_token, I don’t see new session open in
keycloak admin console.
Any other ideas?
Regards
Mariusz
From: Marko Strukelj [mailto:mstrukel@redhat.com]
Sent: dinsdag 4 april 2017 19:11
To: Mariusz Chruscielewski - Info.nl <mariusz(a)info.nl>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] How to authenticate using offline
refresh_token
Maybe try:
Authorization: Bearer {access_token}
(uppercase Bearer)
On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl"
<mariusz@info.nl<mailto:mariusz@info.nl>> wrote:
Hi,
We are using scope=offline_token param to get refresh_token that is valid for long time,
then we do call :
grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_t
oken={refresh_token}
to get access_token, and that call returns access_token with status 200. Next step is to
call our custom REST Endpoint using authorization header:
Authorization: bearer {access_token}
But in Keycloak itself, when we try to check if token is valid:
private final AuthenticationManager.AuthResult auth;
public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String
abosUsername, String abosPassword) {
this.session = session;
this.auth = new
AppAuthManager().authenticateBearerToken(session,
session.realms().getRealm(Constants.XXXXXXX));
}
this.auth is null, when I was debugging this, I found that Keycloak reports: Token
invalid. How can it be invalid, if it was just issued?
What is even more interesting, this works between first login using
credentials and time configured as SSO Session Idle (so in our case
for 30 minutes)
I understand that session is closed after some Idle time, but if we have valid
refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong
method?
Kind Regards,
Mariusz Chruścielewski
software engineer
mariusz@info.nl<mailto:mariusz@info.nl><mailto:mariusz@info.nl<mailto:
mariusz(a)info.nl>> |
LinkedIn<https://www.linkedin.com/in/mariusz-chruscielewski> | +31
(0)20 530
9113<tel:%2B31%20%280%2920%20530%209113><tel:+31205309113%20>
info.nl<http://info.nl> <http://www.info.nl>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530
9100<tel:%2B31%20%280%2920%20530%209100><tel:+31205309100<tel:%2B31205
309100>>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:48 a.m.
I also found this topic from January:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-Offline-Tokens-Bec...
and Jira issue:
https://issues.jboss.org/browse/KEYCLOAK-4201
I did update to 2.5.5 but it's still the same, looks like this:
new AppAuthManager().authenticateBearerToken(session,
session.realms().getRealm(Constants.VI_REALM));
requires active session to work, but then what is the way to authenticate REST call using
access_token generated by offline refresh_token?
Thanks
Mariusz
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: dinsdag 4 april 2017 21:53
To: Mariusz Chruscielewski - Info.nl <mariusz(a)info.nl>; Marko Strukelj
<mstrukel(a)redhat.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] How to authenticate using offline refresh_token
Access token itself is valid just for few minutes. When access token is expired, you need
offline token to send request for refreshing of access token (retrieve new access token).
I suggest to look at our example in keycloak-examples distribution under
"preconfigured-demo/offline-access-app" directory.
Marek
On 04/04/17 19:24, Mariusz Chruscielewski - Info.nl wrote:
Hi Marko, it isn’t the problem. It works with lowercase as long as
SSO Session Idle time isn’t over.
I think there has to be some different method to check if you are
using access_token issued by using offline_refresh_token
When I do authorization call using offline refresh_token, I don’t see new session open in
keycloak admin console.
Any other ideas?
Regards
Mariusz
From: Marko Strukelj [mailto:mstrukel@redhat.com]
Sent: dinsdag 4 april 2017 19:11
To: Mariusz Chruscielewski - Info.nl <mariusz(a)info.nl>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] How to authenticate using offline
refresh_token
Maybe try:
Authorization: Bearer {access_token}
(uppercase Bearer)
On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl"
<mariusz@info.nl<mailto:mariusz@info.nl>> wrote:
Hi,
We are using scope=offline_token param to get refresh_token that is valid for long time,
then we do call :
grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_t
oken={refresh_token}
to get access_token, and that call returns access_token with status 200. Next step is to
call our custom REST Endpoint using authorization header:
Authorization: bearer {access_token}
But in Keycloak itself, when we try to check if token is valid:
private final AuthenticationManager.AuthResult auth;
public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String
abosUsername, String abosPassword) {
this.session = session;
this.auth = new
AppAuthManager().authenticateBearerToken(session,
session.realms().getRealm(Constants.XXXXXXX));
}
this.auth is null, when I was debugging this, I found that Keycloak reports: Token
invalid. How can it be invalid, if it was just issued?
What is even more interesting, this works between first login using
credentials and time configured as SSO Session Idle (so in our case
for 30 minutes)
I understand that session is closed after some Idle time, but if we have valid
refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong
method?
Kind Regards,
Mariusz Chruścielewski
software engineer
mariusz@info.nl<mailto:mariusz@info.nl><mailto:mariusz@info.nl<mailto:
mariusz(a)info.nl>> |
LinkedIn<https://www.linkedin.com/in/mariusz-chruscielewski> | +31
(0)20 530
9113<tel:%2B31%20%280%2920%20530%209113><tel:+31205309113%20>
info.nl<http://info.nl> <http://www.info.nl>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530
9100<tel:%2B31%20%280%2920%20530%209100><tel:+31205309100<tel:%2B31205
309100>>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:58 a.m.
Hi Marek, sorry for previous message - it actually works well in 2.5.5. I made a mistake
and I was still using 2.5.0 not 2.5.5 - after proper upgrade, it works.
Regards
Mariusz
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: dinsdag 4 april 2017 21:53
To: Mariusz Chruscielewski - Info.nl <mariusz(a)info.nl>; Marko Strukelj
<mstrukel(a)redhat.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] How to authenticate using offline refresh_token
Access token itself is valid just for few minutes. When access token is expired, you need
offline token to send request for refreshing of access token (retrieve new access token).
I suggest to look at our example in keycloak-examples distribution under
"preconfigured-demo/offline-access-app" directory.
Marek
On 04/04/17 19:24, Mariusz Chruscielewski - Info.nl wrote:
Hi Marko, it isn’t the problem. It works with lowercase as long as
SSO Session Idle time isn’t over.
I think there has to be some different method to check if you are
using access_token issued by using offline_refresh_token
When I do authorization call using offline refresh_token, I don’t see new session open in
keycloak admin console.
Any other ideas?
Regards
Mariusz
From: Marko Strukelj [mailto:mstrukel@redhat.com]
Sent: dinsdag 4 april 2017 19:11
To: Mariusz Chruscielewski - Info.nl <mariusz(a)info.nl>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] How to authenticate using offline
refresh_token
Maybe try:
Authorization: Bearer {access_token}
(uppercase Bearer)
On Apr 4, 2017 18:41, "Mariusz Chruscielewski - Info.nl"
<mariusz@info.nl<mailto:mariusz@info.nl>> wrote:
Hi,
We are using scope=offline_token param to get refresh_token that is valid for long time,
then we do call :
grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_t
oken={refresh_token}
to get access_token, and that call returns access_token with status 200. Next step is to
call our custom REST Endpoint using authorization header:
Authorization: bearer {access_token}
But in Keycloak itself, when we try to check if token is valid:
private final AuthenticationManager.AuthResult auth;
public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String
abosUsername, String abosPassword) {
this.session = session;
this.auth = new
AppAuthManager().authenticateBearerToken(session,
session.realms().getRealm(Constants.XXXXXXX));
}
this.auth is null, when I was debugging this, I found that Keycloak reports: Token
invalid. How can it be invalid, if it was just issued?
What is even more interesting, this works between first login using
credentials and time configured as SSO Session Idle (so in our case
for 30 minutes)
I understand that session is closed after some Idle time, but if we have valid
refresh_token, and we get new access_token, why doesn't it validate? Am I using wrong
method?
Kind Regards,
Mariusz Chruścielewski
software engineer
mariusz@info.nl<mailto:mariusz@info.nl><mailto:mariusz@info.nl<mailto:
mariusz(a)info.nl>> |
LinkedIn<https://www.linkedin.com/in/mariusz-chruscielewski> | +31
(0)20 530
9113<tel:%2B31%20%280%2920%20530%209113><tel:+31205309113%20>
info.nl<http://info.nl> <http://www.info.nl>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530
9100<tel:%2B31%20%280%2920%20530%209100><tel:+31205309100<tel:%2B31205
309100>>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2847
days inactive
2849
days old
6 comments
3 participants
participants (3)
-
Marek Posolda -
Mariusz Chruscielewski - Info.nl -
Marko Strukelj