Hi All, I'm evaluating keycloak and i'm currently looking at token introspection. I've managed to achieve this manually, i.e. by sending a post via postman, but i'm unable to figure out whether this can be achieved via the keycloak adapters, specifically spring boot. any help in this area would be appreciated. thanks Simon.

I'm looking at the code on server and I dont' see that it requires any special switch to use it. The endpoint is: @Post /auth/realms/{realm}/protocol/openid-connect/token/introspect Takes form params. token token_type_hint (optional and defaults to "access_token") On 8/8/17 4:31 AM, Simon Payne wrote: > after some debugging i figured that > keycloak.policy-enforcer-config.online-introspection=true switched on this > functionality, however it appears to error on a 400 after making a call to > the /auth/realms/master/protocol/openid-connect/token endpoint. > > I'm assuming this is a bug? > > Thanks > > > > On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58(a)gmail.com&gt; wrote: > >> Hi All, >> >> I'm evaluating keycloak and i'm currently looking at token introspection. >> >> I've managed to achieve this manually, i.e. by sending a post via postman, >> but i'm unable to figure out whether this can be achieved via the keycloak >> adapters, specifically spring boot. >> >> any help in this area would be appreciated. >> >> thanks >> >> Simon. >> > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Doesn't look like the switch is hooked up to anything.  As it is, it looks like this switch was added for RPT validation, not access token validation, and not ever implemented.  You just want the adapter to validate the access token with the auth server for bearer token requests, right? On 8/8/17 9:29 AM, Bill Burke wrote: > I'm looking at the code on server and I dont' see that it requires any > special switch to use it.  The endpoint is: > > @Post > > /auth/realms/{realm}/protocol/openid-connect/token/introspect > > Takes form params. > > token > > token_type_hint (optional and defaults to "access_token") > > > > > > On 8/8/17 4:31 AM, Simon Payne wrote: >> after some debugging i figured that >> keycloak.policy-enforcer-config.online-introspection=true switched on this >> functionality, however it appears to error on a 400 after making a call to >> the /auth/realms/master/protocol/openid-connect/token endpoint. >> >> I'm assuming this is a bug? >> >> Thanks >> >> >> >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58(a)gmail.com&gt; wrote: >> >>> Hi All, >>> >>> I'm evaluating keycloak and i'm currently looking at token introspection. >>> >>> I've managed to achieve this manually, i.e. by sending a post via postman, >>> but i'm unable to figure out whether this can be achieved via the keycloak >>> adapters, specifically spring boot. >>> >>> any help in this area would be appreciated. >>> >>> thanks >>> >>> Simon. >>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hey Lucian, we have this https://github.com/keycloak/ keycloak-quickstarts/tree/latest/app-authz-springboot. On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian <okianl(a)yahoo.com&gt; wrote: > Simon, > Do you have a demo app with that? I am just curious to see a spring(boot) > app with authorizations...I remember that I tried something with > authorizations, and the authorization context was null(I know there are > some Jira issues about it), but I still could not get it to work in 2.5.5 > AuthorizationContext authzContext = > keycloakSecurityContext.getAuthorizationContext(); > Thanks,Lucian > > On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne < > simonpayne58(a)gmail.com&gt; wrote: > > yes correct. > > there is a definite change in behavior with the addition of the > keycloak.policy-enforcer-config.online-introspection=true flag, as > without > this single line in my property file it works correctly as a bearer only > resource server. Addition of this line results in the incorrect call to > token exchange endpoint. > > thanks > > > On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke(a)redhat.com&gt; wrote: > > > Doesn't look like the switch is hooked up to anything. As it is, it > > looks like this switch was added for RPT validation, not access token > > validation, and not ever implemented. You just want the adapter to > > validate the access token with the auth server for bearer token > > requests, right? > > > > > > On 8/8/17 9:29 AM, Bill Burke wrote: > > > I'm looking at the code on server and I dont' see that it requires any > > > special switch to use it. The endpoint is: > > > > > > @Post > > > > > > /auth/realms/{realm}/protocol/openid-connect/token/introspect > > > > > > Takes form params. > > > > > > token > > > > > > token_type_hint (optional and defaults to "access_token") > > > > > > > > > > > > > > > > > > On 8/8/17 4:31 AM, Simon Payne wrote: > > >> after some debugging i figured that > > >> keycloak.policy-enforcer-config.online-introspection=true switched > on > > this > > >> functionality, however it appears to error on a 400 after making a > call > > to > > >> the /auth/realms/master/protocol/openid-connect/token endpoint. > > >> > > >> I'm assuming this is a bug? > > >> > > >> Thanks > > >> > > >> > > >> > > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58(a)gmail.com&gt; > > wrote: > > >> > > >>> Hi All, > > >>> > > >>> I'm evaluating keycloak and i'm currently looking at token > > introspection. > > >>> > > >>> I've managed to achieve this manually, i.e. by sending a post via > > postman, > > >>> but i'm unable to figure out whether this can be achieved via the > > keycloak > > >>> adapters, specifically spring boot. > > >>> > > >>> any help in this area would be appreciated. > > >>> > > >>> thanks > > >>> > > >>> Simon. > > >>> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user(a)lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

do we have token introspection implemented in any of the client adapters (other than spring boot)? thanks On Wed, Aug 9, 2017 at 9:50 AM, Simon Payne <simonpayne58(a)gmail.com&gt; wrote: > thanks Pedro, > > however, i think our use cases are not exactly the same. it appears your > component is set to allow authentication of user where mine is bearer only. > > the only other differences i can see between our projects is that i am > running gradle with keycloak 3.2.0 and that i have also added compile( > 'org.keycloak:keycloak-authz-client:3.2.0.CR1') > > Lucian, i don't have a project which i can share at the moment as other > code is included, if you would still like to see something i can make a > shareable version. > > Thanks > > > On Tue, Aug 8, 2017 at 8:57 PM, Pedro Igor Silva <psilva(a)redhat.com&gt; > wrote: > >> Hey Lucian, we have this https://github.com/keycloak/ke >> ycloak-quickstarts/tree/latest/app-authz-springboot. >> >> On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian <okianl(a)yahoo.com&gt; wrote: >> >>> Simon, >>> Do you have a demo app with that? I am just curious to see a >>> spring(boot) app with authorizations...I remember that I tried something >>> with authorizations, and the authorization context was null(I know there >>> are some Jira issues about it), but I still could not get it to work in >>> 2.5.5 >>> AuthorizationContext authzContext = >>> keycloakSecurityContext.getAuthorizationContext(); >>> Thanks,Lucian >>> >>> On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne < >>> simonpayne58(a)gmail.com&gt; wrote: >>> >>> yes correct. >>> >>> there is a definite change in behavior with the addition of the >>> keycloak.policy-enforcer-config.online-introspection=true flag, as >>> without >>> this single line in my property file it works correctly as a bearer only >>> resource server. Addition of this line results in the incorrect call to >>> token exchange endpoint. >>> >>> thanks >>> >>> >>> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke(a)redhat.com&gt; wrote: >>> >>> > Doesn't look like the switch is hooked up to anything. As it is, it >>> > looks like this switch was added for RPT validation, not access token >>> > validation, and not ever implemented. You just want the adapter to >>> > validate the access token with the auth server for bearer token >>> > requests, right? >>> > >>> > >>> > On 8/8/17 9:29 AM, Bill Burke wrote: >>> > > I'm looking at the code on server and I dont' see that it requires >>> any >>> > > special switch to use it. The endpoint is: >>> > > >>> > > @Post >>> > > >>> > > /auth/realms/{realm}/protocol/openid-connect/token/introspect >>> > > >>> > > Takes form params. >>> > > >>> > > token >>> > > >>> > > token_type_hint (optional and defaults to "access_token") >>> > > >>> > > >>> > > >>> > > >>> > > >>> > > On 8/8/17 4:31 AM, Simon Payne wrote: >>> > >> after some debugging i figured that >>> > >> keycloak.policy-enforcer-config.online-introspection=true switched >>> on >>> > this >>> > >> functionality, however it appears to error on a 400 after making a >>> call >>> > to >>> > >> the /auth/realms/master/protocol/openid-connect/token endpoint. >>> > >> >>> > >> I'm assuming this is a bug? >>> > >> >>> > >> Thanks >>> > >> >>> > >> >>> > >> >>> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne < simonpayne58(a)gmail.com >>> > >>> > wrote: >>> > >> >>> > >>> Hi All, >>> > >>> >>> > >>> I'm evaluating keycloak and i'm currently looking at token >>> > introspection. >>> > >>> >>> > >>> I've managed to achieve this manually, i.e. by sending a post via >>> > postman, >>> > >>> but i'm unable to figure out whether this can be achieved via the >>> > keycloak >>> > >>> adapters, specifically spring boot. >>> > >>> >>> > >>> any help in this area would be appreciated. >>> > >>> >>> > >>> thanks >>> > >>> >>> > >>> Simon. >>> > >>> >>> > >> _______________________________________________ >>> > >> keycloak-user mailing list >>> > >> keycloak-user(a)lists.jboss.org >>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > > _______________________________________________ >>> > > keycloak-user mailing list >>> > > keycloak-user(a)lists.jboss.org >>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user(a)lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

yes correct. there is a definite change in behavior with the addition of the keycloak.policy-enforcer-config.online-introspection=true flag, as without this single line in my property file it works correctly as a bearer only resource server. Addition of this line results in the incorrect call to token exchange endpoint. thanks On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke(a)redhat.com&gt; wrote: > Doesn't look like the switch is hooked up to anything. As it is, it > looks like this switch was added for RPT validation, not access token > validation, and not ever implemented. You just want the adapter to > validate the access token with the auth server for bearer token > requests, right? > > > On 8/8/17 9:29 AM, Bill Burke wrote: > > I'm looking at the code on server and I dont' see that it requires any > > special switch to use it. The endpoint is: > > > > @Post > > > > /auth/realms/{realm}/protocol/openid-connect/token/introspect > > > > Takes form params. > > > > token > > > > token_type_hint (optional and defaults to "access_token") > > > > > > > > > > > > On 8/8/17 4:31 AM, Simon Payne wrote: > >> after some debugging i figured that > >> keycloak.policy-enforcer-config.online-introspection=true switched on > this > >> functionality, however it appears to error on a 400 after making a call > to > >> the /auth/realms/master/protocol/openid-connect/token endpoint. > >> > >> I'm assuming this is a bug? > >> > >> Thanks > >> > >> > >> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58(a)gmail.com&gt; > wrote: > >> > >>> Hi All, > >>> > >>> I'm evaluating keycloak and i'm currently looking at token > introspection. > >>> > >>> I've managed to achieve this manually, i.e. by sending a post via > postman, > >>> but i'm unable to figure out whether this can be achieved via the > keycloak > >>> adapters, specifically spring boot. > >>> > >>> any help in this area would be appreciated. > >>> > >>> thanks > >>> > >>> Simon. > >>> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user(a)lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user