[keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url

Niels Bertram nielsbne at gmail.com
Thu Jul 2 23:19:27 EDT 2015


Thanks Stian, got it to work.

Strangely enough this validation endpoint is not returned in the keycloak
response on /auth/realms/[realm]/.well-known/openid-configuration . Also I
tried to find any standard reference in the OpenID Connect 1.0
specification and there is no mentioning of this mechanism. So I assume its
not a standard OpenID method right?

Kind Regards,
Niels

On Thu, Jul 2, 2015 at 5:40 PM, Stian Thorgersen <stian at redhat.com> wrote:

> Keycloak has an endpoint to verify token. URL is:
>
>   /auth/realms/<realm>/protocol/openid-connect/validate
>
> It takes a single query_param 'access_token'. If token is valid the
> response will be the token as json document, otherwise it'll return an
> error.
>
> ----- Original Message -----
> > From: "Niels Bertram" <nielsbne at gmail.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 29 June, 2015 5:30:51 PM
> > Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token
> introspection    url
> >
> > Hi there,
> >
> > I am trying to configure a server side (RP) client which requires a JWT
> > introspection URL on the OP. I tried to find such endpoint on the
> KeyCloak
> > server without avail neither did I actually find any url of type
> > "introspect" in the OpenID Connect Specification.
> >
> > Does anyone know if/how a OAuth2 client can validate a JWT token via a
> back
> > channel with the KeyCloak server?
> >
> > The client I am trying to configure is the MITREid client as per
> >
> https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config
> >
> > Looking at the code, the client will issue a post to the introspection
> > endpoint with some form data:
> >
> > POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
> > Host: localhost:8080
> > Cache-Control: no-cache
> > Content-Type: application/x-www-form-urlencoded
> >
> > client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[trunkated but
> > valid access token]
> >
> > Any pointers are much appreciated.
> >
> > Kind Regards,
> > Niels
> >
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150703/e27fca09/attachment.html 


More information about the keycloak-user mailing list