[keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url

Stian Thorgersen stian at redhat.com
Fri Jul 3 02:46:23 EDT 2015



----- Original Message -----
> From: "Niels Bertram" <nielsbne at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 3 July, 2015 5:19:27 AM
> Subject: Re: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
> 
> Thanks Stian, got it to work.
> 
> Strangely enough this validation endpoint is not returned in the keycloak
> response on /auth/realms/[realm]/.well-known/openid-configuration . Also I
> tried to find any standard reference in the OpenID Connect 1.0
> specification and there is no mention of this mechanism. So I assume it's
> not a standard OpenID method, right?

As far as I know you're right, there's no standard endpoint for verifying the token. Not sure it makes sense for us to add non-standard endpoints to the openid-configuration endpoint.

It's long overdue, but we do plan to provide some better docs with regards to OpenID Connect, including the "extensions" we've added.

> 
> Kind Regards,
> Niels
> 
> On Thu, Jul 2, 2015 at 5:40 PM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > Keycloak has an endpoint to verify a token. URL is:
> >
> >   /auth/realms/<realm>/protocol/openid-connect/validate
> >
> > It takes a single query_param 'access_token'. If the token is valid the
> > response will be the token as a JSON document, otherwise it'll return an
> > error.
> >
> > ----- Original Message -----
> > > From: "Niels Bertram" <nielsbne at gmail.com>
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Monday, 29 June, 2015 5:30:51 PM
> > > Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection url
> > >
> > > Hi there,
> > >
> > > I am trying to configure a server side (RP) client which requires a JWT
> > > introspection URL on the OP. I tried to find such an endpoint on the
> > > KeyCloak server to no avail; neither did I actually find any URL of type
> > > "introspect" in the OpenID Connect Specification.
> > >
> > > Does anyone know if/how an OAuth2 client can validate a JWT token via a
> > > back channel with the KeyCloak server?
> > >
> > > The client I am trying to configure is the MITREid client as per
> > > https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config
> > >
> > > Looking at the code, the client will issue a post to the introspection
> > > endpoint with some form data:
> > >
> > > POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
> > > Host: localhost:8080
> > > Cache-Control: no-cache
> > > Content-Type: application/x-www-form-urlencoded
> > >
> > > client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[truncated but valid access token]
> > >
> > > Any pointers are much appreciated.
> > >
> > > Kind Regards,
> > > Niels
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 
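
An added example, not part of the thread and not Keycloak or MITREid code: a resource-server helper that calls the validate endpoint quoted above with the `access_token` query parameter, URL-encodes the token, refuses non-TLS base URLs because the token travels in the URL, and re-checks issuer and expiry locally. Assumptions: the error case is a non-200 status, the returned JSON carries the standard `iss` and `exp` claims, and the host name, `fake_fetch` stub and sample claims are constructed for the example.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

def validate_url(base_url, realm, token):
    """Build the validate URL from the thread; realm and token are URL-encoded."""
    path = "/auth/realms/%s/protocol/openid-connect/validate" % urllib.parse.quote(realm, safe="")
    return base_url.rstrip("/") + path + "?" + urllib.parse.urlencode({"access_token": token})

def http_get(url, timeout=5):
    """Default transport: return (status, body) instead of raising on HTTP errors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def check_token(base_url, realm, token, issuer, fetch=http_get, now=None):
    """Return the claims if the server and the local checks accept the token, else None."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("token is sent in the query string; use an https:// base URL")
    status, body = fetch(validate_url(base_url, realm, token))
    if status != 200:  # assumption: an invalid token yields a non-200 status
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    # Assumption: the returned document carries the standard JWT claims iss and exp.
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

# Constructed stand-in for the server so the example runs offline (not real Keycloak output).
ISSUER = "https://sso.example.test/auth/realms/myrealm"
def fake_fetch(url):
    token = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["access_token"][0]
    if token == "good+token/=":
        return 200, json.dumps({"iss": ISSUER, "exp": 2000, "sub": "u1"}).encode()
    return 400, b'{"error":"invalid_token"}'

if __name__ == "__main__":
    print(check_token("https://sso.example.test", "myrealm", "good+token/=", ISSUER, fake_fetch, now=1000))
```

Because the token is a query parameter, it can end up in access logs and proxy logs on the path to the server, so those logs need the same handling as credentials.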

