[keycloak-user] [EXTERNAL] Re: Token validation in keycloak in oauth with direct access.

Stian Thorgersen stian at redhat.com
Mon Mar 2 22:42:39 EST 2015



----- Original Message -----
> From: "Kevin Chen" <Peng.Chen at halliburton.com>
> To: "Marek Posolda" <mposolda at redhat.com>, "Emil Posmyk" <emil.posmyk at gmail.com>, keycloak-user at lists.jboss.org
> Sent: Monday, 2 March, 2015 11:09:46 PM
> Subject: Re: [keycloak-user] [EXTERNAL] Re: Token validation in keycloak in oauth with direct access.
> 
> 
> 
> I had another question about the refresh token, when I forward it, it did not
> contain all the claims the access token has.

The refresh token should only be used to refresh the access token, so there's no need to have those claims there.

> 
> 
> 
> For example, my application is configured to provide all the claims and it
> will use preferred_username. If I use the refresh token, the username is not
> the preferred username, it is the GUID. But when I forward the same access
> token, then it is OK. When I decode the refresh token, all the claim fields
> are null.
> 
> 
> 
> Thanks
> 
> Kevin
> 
> 
> 
> 
> From: keycloak-user-bounces at lists.jboss.org
> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Monday, March 02, 2015 1:39 PM
> To: Emil Posmyk; keycloak-user at lists.jboss.org
> Subject: [EXTERNAL] Re: [keycloak-user] Token validation in keycloak in oauth
> with direct access.
> 
> 
> 
> 
> 
> Hi,
> 
> when you send a directAccess grant request it returns you an accessToken and a
> refreshToken. The access token is valid for a short period of time (like 5 minutes,
> as you mentioned) and you can then refresh it with the refreshToken to get new
> tokens.
> 
> When you're sending a request from the "client webservice" to the "other webservice",
> you can attach the token to the request in an HTTP header like "Authorization:
> Bearer your-access-token-is-here". Then the "other webservice" can be protected
> directly by our adapter and specified as a "bearer only" client, or you can
> use RSATokenVerifier if you want to validate the token manually in your
> application (in case you use adapters, they will do it for you).
> 
> See our demo example application for more details.
> 
> Marek
> 
> On 27.2.2015 21:47, Emil Posmyk wrote:
> 
> 
> 
> 
> 
> Hello all
> 
> 
> I'm trying to validate a token downloaded earlier (downloaded via an OAuth
> application with direct access) and I found RSATokenVerifier. It's working,
> but this is only JSON validation and it is not checking the same token from the user
> session which exists in memory.
> 
> 
> Is it possible to use the same token and check it against the one existing in the user session
> (without clustering)? I want to use the same token several times (for
> example the same token for 5 minutes). The token is sent from the client webservice to
> another webservice and the last ws has to check the token which is sent from the first
> webservice (it must make sure that the token is correct - the same).
> 
> 
> I have doubts because I saw that whenever I try to authenticate with direct
> access the token is new, but not over 5 minutes.
> 
> 
> 
> 
> 
> regards
> 
> 
> --
> 
> 
> Emil Posmyk
> 
> 
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
> 
> 
> 
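The check Marek describes above (the receiving web service validating the value of the "Authorization: Bearer ..." header against the realm key), as an added example that is not part of this thread and is not Keycloak's own RSATokenVerifier. It is a minimal RS256 verifier in Go plus a stand-in "realm" that mints both token kinds, so it runs offline. Assumptions not in the thread: the realm key pair is generated in-process (a real bearer-only service loads only the realm public key, which the adapter does for you), the issuer URL is made up, and the typ values "Bearer" for access tokens and "Refresh" for refresh tokens follow current Keycloak behaviour. It also covers the situation Kevin ran into: a refresh token forwarded in place of the access token carries a valid signature but different claims, and a verifier should reject it outright rather than act on the claims it does have.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the token body this verifier checks. Assumption
// (current Keycloak behaviour, not stated in the thread): access tokens carry
// "typ":"Bearer" and refresh tokens "typ":"Refresh".
type Claims struct {
	Typ               string `json:"typ"`
	Iss               string `json:"iss"`
	Sub               string `json:"sub"`
	Exp               int64  `json:"exp"`
	PreferredUsername string `json:"preferred_username,omitempty"`
}

// Realm stands in for the Keycloak realm (signing key plus issuer URL). A
// real bearer-only service never holds the private key, only the public half.
type Realm struct {
	key    *rsa.PrivateKey
	Issuer string
}

func NewRealm(issuer string) (*Realm, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Realm{key: k, Issuer: issuer}, nil
}

func (r *Realm) PublicKey() *rsa.PublicKey { return &r.key.PublicKey }

var enc = base64.RawURLEncoding

// sign produces a compact RS256 JWS over base64url(header).base64url(body).
func (r *Realm) sign(c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, r.key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// IssueAccess mints the short-lived (5 minute) access token carrying user claims.
func (r *Realm) IssueAccess(sub, username string, now time.Time) (string, error) {
	return r.sign(Claims{Typ: "Bearer", Iss: r.Issuer, Sub: sub,
		Exp: now.Add(5 * time.Minute).Unix(), PreferredUsername: username})
}

// IssueRefresh mints the refresh token: longer-lived, no user claims, and a
// different typ so it cannot be passed off as an access token.
func (r *Realm) IssueRefresh(sub string, now time.Time) (string, error) {
	return r.sign(Claims{Typ: "Refresh", Iss: r.Issuer, Sub: sub,
		Exp: now.Add(30 * time.Minute).Unix()})
}

// Verify is what the receiving web service does with the value from
// "Authorization: Bearer ...": check the signature against the realm public
// key first, then the claims. Any failure rejects the request.
func Verify(pub *rsa.PublicKey, token, issuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := enc.DecodeString(parts[0])
	bodyJSON, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url in token")
	}
	// The header is attacker-controlled: pin the algorithm so "none" or an
	// HMAC alg (with the public key as the secret) is never honoured.
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify against the realm key")
	}
	var c Claims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return nil, err
	}
	// The case from the thread: a refresh token forwarded in place of the
	// access token has a valid signature but is not an access token.
	if c.Typ != "Bearer" {
		return nil, fmt.Errorf("not an access token (typ=%q)", c.Typ)
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

Verify is ordered so that nothing from the body is trusted until the signature has been checked with the pinned algorithm; only then are typ, iss and exp compared. This is also why Emil's concern about checking the token against an in-memory session does not arise: a signed token that verifies against the realm public key and is not yet expired is valid on its own, and reusing it for its lifetime (the 5 minutes Marek mentions) is the intended use.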

