[keycloak-user] Use refresh token for authentication

Marek Posolda mposolda at redhat.com
Wed Sep 16 11:06:57 EDT 2015


On 16/09/15 16:32, Marek Posolda wrote:
> On 16/09/15 12:25, Sebastian Olscher wrote:
>>
>> Hello guys,
>>
>> we're using the "Direct Grant Access" flow described in chapter 15 
>> of the Keycloak user documentation. As we understood, the following 
>> steps are necessary:
>>
>> 1.: Do the token request with "username/password" and 
>> "grant_type=password" to the token server (Keycloak).
>>
>> 2.: The token response from Keycloak contains an "access_token" and a 
>> "refresh_token".
>>
>> 3.: Normally, the client uses the "access_token" within the 
>> HTTP header (Authorization: Bearer **access_token**) to do the 
>> authentication.
>>
>> Everything works as expected. We have found that you can also use the 
>> "refresh_token" instead of the "access_token" in step 3 to do the 
>> authentication and it will still be successful. From our point of 
>> view, this is possible because the keycloak-wildfly-security-module 
>> does not check the token type. But, from our understanding, the 
>> "refresh_token" is not intended to do the authentication, so this 
>> should not work, right? So my two questions are:
>>
>> 1.: Why is the authentication with the "refresh_token" successful?
>>
> Looks like a bug. Could you please create a JIRA? Ideally we can fill 
> the "type" field for AccessToken as "ACCESS" and then in RSATokenVerifier 
> allow just type "ACCESS". Refresh token has type "REFRESH" so it 
> won't be allowed anymore, similarly the offline token, which I am adding 
> right now.
Maybe an even better type for access tokens should be "Bearer".

Marek
>>
>> 2.: The "refresh_token" in the token response is defined as an 
>> optional element within the OAuth 2.0 specification, so is there any 
>> possibility to prevent Keycloak from returning it?
>>
> Right now, we always return it. But when the JIRA is fixed, it's not a 
> problem, as the refresh token can't be used for authentication anymore, 
> just for the refresh.
>
> Marek
>>
>> Thanks,
>>
>> Sebastian
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

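Added example (not Keycloak code and not from either poster): a stand-alone model of the three steps Sebastian lists and of the fix Marek proposes. It mints an access token and a refresh token from a simulated grant_type=password token endpoint, then shows a resource-server check that validates only signature and expiry (accepting the refresh token, as observed) next to one that also requires the token type. Assumptions: HS256 with a shared secret instead of Keycloak's RS256 so it runs on the standard library only; a payload claim named "typ" holding "Bearer" for access tokens and "Refresh" for refresh tokens, following the naming in the thread rather than any verified Keycloak output; a constructed user store and issuer URL.

```python
"""Direct-grant flow plus the token-type check from the thread (added example).

Not Keycloak code. HS256/shared secret replaces Keycloak's RS256 so this runs
on the standard library. Claim name "typ" with values "Bearer"/"Refresh" is
assumed from the thread; inspect the tokens your realm issues before relying on it.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"   # constructed, demo only
ACCESS_LIFETIME = 300                                  # seconds
REFRESH_LIFETIME = 1800
ISSUER = "http://localhost:8080/auth/realms/demo"     # assumed realm URL

# Constructed user store (username -> password). A real IdP hashes these.
USERS = {"alice": "correct horse battery staple"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims: dict) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_endpoint(form: dict, now=None):
    """Steps 1 and 2: grant_type=password in, access and refresh token out."""
    now = int(time.time() if now is None else now)
    if form.get("grant_type") != "password":
        return None
    if USERS.get(form.get("username")) != form.get("password"):
        return None
    base = {"iss": ISSUER, "sub": form["username"], "iat": now}
    access = dict(base, typ="Bearer", exp=now + ACCESS_LIFETIME)
    refresh = dict(base, typ="Refresh", exp=now + REFRESH_LIFETIME)
    return {"access_token": _sign(access), "refresh_token": _sign(refresh),
            "token_type": "bearer", "expires_in": ACCESS_LIFETIME}


def verify(token: str, now=None, required_typ=None):
    """Signature and expiry check; optionally also require a specific "typ" claim.
    Returns the claims on success, None on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    if required_typ is not None and claims.get("typ") != required_typ:
        return None
    return claims


def _bearer_from_header(authorization: str):
    scheme, _, value = authorization.partition(" ")
    return value if scheme.lower() == "bearer" and value else None


def authenticate_before_fix(authorization: str, now=None):
    """Step 3 as Sebastian observed it: any validly signed, unexpired token in
    the Authorization header is accepted, refresh tokens included."""
    tok = _bearer_from_header(authorization)
    return None if tok is None else verify(tok, now)


def authenticate_after_fix(authorization: str, now=None):
    """Same check with the type test Marek proposes: only typ == "Bearer" passes."""
    tok = _bearer_from_header(authorization)
    return None if tok is None else verify(tok, now, required_typ="Bearer")


if __name__ == "__main__":
    resp = token_endpoint({"grant_type": "password", "username": "alice",
                           "password": USERS["alice"]})
    for name in ("access_token", "refresh_token"):
        hdr = "Bearer " + resp[name]
        print(name, "before fix:", authenticate_before_fix(hdr) is not None,
              "after fix:", authenticate_after_fix(hdr) is not None)
```

The point of the second question in the thread shows up here too: the client cannot stop the endpoint from returning the refresh token, so the only effective control is the one in the verifier, which must refuse any token whose type is not the access-token type, however valid its signature and expiry are.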