[keycloak-user] Token Validation Endpoint

Stian Thorgersen sthorger at redhat.com
Thu Apr 21 03:51:48 EDT 2016


BTW, access tokens have a short lifespan by default (only 1 minute), so it should
be more than sufficient to just check the signature of the token.

On 20 April 2016 at 18:50, Brian Watson <watson409 at gmail.com> wrote:

> Confirmed! Thank you all so much for the help!
>
> On Wed, Apr 20, 2016 at 12:38 PM, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> Hello,
>>
>> after having looked at the tests:
>> https://github.com/keycloak/keycloak/blob/d9f82affb0ca36b066b2b1396e953ae126c349e0/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java#L228
>>
>> ... I think you need to use basic authentication with client credentials
>> for the token introspection endpoint.
>>
>> here is a small example (bash; jq (JSON query) is required):
>>
>> KC_REALM=your-realm
>> KC_USERNAME=a-realm-user
>> KC_PASSWORD=a-realm-user-password
>> KC_CLIENT=a-test-client
>> KC_CLIENT_SECRET=a-test-client-credential
>> KC_SERVER=192.168.99.100:8080
>> KC_CONTEXT=auth
>>
>> # Request tokens for the user credentials (password grant, authenticated as the client)
>> KC_RESPONSE=$( \
>>    curl -k -v -X POST \
>>         -H "Content-Type: application/x-www-form-urlencoded" \
>>         -d "username=$KC_USERNAME" \
>>         -d "password=$KC_PASSWORD" \
>>         -d 'grant_type=password' \
>>         -d "client_id=$KC_CLIENT" \
>>         -d "client_secret=$KC_CLIENT_SECRET" \
>>         "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
>>     | jq .
>> )
>>
>> KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)
>> KC_ID_TOKEN=$(echo "$KC_RESPONSE" | jq -r .id_token)
>> KC_REFRESH_TOKEN=$(echo "$KC_RESPONSE" | jq -r .refresh_token)
>>
>> # Show all Keycloak env variables
>> set | grep '^KC_'
>>
>> # Introspect the Keycloak access token: the client authenticates with
>> # HTTP Basic (client_id:client_secret); the token to check goes in the form body
>> curl -k -v \
>>      -X POST \
>>      -u "$KC_CLIENT:$KC_CLIENT_SECRET" \
>>      -d "token=$KC_ACCESS_TOKEN" \
>>    "http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect" \
>> | jq .
>>
>> gives me:
>>
>> {
>>   "jti": "xxxx",
>>   "exp": 1461170489,
>>   "nbf": 0,
>>   "iat": 1461170189,
>>   "iss": "http://xxxxx/auth/realms/eurodata-test",
>>   "aud": "test-client",
>>   "sub": "xxxxx",
>>   "typ": "Bearer",
>>   "azp": "test-client",
>>   "session_state": "xxxx",
>>   "name": "Theo Tester",
>>   "given_name": "Theo",
>>   "family_name": "Tester",
>>   "preferred_username": "xxx",
>>   "email": "tester at localhost",
>>   "client_session": "xxxx",
>>   "allowed-origins": [],
>>   "resource_access": {
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "client_id": "test-client",
>>   "username": "xxx",
>>   "active": true
>> }
>>
>> HTH
>>
>> Cheers,
>> Thomas
>>
>> 2016-04-20 17:39 GMT+02:00 Brian Watson <watson409 at gmail.com>:
>>
>>> Thank you all for the quick responses. However, I am having an issue
>>> with that endpoint, and am assuming I am doing something wrong :)
>>>
>>> I am making the request with a Bearer authorization header containing
>>> the token of a client that has the admin role in its service account. I am
>>> testing that the client token is valid via the following curl call:
>>>
>>> curl -s -X GET -H "Authorization: Bearer $_CLIENT_TOKEN" \
>>>    'http://localhost-docker:8080/auth/admin/realms/master/users'
>>>
>>> However, when I make the following curl request for token introspection:
>>>
>>> curl -v -X POST -H "Authorization: Bearer $_CLIENT_TOKEN" --data "token=$_INTROSPECT_TOKEN" \
>>>    'http://localhost-docker:8080/auth/realms/master/protocol/openid-connect/token/introspect'
>>>
>>> ... I get the following response:
>>>
>>> > HTTP/1.1 401 Unauthorized
>>> > Connection: keep-alive
>>> > X-Powered-By: Undertow/1
>>> > Server: WildFly/10
>>> > Content-Type: application/json
>>> > Content-Length: 72
>>> > Date: Wed, 20 Apr 2016 15:33:57 GMT
>>> >
>>> > {"error_description":"Authentication failed.","error":"invalid_request"}
>>>
>>> ... and the following console error output:
>>>
>>> > 2016-04-20 15:21:45,787 ERROR [org.keycloak.services]
>>> (default task-13) KC-SERVICES0014: Failed client authentication:
>>> org.keycloak.authentication.AuthenticationFlowException: Client was not
>>> identified by any client authenticator
>>> >    at
>>> org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:101)
>>> >    at
>>> org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:673)
>>> >    at
>>> org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:42)
>>> >        ...
>>> > 2016-04-20 15:21:45,791 WARN  [org.keycloak.events] (default task-13)
>>> type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null,
>>> ipAddress=192.168.99.1, error=invalid_client_credentials
>>> > 2016-04-20 15:21:45,792 WARN  [org.keycloak.events] (default task-13)
>>> type=INTROSPECT_TOKEN_ERROR, realmId=master, clientId=null, userId=null,
>>> ipAddress=192.168.99.1, error=invalid_request, detail='Authentication
>>> failed.'
>>>
>>> Is there another method I should be using to authenticate the client for
>>> this request? Is there something else that you see that I am doing wrong?
>>>
>>>
>>> On Wed, Apr 20, 2016 at 10:13 AM, Thomas Darimont <
>>> thomas.darimont at googlemail.com> wrote:
>>>
>>>> :)
>>>>
>>>> 2016-04-20 16:07 GMT+02:00 Juraci Paixão Kröhling <juraci at kroehling.de>
>>>> :
>>>>
>>>>> On 20.04.2016 15:53, Brian Watson wrote:
>>>>> > Is there an endpoint I can call with a token that will tell me if the
>>>>> > token is still valid? Is there another way I should be performing this
>>>>> > check?
>>>>>
>>>>> Make a POST sending "token" as request parameter to
>>>>> /realms/{realm}/protocols/openid-connect/token/introspect
>>>>>
>>>>> - Juca.
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
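The request shape the thread converged on (the confidential client authenticates with HTTP Basic, the token to check goes in the form body, never in a Bearer header) together with the exp/nbf re-check a caller should still apply to the introspection result, as an added Python example. This is not Thomas's script or Keycloak code; it uses only the standard library, and the server, realm, client values and the trimmed sample response are constructed placeholders.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def build_introspection_request(server, context, realm, client_id, client_secret, token):
    """Build the POST for /realms/{realm}/protocol/openid-connect/token/introspect.
    Client auth is HTTP Basic over client_id:client_secret; the token is a form field."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": f"http://{server}/{context}/realms/{realm}/protocol/openid-connect/token/introspect",
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urllib.parse.urlencode({"token": token}).encode(),
    }


def introspect(server, context, realm, client_id, client_secret, token):
    """Send the request and return the parsed JSON (network call; not run offline).
    An HTTP 401 here means the *client* failed to authenticate (the error Brian hit),
    not that the token is invalid: an invalid token still yields 200 {"active": false}."""
    req = build_introspection_request(server, context, realm, client_id, client_secret, token)
    http_req = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    with urllib.request.urlopen(http_req) as resp:
        return json.load(resp)


def token_is_active(introspection, now=None, leeway=0):
    """True only if the server says active AND the time claims hold right now.
    'active' is checked first because an inactive answer carries no other claims."""
    if not introspection.get("active", False):
        return False
    now = int(time.time()) if now is None else now
    exp = introspection.get("exp")
    nbf = introspection.get("nbf", 0)
    if exp is not None and now >= exp + leeway:   # expired
        return False
    if now + leeway < nbf:                        # not yet valid
        return False
    return True


# Constructed sample, trimmed from the response pasted above (jti etc. are placeholders).
SAMPLE_RESPONSE = {"jti": "xxxx", "exp": 1461170489, "nbf": 0, "iat": 1461170189,
                   "aud": "test-client", "typ": "Bearer", "client_id": "test-client", "active": True}
```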