[keycloak-user] Token introspection

Stian Thorgersen sthorger at redhat.com
Fri Dec 2 01:07:47 EST 2016


Yes, but the client doing the token introspection needs to be a confidential
client.

On 22 November 2016 at 14:11, venito camelas <robotirlandes at gmail.com>
wrote:

> Is it possible to have an app making token introspection requests for
> tokens not issued for it? I'll try to explain:
>
> Keycloak issues tokens to be used in a specific Resource server, the RS
> then validates the token (self contained info or token introspection
> endpoint). The situation is something like this:
>
>           1                     3
>     ---------------  KK---------------
>    |                                     |
>    |                   2                |
> Client ----------------------------- RS
>
> 1 - Client gets token to use with RS
> 2 - Client uses token to make a request to RS
> 3 - RS makes a token introspection request
>
>
> Now, I want to add a router in the middle. I'd like the router to make the
> token introspection request (with the token issued for the RS) and then
> allow the request to go to the RS if everything is ok:
>
>
>           1
>     ---------------  KK---------------
>    |                   |                 |
>    |                 3|                 |
>    |          2       |         4      |
> Client ---------Router---------- RS
>
> 1 - Client gets token to use with RS
> 2 - Client uses token to make a request to RS
> 3 - Router intercepts the request and validates token (expiration and stuff
> like that)
> 4 - If validation is ok, the router allows the request to go to the RS, the
> RS then validates scopes and specific stuff.
>
>
> Thank you
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
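To make the answer concrete: the router in the second diagram is itself a client of Keycloak and has to authenticate to the introspection endpoint with its own credentials, which only a confidential client has. The following is an added example written for this thread, not code from the original post and not Keycloak's own code. It builds the RFC 7662 introspection request a confidential client sends (HTTP Basic with client_id:client_secret, token in the form body) and implements the router's coarse check from step 3 (active flag, expiry, audience), leaving scopes to the RS in step 4. The base URL, realm "demo", client id "router", its secret, and the sample responses are assumptions; the HTTP call is isolated in `send()` so the decision logic runs offline against a constructed response.

```python
"""Router-side token introspection for the setup described in the thread.

Assumptions (not from the original post): the router is registered in
Keycloak as a confidential client "router" with secret "router-secret",
the realm is "demo", and the server runs at https://sso.example.test.
"""
import base64
import json
import time
import urllib.parse
import urllib.request


def introspection_url(base_url, realm):
    # Standard Keycloak path; 2016-era servers sit under a "/auth" prefix,
    # so pass that in base_url when targeting one.
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token/introspect"


def build_request(base_url, realm, client_id, client_secret, token):
    """Build the introspection request a confidential client sends.

    The router authenticates with HTTP Basic (client_id:client_secret);
    the token being checked goes in the x-www-form-urlencoded body.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}
    ).encode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return introspection_url(base_url, realm), headers, body


def send(url, headers, body):
    """Real transport: POST to Keycloak and parse the JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def router_decision(intro, expected_audience, now=None):
    """Step 3 of the second diagram: the router's generic checks only.

    Scope and resource-specific rules are left to the RS (step 4).
    Returns (allowed, reason).
    """
    now = time.time() if now is None else now
    # Keycloak answers HTTP 200 with {"active": false} for unknown, revoked
    # or expired tokens, so the flag, not the status code, is the signal.
    if not intro.get("active"):
        return False, "token not active"
    exp = intro.get("exp")
    if exp is None or exp <= now:
        return False, "token expired"
    aud = intro.get("aud", [])
    if isinstance(aud, str):  # a single audience may be a bare string
        aud = [aud]
    if expected_audience not in aud:
        return False, "token not issued for this resource server"
    return True, "ok"


def check_token(token, expected_audience, base_url="https://sso.example.test",
                realm="demo", client_id="router", client_secret="router-secret",
                transport=send):
    """End-to-end router check; `transport` is swappable for offline use."""
    url, headers, body = build_request(base_url, realm, client_id, client_secret, token)
    return router_decision(transport(url, headers, body), expected_audience)


# Constructed introspection responses, shaped like Keycloak's, for offline runs.
SAMPLE_ACTIVE = {"active": True, "exp": 4102444800, "aud": ["rs"],
                 "scope": "openid read", "client_id": "client"}
SAMPLE_INACTIVE = {"active": False}

if __name__ == "__main__":
    print(check_token("dummy", "rs", transport=lambda *a: SAMPLE_ACTIVE))
    print(check_token("dummy", "rs", transport=lambda *a: SAMPLE_INACTIVE))
```

Two caveats for anyone wiring this in: the `aud` check only works if the tokens actually carry the RS as an audience (in Keycloak that depends on how the realm's client and audience mappers are set up, so verify it against a real token before relying on it), and introspecting on every request adds a round trip to Keycloak per call, which is the price of being able to see revocation that a purely self-contained JWT check cannot.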