[keycloak-user] OAuth2 token introspection requires an active session?
Iván Perdomo
ivan at akvo.org
Fri Apr 28 03:51:53 EDT 2017
Hi all,
We're trying to use offline access [1] to retrieve access_tokens on
behalf of the user and access a protected resource in a long running
process.
This protected resource checks the validity of the access_token using
the OAuth2 token introspection.
In our tests we found that the introspection flag "active" true|false
depends on having an active session in the server. Which seems to defeat
the purpose of the offline access capabilities.
I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior
is the same.
* Get an offline token via direct grants
* Get an access_token using the offline_token
* We have an active session
* Use the token introspection for the access_token and get the expected
result: active=true
* Wait for SSO Idle timeout (so the session expires)
* Get a new access_token using the "stored" offline_token
* Use the token introspection with the new access_token. Keycloak
returns active=false because we don't have a session. But the
access_token is valid, and not expired.
The following code repository has an isolated test case of this scenario:
https://github.com/iperdomo/keycloak-oauth2-instrospection
The described steps are in this script:
https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh
I tried to look for logged issues regarding token introspection and
didn't found anything related to this problem.
Is this a bug or an expected behavior?
[1]
https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html
Thanks for your support.
--
Iván
More information about the keycloak-user
mailing list