[keycloak-user] token introspection

Simon Payne simonpayne58 at gmail.com
Tue Aug 8 11:10:39 EDT 2017


yes correct.

there is a definite change in behavior with the addition of the
keycloak.policy-enforcer-config.online-introspection=true  flag, as without
this single line in my property file it works correctly as a bearer only
resource server.  Addition of this line results in the incorrect call to
token exchange endpoint.

thanks


On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke at redhat.com> wrote:

> Doesn't look like the switch is hooked up to anything.  As it is, it
> looks like this switch was added for RPT validation, not access token
> validation, and not ever implemented.  You just want the adapter to
> validate the access token with the auth server for bearer token
> requests, right?
>
>
> On 8/8/17 9:29 AM, Bill Burke wrote:
> > I'm looking at the code on server and I don't see that it requires any
> > special switch to use it.  The endpoint is:
> >
> > @Post
> >
> > /auth/realms/{realm}/protocol/openid-connect/token/introspect
> >
> > Takes form params.
> >
> > token
> >
> > token_type_hint (optional and defaults to "access_token")
> >
> >
> >
> >
> >
> > On 8/8/17 4:31 AM, Simon Payne wrote:
> >> after some debugging i figured that
> >> keycloak.policy-enforcer-config.online-introspection=true switched on this
> >> functionality, however it appears to error on a 400 after making a call to
> >> the /auth/realms/master/protocol/openid-connect/token endpoint.
> >>
> >> I'm assuming this is a bug?
> >>
> >> Thanks
> >>
> >>
> >>
> >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com> wrote:
> >>
> >>> Hi All,
> >>>
> >>> I'm evaluating keycloak and i'm currently looking at token introspection.
> >>>
> >>> I've managed to achieve this manually, i.e. by sending a post via postman,
> >>> but i'm unable to figure out whether this can be achieved via the keycloak
> >>> adapters, specifically spring boot.
> >>>
> >>> any help in this area would be appreciated.
> >>>
> >>> thanks
> >>>
> >>> Simon.
> >>>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
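
An added example (not part of the thread and not Keycloak adapter code) of a resource server calling the introspection endpoint quoted above with the `token` and `token_type_hint` form params, and treating anything other than `"active": true` as invalid. The helper names are hypothetical, and authenticating the caller with HTTP Basic client credentials is an assumption.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_introspection_request(base_url, realm, token, client_id, client_secret):
    """Build the POST to .../token/introspect with the form params from the thread."""
    url = "%s/auth/realms/%s/protocol/openid-connect/token/introspect" % (
        base_url.rstrip("/"), urllib.parse.quote(realm, safe=""))
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode("ascii")
    # Assumption: the caller is a confidential client authenticating with HTTP Basic.
    basic = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })


def parse_introspection(raw):
    """Return the claims dict for an active token, else None (fail closed)."""
    try:
        claims = json.loads(raw)
    except (ValueError, TypeError):
        return None  # not JSON (e.g. an HTML error page): reject
    # Require the JSON boolean true; a missing field or the string "true" is rejected.
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return None
    return claims


def introspect(request, timeout=5):
    """Send the request; any transport or HTTP error (such as a 400) means 'not valid'."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return parse_introspection(resp.read())
    except OSError:  # URLError and HTTPError are OSError subclasses
        return None
```

A bearer-only service would call `introspect(build_introspection_request(...))` per request and return 401 whenever the result is `None`.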

