[keycloak-user] token introspection

Bill Burke bburke at redhat.com
Tue Aug 8 13:48:49 EDT 2017


It works because our bearer tokens are JWS signed JWTs whose signature 
and issuer are validated by the adapter itself using the realm's public key.


On 8/8/17 11:10 AM, Simon Payne wrote:
> Yes, correct.
>
> there is a definite change in behavior with the addition of the
> keycloak.policy-enforcer-config.online-introspection=true  flag, as without
> this single line in my property file it works correctly as a bearer only
> resource server.  Addition of this line results in the incorrect call to
> token exchange endpoint.
>
> thanks
>
>
> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke at redhat.com> wrote:
>
>> Doesn't look like the switch is hooked up to anything.  As it is, it
>> looks like this switch was added for RPT validation, not access token
>> validation, and not ever implemented.  You just want the adapter to
>> validate the access token with the auth server for bearer token
>> requests, right?
>>
>>
>> On 8/8/17 9:29 AM, Bill Burke wrote:
>>> I'm looking at the code on server and I don't see that it requires any
>>> special switch to use it.  The endpoint is:
>>>
>>> @Post
>>>
>>> /auth/realms/{realm}/protocol/openid-connect/token/introspect
>>>
>>> Takes form params.
>>>
>>> token
>>>
>>> token_type_hint (optional and defaults to "access_token")
>>>
>>>
>>>
>>>
>>>
>>> On 8/8/17 4:31 AM, Simon Payne wrote:
>>>> After some debugging I figured that
>>>> keycloak.policy-enforcer-config.online-introspection=true switched on this
>>>> functionality, however it appears to error on a 400 after making a call to
>>>> the /auth/realms/master/protocol/openid-connect/token endpoint.
>>>>
>>>> I'm assuming this is a bug?
>>>>
>>>> Thanks
>>>>
>>>>
>>>>
>>>> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com> wrote:
>>>>> Hi All,
>>>>>
>>>>> I'm evaluating keycloak and I'm currently looking at token introspection.
>>>>> I've managed to achieve this manually, i.e. by sending a post via postman,
>>>>> but I'm unable to figure out whether this can be achieved via the keycloak
>>>>> adapters, specifically spring boot.
>>>>>
>>>>> Any help in this area would be appreciated.
>>>>>
>>>>> thanks
>>>>>
>>>>> Simon.
>>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
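The introspection call Bill describes above (a POST of the form params token and token_type_hint to /auth/realms/{realm}/protocol/openid-connect/token/introspect), as an added Python example that is not part of this thread or of the Keycloak adapters. It assumes the caller is a confidential client authenticating with HTTP Basic client_id/client_secret; the host, realm and credential values are placeholders, and the response interpretation follows RFC 7662 (reject anything that is not active, from a foreign issuer, or past exp).

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Endpoint layout quoted in the thread; realm is filled in per call.
INTROSPECT_PATH = "/auth/realms/{realm}/protocol/openid-connect/token/introspect"


def build_introspection_request(base_url, realm, token, client_id, client_secret,
                                token_type_hint="access_token"):
    """Return (url, headers, body) for the introspection POST.

    Assumption: Keycloak authenticates the calling confidential client with
    HTTP Basic client_id:client_secret. Note the URL ends in /token/introspect,
    not /token, which is the endpoint the misrouted adapter call hit.
    """
    url = base_url.rstrip("/") + INTROSPECT_PATH.format(realm=realm)
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"token": token, "token_type_hint": token_type_hint})
    return url, headers, body.encode()


def evaluate_introspection(response_json, expected_issuer, now=None):
    """Decide whether a bearer token may be accepted from the introspection reply.

    Returns (accepted, reason). An HTTP 200 alone proves nothing: the server
    answers {"active": false} for revoked, expired or unknown tokens, and a
    resource server must also pin the issuer it trusts.
    """
    now = time.time() if now is None else now
    data = json.loads(response_json)
    if data.get("active") is not True:
        return False, "token not active"
    if data.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    if "exp" in data and data["exp"] <= now:
        return False, "token expired"
    return True, "ok"


def introspect(base_url, realm, token, client_id, client_secret):
    """Perform the call and evaluate it (network; not exercised offline)."""
    url, headers, body = build_introspection_request(base_url, realm, token, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:  # placeholder server
        issuer = f"{base_url.rstrip('/')}/auth/realms/{realm}"
        return evaluate_introspection(resp.read().decode(), issuer)
```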


