[keycloak-user] token introspection
Pedro Igor Silva
psilva at redhat.com
Tue Aug 8 15:57:50 EDT 2017
Hey Lucian, we have this
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot
.
On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian <okianl at yahoo.com> wrote:
> Simon,
> Do you have a demo app with that? I am just curious to see a spring(boot)
> app with authorizations...I remember that I tried something with
> authorizations, and the authorization context was null(I know there are
> some Jira issues about it), but I still could not get it to work in 2.5.5
> AuthorizationContext authzContext =
> keycloakSecurityContext.getAuthorizationContext();
> Thanks,Lucian
>
> On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne <
> simonpayne58 at gmail.com> wrote:
>
> yes correct.
>
> there is a definite change in behavior with the addition of the
> keycloak.policy-enforcer-config.online-introspection=true flag, as
> without
> this single line in my property file it works correctly as a bearer only
> resource server. Addition of this line results in the incorrect call to
> token exchange endpoint.
>
> thanks
>
>
> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke at redhat.com> wrote:
>
> > Doesn't look like the switch is hooked up to anything. As it is, it
> > looks like this switch was added for RPT validation, not access token
> > validation, and not ever implemented. You just want the adapter to
> > validate the access token with the auth server for bearer token
> > requests, right?
> >
> >
> > On 8/8/17 9:29 AM, Bill Burke wrote:
> > > I'm looking at the code on server and I dont' see that it requires any
> > > special switch to use it. The endpoint is:
> > >
> > > @Post
> > >
> > > /auth/realms/{realm}/protocol/openid-connect/token/introspect
> > >
> > > Takes form params.
> > >
> > > token
> > >
> > > token_type_hint (optional and defaults to "access_token")
> > >
> > >
> > >
> > >
> > >
> > > On 8/8/17 4:31 AM, Simon Payne wrote:
> > >> after some debugging i figured that
> > >> keycloak.policy-enforcer-config.online-introspection=true switched on
> > this
> > >> functionality, however it appears to error on a 400 after making a
> call
> > to
> > >> the /auth/realms/master/protocol/openid-connect/token endpoint.
> > >>
> > >> I'm assuming this is a bug?
> > >>
> > >> Thanks
> > >>
> > >>
> > >>
> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com>
> > wrote:
> > >>
> > >>> Hi All,
> > >>>
> > >>> I'm evaluating keycloak and i'm currently looking at token
> > introspection.
> > >>>
> > >>> I've managed to achieve this manually, i.e. by sending a post via
> > postman,
> > >>> but i'm unable to figure out whether this can be achieved via the
> > keycloak
> > >>> adapters, specifically spring boot.
> > >>>
> > >>> any help in this area would be appreciated.
> > >>>
> > >>> thanks
> > >>>
> > >>> Simon.
> > >>>
> > >> _______________________________________________
> > >> keycloak-user mailing list
> > >> keycloak-user at lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list