[keycloak-user] token introspection

Simon Payne simonpayne58 at gmail.com
Wed Aug 9 04:50:31 EDT 2017


thanks Pedro,

however, i think our use cases are not exactly the same.  it appears your
component is set to allow authentication of user where mine is bearer only.

the only other differences i can see between our projects is that i am
running gradle with keycloak 3.2.0 and that i have also added
compile('org.keycloak:keycloak-authz-client:3.2.0.CR1')

Lucian, i don't have a project which i can share at the moment as other
code is included, if you would still like to see something i can make a
shareable version.

Thanks


On Tue, Aug 8, 2017 at 8:57 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Hey Lucian, we have this
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot.
>
> On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian <okianl at yahoo.com> wrote:
>
>> Simon,
>> Do you have a demo app with that? I am just curious to see a spring(boot)
>> app with authorizations... I remember that I tried something with
>> authorizations, and the authorization context was null (I know there are
>> some Jira issues about it), but I still could not get it to work in 2.5.5
>> AuthorizationContext authzContext =
>>         keycloakSecurityContext.getAuthorizationContext();
>> Thanks, Lucian
>>
>> On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne <
>> simonpayne58 at gmail.com> wrote:
>>
>> yes correct.
>>
>> there is a definite change in behavior with the addition of the
>> keycloak.policy-enforcer-config.online-introspection=true flag, as without
>> this single line in my property file it works correctly as a bearer only
>> resource server.  Addition of this line results in the incorrect call to
>> token exchange endpoint.
>>
>> thanks
>>
>>
>> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke at redhat.com> wrote:
>>
>> > Doesn't look like the switch is hooked up to anything.  As it is, it
>> > looks like this switch was added for RPT validation, not access token
>> > validation, and not ever implemented.  You just want the adapter to
>> > validate the access token with the auth server for bearer token
>> > requests, right?
>> >
>> >
>> > On 8/8/17 9:29 AM, Bill Burke wrote:
>> > > I'm looking at the code on server and I don't see that it requires any
>> > > special switch to use it.  The endpoint is:
>> > >
>> > > @Post
>> > >
>> > > /auth/realms/{realm}/protocol/openid-connect/token/introspect
>> > >
>> > > Takes form params.
>> > >
>> > > token
>> > >
>> > > token_type_hint (optional and defaults to "access_token")
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > On 8/8/17 4:31 AM, Simon Payne wrote:
>> > >> after some debugging i figured that
>> > >> keycloak.policy-enforcer-config.online-introspection=true switched on this
>> > >> functionality, however it appears to error on a 400 after making a call to
>> > >> the /auth/realms/master/protocol/openid-connect/token endpoint.
>> > >>
>> > >> I'm assuming this is a bug?
>> > >>
>> > >> Thanks
>> > >>
>> > >>
>> > >>
>> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com> wrote:
>> > >>
>> > >>> Hi All,
>> > >>>
>> > >>> I'm evaluating keycloak and i'm currently looking at token introspection.
>> > >>>
>> > >>> I've managed to achieve this manually, i.e. by sending a post via postman,
>> > >>> but i'm unable to figure out whether this can be achieved via the keycloak
>> > >>> adapters, specifically spring boot.
>> > >>>
>> > >>> any help in this area would be appreciated.
>> > >>>
>> > >>> thanks
>> > >>>
>> > >>> Simon.
>> > >>>
>> > >> _______________________________________________
>> > >> keycloak-user mailing list
>> > >> keycloak-user at lists.jboss.org
>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
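
The introspection call described in the quoted thread (form POST with `token` and `token_type_hint` to `/auth/realms/{realm}/protocol/openid-connect/token/introspect`), written out as an added example; it is not code from the thread, the Keycloak adapters or the quickstarts. Assumptions: the function names, the host `sso.example.test`, realm `demo`, the client id and secret, HTTP Basic client authentication, and the resource server's choice to require `exp` and a matching `aud` in the reply.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

def build_introspection_request(base_url, realm, client_id, client_secret, token):
    """Build (not send) the form POST to the realm's introspection endpoint."""
    url = (f"{base_url}/auth/realms/{urllib.parse.quote(realm, safe='')}"
           "/protocol/openid-connect/token/introspect")
    form = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    # Assumption: the resource server authenticates as a confidential client via HTTP Basic.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(url, data=form.encode(), method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}"})

def token_is_acceptable(response_body, expected_audience, now=None):
    """Decide from an RFC 7662 response; anything unexpected is a rejection."""
    try:
        claims = json.loads(response_body)
    except (TypeError, ValueError):
        return False
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return False
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    return expected_audience in audiences

def introspect(request, expected_audience, timeout=5):
    """Send the request; network errors and non-2xx replies reject the token."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return token_is_acceptable(resp.read(), expected_audience)
    except OSError:  # URLError and HTTPError are OSError subclasses
        return False

if __name__ == "__main__":
    # Constructed values: host, realm, client and token are placeholders.
    req = build_introspection_request("https://sso.example.test", "demo",
                                      "resource-server", "s3cret", "abc.def.ghi")
    print(req.get_method(), req.full_url, req.data.decode())
    sample = '{"active": true, "exp": 2000000000, "aud": ["resource-server"]}'
    print(token_is_acceptable(sample, "resource-server", now=1500000000))
```

The path differs from the `/protocol/openid-connect/token` endpoint named in the 400 report only by the trailing `/introspect`, so logging `req.full_url` on the resource server shows which of the two is being called.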

