[keycloak-user] token introspection
Simon Payne
simonpayne58 at gmail.com
Thu Aug 10 05:11:53 EDT 2017
do we have token introspection implemented in any of the client adapters
(other than spring boot)?
thanks
On Wed, Aug 9, 2017 at 9:50 AM, Simon Payne <simonpayne58 at gmail.com> wrote:
> thanks Pedro,
>
> however, i think our use cases are not exactly the same. it appears your
> component is set to allow authentication of user where mine is bearer only.
>
> the only other differences i can see between our projects is that i am
> running gradle with keycloak 3.2.0 and that i have also added compile(
> 'org.keycloak:keycloak-authz-client:3.2.0.CR1')
>
> Lucian, i don't have a project which i can share at the moment as other
> code is included, if you would still like to see something i can make a
> shareable version.
>
> Thanks
>
>
> On Tue, Aug 8, 2017 at 8:57 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hey Lucian, we have this https://github.com/keycloak/ke
>> ycloak-quickstarts/tree/latest/app-authz-springboot.
>>
>> On Tue, Aug 8, 2017 at 1:17 PM, Lucian Ochian <okianl at yahoo.com> wrote:
>>
>>> Simon,
>>> Do you have a demo app with that? I am just curious to see a
>>> spring(boot) app with authorizations...I remember that I tried something
>>> with authorizations, and the authorization context was null(I know there
>>> are some Jira issues about it), but I still could not get it to work in
>>> 2.5.5
>>> AuthorizationContext authzContext =
>>> keycloakSecurityContext.getAuthorizationContext();
>>> Thanks,Lucian
>>>
>>> On Tuesday, August 8, 2017, 10:25:35 AM CDT, Simon Payne <
>>> simonpayne58 at gmail.com> wrote:
>>>
>>> yes correct.
>>>
>>> there is a definite change in behavior with the addition of the
>>> keycloak.policy-enforcer-config.online-introspection=true flag, as
>>> without
>>> this single line in my property file it works correctly as a bearer only
>>> resource server. Addition of this line results in the incorrect call to
>>> token exchange endpoint.
>>>
>>> thanks
>>>
>>>
>>> On Tue, Aug 8, 2017 at 3:28 PM, Bill Burke <bburke at redhat.com> wrote:
>>>
>>> > Doesn't look like the switch is hooked up to anything. As it is, it
>>> > looks like this switch was added for RPT validation, not access token
>>> > validation, and not ever implemented. You just want the adapter to
>>> > validate the access token with the auth server for bearer token
>>> > requests, right?
>>> >
>>> >
>>> > On 8/8/17 9:29 AM, Bill Burke wrote:
>>> > > I'm looking at the code on server and I dont' see that it requires
>>> any
>>> > > special switch to use it. The endpoint is:
>>> > >
>>> > > @Post
>>> > >
>>> > > /auth/realms/{realm}/protocol/openid-connect/token/introspect
>>> > >
>>> > > Takes form params.
>>> > >
>>> > > token
>>> > >
>>> > > token_type_hint (optional and defaults to "access_token")
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > On 8/8/17 4:31 AM, Simon Payne wrote:
>>> > >> after some debugging i figured that
>>> > >> keycloak.policy-enforcer-config.online-introspection=true switched
>>> on
>>> > this
>>> > >> functionality, however it appears to error on a 400 after making a
>>> call
>>> > to
>>> > >> the /auth/realms/master/protocol/openid-connect/token endpoint.
>>> > >>
>>> > >> I'm assuming this is a bug?
>>> > >>
>>> > >> Thanks
>>> > >>
>>> > >>
>>> > >>
>>> > >> On Mon, Aug 7, 2017 at 3:10 PM, Simon Payne <simonpayne58 at gmail.com
>>> >
>>> > wrote:
>>> > >>
>>> > >>> Hi All,
>>> > >>>
>>> > >>> I'm evaluating keycloak and i'm currently looking at token
>>> > introspection.
>>> > >>>
>>> > >>> I've managed to achieve this manually, i.e. by sending a post via
>>> > postman,
>>> > >>> but i'm unable to figure out whether this can be achieved via the
>>> > keycloak
>>> > >>> adapters, specifically spring boot.
>>> > >>>
>>> > >>> any help in this area would be appreciated.
>>> > >>>
>>> > >>> thanks
>>> > >>>
>>> > >>> Simon.
>>> > >>>
>>> > >> _______________________________________________
>>> > >> keycloak-user mailing list
>>> > >> keycloak-user at lists.jboss.org
>>> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > > _______________________________________________
>>> > > keycloak-user mailing list
>>> > > keycloak-user at lists.jboss.org
>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
More information about the keycloak-user
mailing list