[keycloak-user] OAuth token introspection

Jason B jason at naidmincloud.com
Thu Feb 9 13:40:48 EST 2017


Hi Stian,

Thanks for the response. I got the token_type issue. But when it comes to
scope I am still having questions.

According to the RFC, the scope attribute is optional, but shouldn't we
interpret it as below?

   - During the initial handshake, if the request doesn't contain the scope
   parameter, then it becomes optional in the introspection response.
   - During the initial OAuth 2.0 handshake, if the incoming request
   contains scope as a query string parameter, then it must be present in the
   introspection response with all granted scopes info.

Thanks!

On Fri, Feb 3, 2017 at 12:43 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> 1 looks like a bug and it simply has the wrong name.
>
> 2 scope is optional and we don't support this at the moment
>
> On 27 January 2017 at 05:52, Jason B <jason at naidmincloud.com> wrote:
>
>> Hi,
>>
>> I am trying to understand the OAuth 2.0 capabilities of the Keycloak server
>> and I have a few questions with respect to the implementation of the OAuth
>> introspection spec.
>>
>> This is what a sample introspection response looks like:
>>
>> {
>>   "jti": "7e0a2c4b-9725-432b-a0fd-594f21686108",
>>   "exp": 1485492229,
>>   "nbf": 0,
>>   "iat": 1485491929,
>>   "iss": "http://localhost:8080/auth/realms/nkadali",
>>   "aud": "proxy",
>>   "sub": "e89175d5-94fd-453a-8abb-9953d59d04cf",
>>   "typ": "Bearer",
>>   "azp": "proxy",
>>   "auth_time": 1485487408,
>>   "session_state": "c05ea410-6f0a-458d-9b2c-debafba732b7",
>>   "name": "",
>>   "preferred_username": "jason",
>>   "acr": "0",
>>   "client_session": "5d761332-97eb-404d-8624-3de4eca967cd",
>>   "allowed-origins": [],
>>   "realm_access": {
>>     "roles": [
>>       "uma_authorization"
>>     ]
>>   },
>>   "resource_access": {
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "client_id": "proxy",
>>   "username": "jason",
>>   "active": true
>> }
>>
>>
>> I have two questions based on this response.
>>
>>    1. According to OAuth 2.0 Token Introspection
>>    (https://tools.ietf.org/html/rfc7662) the JSON response body may
>>    contain a "token_type" member. But why is Keycloak representing
>>    "token_type" as "typ"? Is there any specific reason?
>>    2. I don't see any "scope" attribute in the response body even though I
>>    supplied the scope parameter while requesting the access token. Any
>>    idea on how to get the scopes associated with the supplied access token?
>>
>>
>> Thanks!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
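The two points raised in this thread (Keycloak naming the token type `typ` instead of RFC 7662's `token_type`, and `scope` being absent because it is OPTIONAL in the spec) are exactly the places where a resource server validating an introspection response tends to go wrong. The example below is added here and is not Keycloak's code or anything posted in the thread: it validates the sample response posted above the way a resource server should, reading `active` before any other claim, accepting either field name for the token type, checking `exp`/`nbf` and audience, and failing closed when required scopes cannot be confirmed because the `scope` member is missing. The `now` timestamp, the expected audience `proxy` and the required scope names are constructed for the example; the `introspect()` helper assumes the Keycloak endpoint path `{issuer}/protocol/openid-connect/token/introspect` with HTTP Basic client authentication and is not exercised offline.

```python
"""Resource-server side validation of an RFC 7662 introspection response,
tolerant of Keycloak's non-standard field names. Added example, not Keycloak code."""
import json
import time
import urllib.parse
import urllib.request
from base64 import b64encode

# The introspection response posted in the thread, used here as constructed input.
SAMPLE_RESPONSE = {
    "jti": "7e0a2c4b-9725-432b-a0fd-594f21686108",
    "exp": 1485492229, "nbf": 0, "iat": 1485491929,
    "iss": "http://localhost:8080/auth/realms/nkadali",
    "aud": "proxy", "sub": "e89175d5-94fd-453a-8abb-9953d59d04cf",
    "typ": "Bearer", "azp": "proxy", "auth_time": 1485487408,
    "preferred_username": "jason", "acr": "0",
    "realm_access": {"roles": ["uma_authorization"]},
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
    "client_id": "proxy", "username": "jason", "active": True,
}


class IntrospectionError(Exception):
    """Raised when the introspection response does not authorise the token."""


def token_type_of(resp):
    """Token type, lower-cased for the case-insensitive comparison RFC 6749 requires.
    Accepts RFC 7662's 'token_type' and the 'typ' name Keycloak emits (the bug
    acknowledged in the thread)."""
    value = resp.get("token_type", resp.get("typ"))
    return value.lower() if isinstance(value, str) else None


def granted_scopes(resp):
    """Granted scopes as a set. 'scope' is OPTIONAL in RFC 7662, so a missing
    member yields an empty set; the caller decides whether that is acceptable."""
    scope = resp.get("scope")
    if scope is None:
        return set()
    if isinstance(scope, list):  # some servers return a JSON array instead of a string
        return set(scope)
    return set(scope.split())


def validate_introspection(resp, *, expected_aud, required_scopes=(), now=None):
    """Return the authenticated identity if the token may be used, else raise.

    'active' is read first and is authoritative: an inactive token carries no
    claims worth trusting, so nothing else in the response is examined."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        raise IntrospectionError("token is not active")
    exp = resp.get("exp")
    if exp is not None and now >= exp:
        raise IntrospectionError("token expired")
    nbf = resp.get("nbf")
    if nbf is not None and now < nbf:
        raise IntrospectionError("token not yet valid")
    if token_type_of(resp) != "bearer":
        raise IntrospectionError("unexpected token type")
    aud = resp.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if expected_aud not in audiences:
        raise IntrospectionError("token was not issued for this resource")
    missing = set(required_scopes) - granted_scopes(resp)
    if missing:
        # With no 'scope' member at all (as in the Keycloak response above) every
        # required scope is unconfirmed; fail closed rather than assume it was granted.
        raise IntrospectionError("scopes not confirmed: " + " ".join(sorted(missing)))
    return {"sub": resp["sub"], "username": resp.get("username"),
            "scopes": granted_scopes(resp)}


def introspect(introspection_url, client_id, client_secret, token):
    """POST to the introspection endpoint with HTTP Basic client authentication
    (RFC 7662 section 2.1). Assumed Keycloak path:
    {issuer}/protocol/openid-connect/token/introspect. Network call; use HTTPS
    so the response cannot be forged on the wire."""
    body = urllib.parse.urlencode({"token": token,
                                   "token_type_hint": "access_token"}).encode()
    creds = b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(introspection_url, data=body, method="POST", headers={
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=5) as r:
        return json.load(r)


if __name__ == "__main__":
    # 'now' is constructed to fall inside the sample token's iat..exp window.
    print(validate_introspection(SAMPLE_RESPONSE, expected_aud="proxy", now=1485492000))
```

Because the sample response has no `scope` member, a resource server that requires a particular scope cannot grant access on the basis of this response alone; the fail-closed branch is what makes the thread's question operationally significant rather than cosmetic.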

