[keycloak-user] OAuth2 token introspection requires an active session?

Iván Perdomo ivan at akvo.org
Tue May 2 07:33:20 EDT 2017


Hi Marek,

I created the issue and linked it to the one you mentioned (not completely
sure if the link is correct).

https://issues.jboss.org/browse/KEYCLOAK-4829

Thanks,

On 05/02/2017 12:34 PM, Marek Posolda wrote:
> This looks like a bug. Could you please create JIRA with the info you
> mentioned here? Please also link your new JIRA with
> https://issues.jboss.org/browse/KEYCLOAK-4521, which is a quite similar
> issue.
> 
> Marek
> 
> On 28/04/17 09:51, Iván Perdomo wrote:
>> Hi all,
>>
>> We're trying to use offline access [1] to retrieve access_tokens on
>> behalf of the user and access a protected resource in a long running
>> process.
>>
>> This protected resource checks the validity of the access_token using
>> the OAuth2 token introspection.
>>
>> In our tests we found that the introspection flag "active" true|false
>> depends on having an active session in the server, which seems to defeat
>> the purpose of the offline access capabilities.
>>
>> I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior
>> is the same.
>>
>> * Get an offline token via direct grants
>> * Get an access_token using the offline_token
>> * We have an active session
>> * Use the token introspection for the access_token and get the expected
>> result: active=true
>> * Wait for SSO Idle timeout (so the session expires)
>> * Get a new access_token using the "stored" offline_token
>> * Use the token introspection with the new access_token. Keycloak
>> returns active=false because we don't have a session. But the
>> access_token is valid, and not expired.
>>
>> The following code repository has an isolated test case of this scenario:
>>
>> https://github.com/iperdomo/keycloak-oauth2-instrospection
>>
>> The described steps are in this script:
>>
>> https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh
>>
>>
>> I tried to look for logged issues regarding token introspection and
>> didn't find anything related to this problem.
>>
>> Is this a bug or an expected behavior?
>>
>> [1]
>> https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html
>>
>>
>> Thanks for your support.
>>
> 

-- 
Iván
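The sequence from the original post, as an added example that is not from the thread or from Keycloak's own code: the three calls a long-running process makes against Keycloak's token and introspection endpoints, with the HTTP layer injected so the same driver can run against a real server or against a constructed stand-in that models the behaviour reported above. The base URL, realm, client and user names are assumptions.

```python
# Assumed deployment values (placeholders, not from the thread).
BASE, REALM = "http://localhost:8080/auth", "demo"
CLIENT, SECRET = "resource-client", "client-secret"
TOKEN_URL = f"{BASE}/realms/{REALM}/protocol/openid-connect/token"

def get_offline_token(post, username, password):
    """Step 1: direct grant with scope=offline_access; the refresh_token it
    returns is the offline token the long-running process stores."""
    body = post(TOKEN_URL, {"grant_type": "password", "client_id": CLIENT, "client_secret": SECRET,
                            "username": username, "password": password, "scope": "offline_access"})
    return body["refresh_token"]

def refresh_access_token(post, offline_token):
    """Steps 2 and 6: exchange the stored offline token for a fresh access_token."""
    body = post(TOKEN_URL, {"grant_type": "refresh_token", "client_id": CLIENT,
                            "client_secret": SECRET, "refresh_token": offline_token})
    return body["access_token"]

def introspect(post, access_token):
    """Steps 4 and 7: RFC 7662 introspection as the resource server does it; returns 'active'."""
    body = post(TOKEN_URL + "/introspect",
                {"client_id": CLIENT, "client_secret": SECRET, "token": access_token})
    return body["active"]

def reproduce(post, wait_for_idle_timeout, username="alice", password="secret"):
    """Runs the posted sequence; returns (active before idle timeout, active after)."""
    offline = get_offline_token(post, username, password)
    before = introspect(post, refresh_access_token(post, offline))
    wait_for_idle_timeout()  # step 5: let the SSO session idle out
    after = introspect(post, refresh_access_token(post, offline))
    return before, after

class FakeKeycloak:
    """Constructed stand-in for the reported behaviour: the offline token keeps
    refreshing, but introspection answers active=false once the session is gone."""
    def __init__(self):
        self.session_alive, self.issued = True, set()
    def post(self, url, form):
        if url.endswith("/introspect"):
            return {"active": self.session_alive and form["token"] in self.issued}
        if form["grant_type"] == "password":
            return {"access_token": "ignored", "refresh_token": "offline-rt"}
        tok = f"access-{len(self.issued)}"  # a fresh, unexpired access token
        self.issued.add(tok)
        return {"access_token": tok}
    def idle_out(self):
        self.session_alive = False
```

Against a real server, pass a `post(url, form)` callable that form-POSTs and returns the decoded JSON body, and a wait longer than the realm's SSO Session Idle timeout; with the stand-in, `reproduce(kc.post, kc.idle_out)` yields `(True, False)` for a token that is still unexpired.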


