[keycloak-user] OAuth2 token introspection requires an active session?
Marek Posolda
mposolda at redhat.com
Tue May 2 08:23:45 EDT 2017
Yes. I've just changed link kind "Caused by" to "related to" .
Thanks!
Marek
On 02/05/17 13:33, Iván Perdomo wrote:
> Hi Marek,
>
> I created the issue and link it to the one you mentioned (not completely
> sure if the link is correct).
>
> https://issues.jboss.org/browse/KEYCLOAK-4829
>
> Thanks,
>
> On 05/02/2017 12:34 PM, Marek Posolda wrote:
>> This looks like a bug. Could you please create JIRA with the info you
>> mentioned here? Please also link your new JIRA with
>> https://issues.jboss.org/browse/KEYCLOAK-4521, which is quite similar
>> issue.
>>
>> Marek
>>
>> On 28/04/17 09:51, Iván Perdomo wrote:
>>> Hi all,
>>>
>>> We're trying to use offline access [1] to retrieve access_tokens on
>>> behalf of the user and access a protected resource in a long running
>>> process.
>>>
>>> This protected resource checks the validity of the access_token using
>>> the OAuth2 token introspection.
>>>
>>> In our tests we found that the introspection flag "active" true|false
>>> depends on having an active session in the server. Which seems to defeat
>>> the purpose of the offline access capabilities.
>>>
>>> I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior
>>> is the same.
>>>
>>> * Get an offline token via direct grants
>>> * Get an access_token using the offline_token
>>> * We have an active session
>>> * Use the token introspection for the access_token and get the expected
>>> result: active=true
>>> * Wait for SSO Idle timeout (so the session expires)
>>> * Get a new access_token using the "stored" offline_token
>>> * Use the token introspection with the new access_token. Keycloak
>>> returns active=false because we don't have a session. But the
>>> access_token is valid, and not expired.
>>>
>>> The following code repository has an isolated test case of this scenario:
>>>
>>> https://github.com/iperdomo/keycloak-oauth2-instrospection
>>>
>>> The described steps are in this script:
>>>
>>> https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh
>>>
>>>
>>> I tried to look for logged issues regarding token introspection and
>>> didn't found anything related to this problem.
>>>
>>> Is this a bug or an expected behavior?
>>>
>>> [1]
>>> https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html
>>>
>>>
>>> Thanks for your support.
>>>
More information about the keycloak-user
mailing list