[keycloak-user] OAuth2 token introspection requires an active session?

Stian Thorgersen sthorger at redhat.com
Wed May 3 09:47:36 EDT 2017


Marek - isn't the offline session recovered at startup so there will be an
active session for offline tokens as well right?

On 2 May 2017 at 14:23, Marek Posolda <mposolda at redhat.com> wrote:

> Yes. I've just changed link kind "Caused by" to "related to" .
>
> Thanks!
> Marek
>
> On 02/05/17 13:33, Iván Perdomo wrote:
> > Hi Marek,
> >
> > I created the issue and link it to the one you mentioned (not completely
> > sure if the link is correct).
> >
> > https://issues.jboss.org/browse/KEYCLOAK-4829
> >
> > Thanks,
> >
> > On 05/02/2017 12:34 PM, Marek Posolda wrote:
> >> This looks like a bug. Could you please create JIRA with the info you
> >> mentioned here? Please also link your new JIRA with
> >> https://issues.jboss.org/browse/KEYCLOAK-4521, which is quite similar
> >> issue.
> >>
> >> Marek
> >>
> >> On 28/04/17 09:51, Iván Perdomo wrote:
> >>> Hi all,
> >>>
> >>> We're trying to use offline access [1] to retrieve access_tokens on
> >>> behalf of the user and access a protected resource in a long running
> >>> process.
> >>>
> >>> This protected resource checks the validity of the access_token using
> >>> the OAuth2 token introspection.
> >>>
> >>> In our tests we found that the introspection flag "active" true|false
> >>> depends on having an active session in the server. Which seems to
> defeat
> >>> the purpose of the offline access capabilities.
> >>>
> >>> I have tested with versions 2.5.5.Final and 3.0.0.Final and the
> behavior
> >>> is the same.
> >>>
> >>> * Get an offline token via direct grants
> >>> * Get an access_token using the offline_token
> >>> * We have an active session
> >>> * Use the token introspection for the access_token and get the expected
> >>> result: active=true
> >>> * Wait for SSO Idle timeout (so the session expires)
> >>> * Get a new access_token using the "stored" offline_token
> >>> * Use the token introspection with the new access_token. Keycloak
> >>> returns active=false because we don't have a session. But the
> >>> access_token is valid, and not expired.
> >>>
> >>> The following code repository has an isolated test case of this
> scenario:
> >>>
> >>> https://github.com/iperdomo/keycloak-oauth2-instrospection
> >>>
> >>> The described steps are in this script:
> >>>
> >>> https://github.com/iperdomo/keycloak-oauth2-
> instrospection/blob/master/test.sh
> >>>
> >>>
> >>> I tried to look for logged issues regarding token introspection and
> >>> didn't found anything related to this problem.
> >>>
> >>> Is this a bug or an expected behavior?
> >>>
> >>> [1]
> >>> https://keycloak.gitbooks.io/documentation/server_admin/
> topics/sessions/offline.html
> >>>
> >>>
> >>> Thanks for your support.
> >>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list