[keycloak-user] Issue with OAuth token introspection
Jason B
jason at naidmincloud.com
Wed May 10 17:36:37 EDT 2017
Hello All,
I am having an issue with OAuth token introspection. Our Keycloak service
is accessible with two different host names.
For example access-external.naidm.com & acess-internal.naidm.com
As an end user when I am obtaining the OAuth token through
access-external.naidm.com and passing it to the resource server and
resource server trying to inspect the token through
access-internal.naidm.com token introspection is failing and we are always
getting {"active": false} irrespective of whether issued token is valid or
not.
If we try to validate the OAuth token through access-external.naimd.com
endpoint introspection is succeeding. So we arrived at a conclusion that
same endpoint (with same FQDN) need to be used for obtaining and
introspecting an OAuth token. Also, we noticed that tokens issued over
HTTPS protocol can't be validated over HTTP protocol and vice versa. We are
not concerned about HTTP but we are concerned about the why introspection
is failing with different FQDN end points.
BTW, we are using Keycloak 3.1 CR1. Any thoughts on why Keycloak behaving
this way? Is there any way we can change this behavior? Please share your
thoughts on this.
- J
More information about the keycloak-user
mailing list