[keycloak-user] Issue with OAuth token introspection

Jason B jason at naidmincloud.com
Thu May 11 09:35:46 EDT 2017


I see that this behavior is due to the logic implemented in the
TokenVerifier.java class
(https://github.com/keycloak/keycloak/blob/ca3691e650464816f435e361c071ff678ffe1f01/core/src/main/java/org/keycloak/TokenVerifier.java)
and in AccessTokenIntrospectionProvider.java
(https://github.com/keycloak/keycloak/blob/ca3691e650464816f435e361c071ff678ffe1f01/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java)

In the TokenVerifier class it checks whether the issuer of the access
token and the accessed realm URL are the same or not. To achieve my use case I want
to disable the "checkRealmUrl=true" flag in that class. That means
initializing the checkRealmUrl variable as "false". This will solve my issue.

But I want to understand whether I am making any compromise on the confidentiality and
integrity of the access token. I would like to hear your opinions on this.
Please let me know your thoughts.

- J

On Thu, May 11, 2017 at 3:06 AM, Jason B <jason at naidmincloud.com> wrote:

> Hello All,
>
> I am having an issue with OAuth token introspection. Our Keycloak service
> is accessible with two different host names.
>
> For example access-external.naidm.com & access-internal.naidm.com
>
> As an end user, when I obtain the OAuth token through
> access-external.naidm.com, pass it to the resource server, and the
> resource server tries to introspect the token through
> access-internal.naidm.com, token introspection fails and we
> always get {"active": false} irrespective of whether the issued token is
> valid or not.
>
> If we try to validate the OAuth token through the access-external.naidm.com
> endpoint, introspection succeeds. So we arrived at the conclusion that the
> same endpoint (with the same FQDN) needs to be used for obtaining and
> introspecting an OAuth token. Also, we noticed that tokens issued over
> HTTPS can't be validated over HTTP and vice versa. We are
> not concerned about HTTP, but we are concerned about why introspection
> is failing with different FQDN endpoints.
>
> BTW, we are using Keycloak 3.1 CR1. Any thoughts on why Keycloak is behaving
> this way? Is there any way we can change this behavior? Please share your
> thoughts on this.
>
> - J
>
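As an added illustration of the issuer check this thread discusses (example code written for this page, not Keycloak's TokenVerifier or AccessTokenIntrospectionProvider), the stub below keeps the issuer check but compares the token's iss claim against an allowlist holding both hostnames' realm URLs instead of turning the check off; the HS256 key, the realm name "demo", the "/auth/realms/..." paths and the claim values are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed: one realm reachable under the thread's two hostnames, so the
# same realm has two legitimate issuer URLs. Anything else stays untrusted.
ALLOWED_ISSUERS = {
    "https://access-external.naidm.com/auth/realms/demo",
    "https://access-internal.naidm.com/auth/realms/demo",
}
SECRET = b"constructed-demo-secret"  # HS256 key standing in for the realm key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer: str, exp: int, secret: bytes = SECRET) -> str:
    """Build a constructed HS256 JWT carrying the given iss/exp claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "exp": exp, "sub": "jason"}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def introspect(token: str, allowed_issuers=ALLOWED_ISSUERS, secret: bytes = SECRET,
               now=None) -> dict:
    """Return an introspection-style dict: {"active": False, ...} on any
    failure, {"active": True, ...} only when signature, issuer and exp pass."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return {"active": False, "reason": "malformed"}
    # Signature first: claims are only meaningful once integrity is established.
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return {"active": False, "reason": "bad signature"}
    claims = json.loads(_b64url_decode(payload))
    # Issuer must be one of the realm's known URLs; this replaces the strict
    # "issuer == URL the request arrived on" comparison without dropping it.
    if claims.get("iss") not in allowed_issuers:
        return {"active": False, "reason": "issuer not trusted"}
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        return {"active": False, "reason": "expired"}
    return {"active": True, "iss": claims["iss"], "sub": claims.get("sub")}
```

A token minted under the external hostname is then accepted when introspected via the internal one, while a token naming any other issuer is still reported inactive.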

