Keycloak: Validate access token and get keycloak ID

纵饮孤独 提交于 2021-02-07 13:43:33

问题


I need to be able to do the following (with plain cURL & JSON server-side- no frameworks or Java):

  1. Use a string representation of a Keycloak access token I have been given by a 3rd party to verify that the token is valid.

  2. If the token is valid, get the Keycloak ID for that user.

How do I do this using plain old HTTP posts? I've found lots of Java examples but I need to know the raw HTTP POSTs and responses underneath.

Is it something like this to validate the token?

/auth/realms/<realm>/protocols/openid-connect/validate?access_token=accesstokenhere

What does this return in terms of data (sorry I currently have no test server to interrogate)?

Thanks.


回答1:


The validate endpoint does not seem to work now. It used to return access token. I am using the keycloak 2.5.1 now. As mentioned in post by Matyas (and in the post referenced by him), had to use introspect token endpoint.

In my testing Bearer authentication did not work. Had to use Basic authentication header along with base64 encoded client credentials.

base64.encode("<client_id:client_secret>".getBytes("utf-8"))

The response from introspect endpoint is in JSON format as shared in post referenced by Maytas, has many fields based on type of token being introspected. In my case token_type_hint was set as access_token.

requestParams = "token_type_hint=access_token&token=" + accessToken

The response included required user details like username, roles and resource access. Also included OAuth mandated attributes like active, exp, iss etc. See rfc7662#page-6 for details.




回答2:


Maybe you need this: http://lists.jboss.org/pipermail/keycloak-user/2016-April/005869.html

The only one problem is that, introspect is not working with public clients.

The key url is: "http://$KC_SERVER/$KC_CONTEXT/realms/$REALM/protocol/openid-connect/token/introspect"

You need to authorize your client e.g. with basic auth, and need to give the requester token to introspect:

curl -u "client_id:client_secret" -d "token=access_token_to_introspect" "http://$KC_SERVER/$KC_CONTEXT/realms/$REALM/protocol/openid-connect/token/introspect"


来源:https://stackoverflow.com/questions/38893059/keycloak-validate-access-token-and-get-keycloak-id

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!