Introspection Endpoint of KeyCloak server
I am trying to explore the features of the Keycloak server and want to get information about an access token by using the /openid-connect/token/introspect endpoint.

So I am sending the following request to this endpoint:

curl -v --data "token_type_hint=access_token&client_id=product-app&username=user&token=MY_ACCESS_TOKEN" \
  http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/token/introspect

This is what I get as a response:

{"error":"invalid_request","error_description":"Client not allowed."}
* Connection #0 to host localhost left intact

and this is what I see in Keycloak's logs:

12:00:18,045 WARN  [org.keycloak.events] (default task-13) type=INTROSPECT_TOKEN_ERROR, realmId=springdemo, clientId=product-app, userId=null, ipAddress=127.0.0.1, error=invalid_request, detail='Client not allowed.', client_auth_method=client-secret

So I don't get it: how should I properly make a request to Keycloak in this case, given that product-app has public access? Please explain!

Sweated asked 2/7, 2018 at 9:16

It seems like you are not able to use the /openid-connect/token/introspect endpoint when your client has the public access type.

So, switch to the CONFIDENTIAL access type and use

curl -v --data "client_secret=YOUR_SECRET&client_id=product-app&username=user&token=YOUR_TOKEN" \
  http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/token/introspect

It works fine.

Sweated answered 2/7, 2018 at 10:55
Is it possible to access the introspect endpoint from the front-end app client? Using fetch, it gives me this error: Access to fetch at 'localhost:8180/auth/realms/backoffice/protocol/openid-connect/…' from origin 'localhost:8080' has been blocked by CORS policy: ..., set the request's mode to 'no-cors' to fetch the resource with CORS disabled. - Adjacency

So did you then also end up putting YOUR_SECRET in the product-app? I am dealing with a similar situation where I actually need the public access type for my SPA, but still want to introspect tokens in the backend... - Romanticize

@Adjacency Did you find a solution to the CORS issue? I am stuck with the same. - Ineludible

This answer is very useful! I want to do the same; however, I have a public client. Is there no way to do this against a public client? Maybe create an admin user and provide those credentials as basic auth? - Aragonite

@Adjacency Add the origin of the frontend app, e.g. localhost:8080, in the client settings in the Keycloak admin console. The list of origins specified are the allowed origins for which you won't get a CORS error. - Vespucci

The Keycloak JS client only allows public clients (see link below), so setting the client to the confidential access type is not an option. Does anyone have an answer for when you want to use the Keycloak JS client, and then need to use introspect to protect the backend API? keycloak.discourse.group/t/… - Fieldpiece
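The answer shows that introspection succeeds once the caller is a confidential client, and the comments ask how to keep the SPA public while still introspecting in the backend. The usual pattern is to leave the browser client (product-app) public and give the backend its own confidential client, whose secret never leaves the server; the backend then introspects tokens issued to the SPA. The Python below is an added example, not code from the question, the answer or the Keycloak project. Everything beyond the page's realm name and URL is an assumption: the backend client id product-api and its secret, the policy that only tokens issued to product-app (the azp claim) are accepted, and the sample responses in the main block, which are constructed so the file runs offline. Keycloak 17 and later (Quarkus distribution) drop the /auth path prefix that the 2018 URLs on this page use.

```python
"""Introspect a Keycloak access token from a backend and decide whether to trust it."""
import json
import time
from typing import Any, Mapping, Optional, Tuple
from urllib import error, parse, request

# Hypothetical deployment values (not from the page); adjust to your realm.
KEYCLOAK_BASE = "http://localhost:8080/auth"  # Keycloak 17+ (Quarkus) uses no "/auth" prefix
REALM = "springdemo"
BACKEND_CLIENT_ID = "product-api"            # assumed confidential client owned by the backend
BACKEND_CLIENT_SECRET = "replace-me"         # lives only on the server, never in the SPA
ALLOWED_AZP = {"product-app"}                # public SPA client whose tokens the backend accepts


def introspection_url(base: str = KEYCLOAK_BASE, realm: str = REALM) -> str:
    """RFC 7662 introspection endpoint for a Keycloak realm."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token/introspect"


def introspect(token: str, *, client_id: str = BACKEND_CLIENT_ID,
               client_secret: str = BACKEND_CLIENT_SECRET,
               url: Optional[str] = None) -> dict:
    """POST the token with the backend's confidential-client credentials, as in the answer.

    The token may have been issued to a different (public) client in the same realm;
    the credentials only authenticate the caller of the introspection endpoint.
    """
    body = parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "token": token,
        "token_type_hint": "access_token",
    }).encode()
    req = request.Request(
        url or introspection_url(), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )
    try:
        with request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except error.HTTPError as exc:
        # Keycloak answers client-auth failures with a JSON error body (see the page's
        # {"error":"invalid_request",...} response); surface it instead of raising.
        return json.loads(exc.read() or b"{}")


def evaluate(resp: Mapping[str, Any], allowed_azp=ALLOWED_AZP,
             now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (trusted, reason). Anything other than an explicit active=true is a rejection."""
    now = time.time() if now is None else now
    if "error" in resp:
        # e.g. "Client not allowed." when the introspecting client is public, not confidential
        return False, f"{resp['error']}: {resp.get('error_description', '')}".strip()
    if resp.get("active") is not True:
        return False, "token inactive, revoked or unknown"
    exp = resp.get("exp")
    if exp is None or exp <= now:
        # Defence in depth: Keycloak already reports expired tokens as inactive.
        return False, "token expired"
    issued_to = resp.get("azp") or resp.get("client_id")
    if issued_to not in allowed_azp:
        # Accept only tokens the realm issued to our own SPA, not to arbitrary clients.
        return False, f"token issued to unexpected client {issued_to!r}"
    who = resp.get("preferred_username") or resp.get("sub")
    return True, f"active token for {who}"


if __name__ == "__main__":
    # Constructed responses standing in for Keycloak so this runs offline; call
    # introspect(token) against a live realm to feed evaluate() real data.
    samples = [
        {"error": "invalid_request", "error_description": "Client not allowed."},
        {"active": False},
        {"active": True, "exp": int(time.time()) + 300, "azp": "product-app",
         "preferred_username": "user"},
    ]
    for sample in samples:
        print(evaluate(sample))
```

Only evaluate()'s result should gate access: an "error" body means the backend is misconfigured (for instance still using a public client, as in the question), not that the user is unauthenticated, so log it separately from ordinary rejections.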

© 2022 - 2024 — McMap. All rights reserved.