KEYCLOAK-19184

Requesting Party Token introspection does not work with Protection API Access Token


Details

    • Type: Bug
    • Status: Triage
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 15.0.2
    • Fix Version/s: None
    • Component/s: Authorization Services
    • Labels: None
    Steps to Reproduce:

      1. Acquire a Protection API Access Token (PAT).
      2. Acquire a Requesting Party Token (RPT).
      3. Attempt to introspect the RPT via the token introspection endpoint, using the PAT as a Bearer token for authentication.

      For example:

      curl -X POST \
          -H "Authorization: Bearer ${PAT}" \
          -H "Content-Type: application/x-www-form-urlencoded" \
          -d "token_type_hint=requesting_party_token&token=${RPT}" \
          "http://localhost:8080/auth/realms/hello-world-authz/protocol/openid-connect/token/introspect"

      (The -d value is in double quotes so that ${RPT} is expanded by the shell; in single quotes it would be sent literally.)

    Description

      A Requesting Party Token (RPT) can be introspected using the regular OIDC token introspection endpoint with HTTP Basic authentication, as demonstrated in the Authorization Services Guide.

      However, Federated Authorization for User-Managed Access (UMA) 2.0 specifies that a Protection API Access Token (PAT, Bearer token with scope uma_protection) is used for this. Attempting to use a PAT for introspecting an RPT yields:

      10:21:20,489 WARN  [org.keycloak.events] (default task-5) type=INTROSPECT_TOKEN_ERROR, realmId=realm, clientId=null, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_request, detail='Authentication failed.'
      

      Attached are DEBUG logs from Keycloak 14.0, but I have confirmed that this is still an issue in Keycloak 15.0.2.

      There seems to be a related feature request KEYCLOAK-2293 to allow token introspection with bearer tokens, but that has been closed and this issue is specifically for compatibility with UMA 2.0 Federation.
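      The three reproduction steps above as one runnable script. This is an added example, not code from the report or from Keycloak: it obtains a PAT with the client_credentials grant, obtains an RPT with the UMA grant, and then introspects the RPT twice, once with HTTP Basic client authentication (the mode the Authorization Services Guide documents) and once with the PAT as a Bearer token (the mode the issue says fails), printing how Keycloak answers each. The realm and endpoint paths are taken from the curl example; the client id "my-resource-server", its secret, and the shortcut of letting the resource server's own service account act as requesting party are assumptions and can be overridden through environment variables.

```python
"""
Reproduction for KEYCLOAK-19184 (added example, not from the report or Keycloak):
introspect an RPT with HTTP Basic client auth and with the PAT as a Bearer token.
Assumptions: realm "hello-world-authz" from the curl example; a hypothetical
confidential resource-server client "my-resource-server" with a secret; its
service account is allowed to obtain an RPT for itself. Override via env vars.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = os.environ.get("KEYCLOAK_URL", "http://localhost:8080/auth")
REALM = os.environ.get("KEYCLOAK_REALM", "hello-world-authz")
CLIENT_ID = os.environ.get("RS_CLIENT_ID", "my-resource-server")  # hypothetical client
CLIENT_SECRET = os.environ.get("RS_CLIENT_SECRET", "replace-me")  # hypothetical secret
FORM = "application/x-www-form-urlencoded"


def endpoint(path):
    """OIDC endpoint under the realm, e.g. endpoint("token/introspect")."""
    return f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/{path}"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication, the mode the guide documents for introspection."""
    creds = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def introspection_request(rpt, auth_header):
    """Build the RPT introspection request; only the Authorization header differs between modes."""
    body = urllib.parse.urlencode(
        {"token_type_hint": "requesting_party_token", "token": rpt}).encode()
    headers = {"Authorization": auth_header, "Content-Type": FORM}
    return endpoint("token/introspect"), headers, body


def outcome(status, payload):
    """Summarise an introspection response: 'active', 'inactive', or the error code returned."""
    if status == 200:
        return "active" if payload.get("active") else "inactive"
    return payload.get("error", f"http_{status}")


def post_form(url, headers, body):
    """POST a form body and return (status, parsed JSON body), also for 4xx/5xx responses."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        raw = err.read().decode()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"raw": raw}


def get_pat():
    """PAT: client_credentials grant of the resource-server client (scope uma_protection)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    headers = {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET), "Content-Type": FORM}
    status, payload = post_form(endpoint("token"), headers, body)
    if status != 200:
        raise SystemExit(f"PAT request failed: {status} {payload}")
    return payload["access_token"]


def get_rpt(requesting_party_token):
    """RPT: UMA grant with 'audience' and no permission ticket asks for all permissions the caller has."""
    body = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": CLIENT_ID,
    }).encode()
    headers = {"Authorization": f"Bearer {requesting_party_token}", "Content-Type": FORM}
    status, payload = post_form(endpoint("token"), headers, body)
    if status != 200:
        raise SystemExit(f"RPT request failed: {status} {payload}")
    return payload["access_token"]


def main():
    pat = get_pat()
    rpt = get_rpt(pat)  # shortcut (assumption): the service account acts as requesting party
    for label, auth in (("Basic client auth", basic_auth_header(CLIENT_ID, CLIENT_SECRET)),
                        ("Bearer PAT", f"Bearer {pat}")):
        status, payload = post_form(*introspection_request(rpt, auth))
        print(f"{label:18} -> HTTP {status}: {outcome(status, payload)}")


if __name__ == "__main__":
    main()
```

      Run it against a realm where the assumed client exists (export RS_CLIENT_ID and RS_CLIENT_SECRET); the first line should report the RPT as active, and the second line shows whatever the server returns for the Bearer PAT attempt, which on the affected versions is the invalid_request error logged in the description.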

          People

            Assignee: Unassigned
            Reporter: Tiit Pikma (thsnr, Inactive)