# general
Not sure if you know this, but `active: false` means any number of things can be off IMO:
- the token itself
- client ID
- client secret
- scopes?

It gives no specific error. The Keycloak error might even suggest Basic auth being wrong here. I recommend you double check everything. Maybe you can remove scopes at first to get it working as well. Basically it should respond with something like
```json
{
  "active": true,
...
  "aud": "90241daf...",
  "sub": "3c95ed...",
  "exp": 166...,
  "iat": 1665...,
  "iss": "htt...",
  "client_id": "90241daf..."
}
```
OK, will take a look.
Thank you for your response... I was confused because when I call the curl command from the command line the response is a 200 with that payload response,
but if Oathkeeper calls it then it's a straight 401.
I turned off fine-grained authorization in Keycloak and got this as the response....
```json
{
  "exp": 1666213458,
  "iat": 1666211658,
  "jti": "6f26e6b4-d8f3-409d-9ed1-2f9487f2d4a9",
  "iss": "http://keycloak-http.keycloak:80/auth/realms/testrealm",
  "aud": [
    "testclient",
    "account"
  ],
  "sub": "2c51554d-5fa6-42bc-886e-b569a07f14fd",
  "typ": "Bearer",
  "azp": "testclient",
  "session_state": "fe2238ce-a47d-4fea-9b4d-e24c330a362f",
  "name": "Test User",
  "given_name": "Test",
  "family_name": "User",
  "preferred_username": "testuser",
  "email": "test@gmail.com",
  "email_verified": true,
  "acr": "1",
  "allowed-origins": [
    "*"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "testrole",
      "default-roles-testrealm"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "testclientscope email profile",
  "sid": "fe2238ce-a47d-4fea-9b4d-e24c330a362f",
  "client_id": "testclient",
  "username": "testuser",
  "active": true
}
```
Then, on calling the Oathkeeper endpoint...
Oathkeeper gets a 401 for this curl command. I refactored the Oathkeeper Go code to get the curl command that is the same as the Golang code https://github.com/ory/oathkeeper/blob/f96f2bee4f4636d3e2a0feded0c444078f97a237/pipeline/authn/authenticator_oauth2_introspection.go#L210
```shell
curl -X 'POST' -d 'client_id=testclient&scope=profile+email&token=SOMEACCESS_TOKEN' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Token_type_hint: requesting_party_token' 'http://keycloak-http.keycloak:80/auth/realms/testrealm/protocol/openid-connect/token/introspect'
```
When I take the command that I have added in the Oathkeeper logs and execute it, it returns fine...
So I'm not sure why Keycloak is throwing a 401 for the Go code running via Oathkeeper, while for the equivalent curl command Keycloak is sending a 200.