22

I am trying to explore the features of the Keycloak server and want to get information about an access token by using the /openid-connect/token/introspect endpoint.

So, I am sending the following request to this endpoint:

curl -v --data "token_type_hint=access_token&client_id=product-app&username=user&token=MY_ACCESS_TOKEN" \
  http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/token/introspect

So this is what I have as a response:

{"error":"invalid_request","error_description":"Client not allowed."}
* Connection #0 to host localhost left intact

and this is what I see in Keycloak's logs:

12:00:18,045 WARN  [org.keycloak.events] (default task-13) type=INTROSPECT_TOKEN_ERROR, realmId=springdemo, clientId=product-app, userId=null, ipAddress=127.0.0.1, error=invalid_request, detail='Client not allowed.', client_auth_method=client-secret

So, I can't get it: how should I properly make the request to Keycloak in this case, given that product-app has the public access type? Please explain!

Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
Alfred Moon
  • 987
  • 1
  • 10
  • 21

1 Answer

36

It seems like you are not able to use the /openid-connect/token/introspect endpoint when your client has the public access type.

So, switch to the CONFIDENTIAL access type and use:

curl -v --data "client_secret=YOUR_SECRET&client_id=product-app&username=user&token=YOUR_TOKEN" \
  http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/token/introspect

It works fine.

  • 1 · Is it possible to access the introspect endpoint from the front-app client? Using fetch, it gives me this error: _Access to fetch at 'http://localhost:8180/auth/realms/backoffice/protocol/openid-connect/token/introspect' from origin 'http://localhost:8080' has been blocked by CORS policy: ..., set the request's mode to 'no-cors' to fetch the resource with CORS disabled._ – Hector Jan 13 '21 at 19:46
  • 3 · So did you then also end up putting `YOUR_SECRET` in the `product-app`? I am dealing with a similar situation where I actually need the public access type for my SPA, but still want to introspect tokens in the backend... – Jan-Willem Gmelig Meyling Oct 25 '21 at 19:53
  • @Hector Did you find a solution to the CORS issue? I am stuck with the same. – User3250 Jun 11 '22 at 10:40
  • This answer is very useful! I want to do the same; however, I have a public client. Is there no way to do this against a public client? Maybe create an admin user and provide those credentials as basic auth? – thahgr Sep 09 '22 at 10:46
  • @Hector Add the origin of the frontend app, e.g. localhost:8080, in the client settings in the Keycloak admin console. The origins listed there are the allowed origins for which you won't get a CORS error. – Shekhar Sahu Oct 25 '22 at 12:42
  • The Keycloak JS client only allows public clients (see the link below), so setting the client to the confidential access type is not an option. Does anyone have an answer for when you want to use the Keycloak JS client and then need to use introspection to protect the backend API? https://keycloak.discourse.group/t/keycloak-js-client-and-confidential-clients/10063 – user1012131 Jan 02 '23 at 15:38
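The pattern the answer and the comments circle around, written out as an added example (it is not code from the question, the answer or any commenter): the browser or SPA keeps its public client and only obtains tokens, while the backend that protects the API calls the introspection endpoint with its own confidential client. The example assumes a Keycloak at http://localhost:8080/auth with the realm "springdemo" from the question, a hypothetical confidential client named "backend-api" whose secret is read from a BACKEND_CLIENT_SECRET environment variable, and a realm audience mapper that puts "backend-api" into the token's "aud" claim; the sample replies at the bottom are constructed, not captured. The public-client failure from the question is handled as one of the inputs, and the evaluation goes beyond the answer's curl call by also checking expiry and audience rather than only "active".

```python
"""Introspect a Keycloak access token from a backend service (added example).

Assumptions (not from the page): Keycloak at http://localhost:8080/auth,
realm "springdemo", and a separate confidential client "backend-api"
owned by the API, with its secret in BACKEND_CLIENT_SECRET. The token
under test may come from a public client such as product-app; it is the
caller of the introspection endpoint that must be confidential.
"""
import base64
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

KEYCLOAK_BASE = "http://localhost:8080/auth"  # assumed; legacy /auth prefix as in the question
REALM = "springdemo"
INTROSPECT_URL = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token/introspect"


def build_introspection_request(token: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the POST to the introspection endpoint.

    The client authenticates with HTTP Basic (client_secret_basic), which
    Keycloak accepts as an alternative to the client_secret form field used
    in the answer; the secret stays out of the form body and the URL.
    """
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        INTROSPECT_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def introspect(token: str, client_id: str, client_secret: str) -> dict:
    """Send the request and return the JSON body, error bodies included.

    A public client or a wrong secret gets a 4xx whose body looks like
    {"error": ..., "error_description": ...}; it is returned rather than
    raised so the caller sees the same message the question shows.
    """
    req = build_introspection_request(token, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode() or "{}")


def evaluate_introspection(response: dict, expected_audience: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether the API may accept the token. Returns (accepted, reason).

    RFC 7662 only guarantees "active"; the extra checks reject a live token
    issued for a different API, or one that expired since it was issued.
    """
    now = time.time() if now is None else now
    if "error" in response:
        # The question's case: the introspecting client is public.
        detail = response.get("error_description", response["error"])
        return False, f"introspection refused: {detail}"
    if response.get("active") is not True:
        return False, "token is not active (expired, revoked, or unknown)"
    exp = response.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return False, "token expired"
    aud = response.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]  # Keycloak emits a bare string when there is one audience
    if expected_audience not in aud:
        # Keycloak lists this API in "aud" only via an audience mapper (assumed
        # configured); without it every token in the realm would be accepted.
        return False, f"token not issued for {expected_audience}"
    return True, "ok"


# Constructed sample replies for offline use (not captured from a server).
SAMPLE_PUBLIC_CLIENT_REPLY = {"error": "invalid_request", "error_description": "Client not allowed."}
SAMPLE_INACTIVE_REPLY = {"active": False}
SAMPLE_ACTIVE_REPLY = {
    "active": True,
    "exp": 1700000900,
    "iat": 1700000600,
    "aud": ["backend-api", "account"],
    "azp": "product-app",
    "username": "user",
    "scope": "openid profile email",
}

if __name__ == "__main__":
    # Usage: BACKEND_CLIENT_SECRET=<secret> python introspect.py <access token>
    secret = os.environ.get("BACKEND_CLIENT_SECRET")
    if len(sys.argv) != 2 or not secret:
        sys.exit("usage: BACKEND_CLIENT_SECRET=<secret> introspect.py <token>")
    print(evaluate_introspection(introspect(sys.argv[1], "backend-api", secret), "backend-api"))
```

The secret belongs to backend-api and is only ever present on the server, so the SPA's product-app client can stay public and the CORS question from the comments does not arise: the browser never talks to the introspection endpoint at all.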