
I'm setting up Keycloak as an authentication server https://github.com/keycloak/keycloak/releases/download/12.0.0/keycloak-12.0.0.zip

Java 11

Documentation: https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/oidc-generic.adoc

I can generate the access_token via /realms/{realm-name}/protocol/openid-connect/token

but I cannot call the userinfo endpoint /realms/{realm-name}/protocol/openid-connect/userinfo using a valid access_token which I get from the first API.

POST http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token

 {
     client_secret: ...,
     grant_type: ...,
     client_id: ...,
 }

response

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOE...",
    "expires_in": 3600,
    "refresh_expires_in": 0,
    "token_type": "Bearer",
    "not-before-policy": 0,
    "scope": "create"
}

But here is the result when I call the get user info API

GET http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/userinfo

Header: Authorization: Bearer ${access_token}

[screenshot of the failing response not recoverable]

Are there any suggestions?

Thank you

Postman test: [screenshots not recoverable]

The Keycloak server's log is the same.

Keycloak bug: I think this is an issue in KC 12.0. When I use KC 11.0.3, the above APIs work fine: https://github.com/keycloak/keycloak-community/issues/224

The Jira story:

https://issues.redhat.com/browse/KEYCLOAK-17217

Yep, it was a regression added with 12.0.0. I have tested with different versions as well and it only fails with 12.0.x – dreamcrash Jan 30 '21 at 10:51

1 Answer

Make sure you are calling the endpoint as follows.

First getting the token:

curl -d "client_id=$YOUR_CLIENT_ID" \
     -d "client_secret=$YOUR_CLIENT_SECRET" \
     -d "grant_type=client_credentials" \
     http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token

Extract from the JSON response the access_token field (e.g., jq -r .access_token)

Then call the userinfo as follows:

curl -X GET http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/userinfo \
                -H "Content-Type: application/json" \
                -H "Authorization: Bearer $ACCESS_TOKEN"

With Postman:

For a setup with Realm Name = "test", client_id = "test", client_secret = "63b61af0-5a99-41d7-8f9b-4e3059b8b9ab" and using client_credentials grant_type.

Getting the token: [screenshot not recoverable]

and getting the userinfo: [screenshot not recoverable]

EDIT

The approach below works with Keycloak 10.0.x and 11.0.x, but gets exactly the same issues as the OP's for Keycloak 12.0.x (including the latest release, Keycloak 12.0.2).

This seems to be a regression added with Keycloak 12.0.0; follow this issue for updates.
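The same two-step flow as the curl commands in this answer, as an added example that is not part of the original answer: it builds the client_credentials token request and the userinfo request with only the Python standard library, and before calling userinfo it decodes the access token's payload locally (without signature verification, for inspection only) so that an expired token or a missing subject can be told apart from the server-side failure discussed here. The environment variable KEYCLOAK_CLIENT_SECRET, the realm/client_id values "test"/"test", and the helper names are assumptions of this example, not from the page.

```python
"""Added example: Keycloak client_credentials token + userinfo call, with local
token inspection. Not code from the question, the answer or the Keycloak project."""
import base64
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://127.0.0.1:8080/auth"   # same base URL as the answer's curl commands
REALM = "test"                             # realm name from the answer's setup
CLIENT_ID = "test"                         # client_id from the answer's setup


def token_request(base_url, realm, client_id, client_secret):
    """Build the client_credentials token request as (url, urlencoded body bytes)."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return url, body


def userinfo_request(base_url, realm, access_token):
    """Build the userinfo request as (url, headers); only the bearer token is required."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/userinfo"
    return url, {"Authorization": f"Bearer {access_token}"}


def decode_jwt_payload(token):
    """Return the JWT payload claims WITHOUT verifying the signature.
    This is for inspection only and must never be used to accept a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_problems(claims, now=None):
    """List client-side reasons a token would be rejected before userinfo is even consulted."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("typ") != "Bearer":
        problems.append(f"typ is {claims.get('typ')!r}, expected 'Bearer'")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    if "sub" not in claims:
        problems.append("no 'sub' claim (userinfo needs a subject)")
    return problems


def build_sample_token(claims):
    """Constructed, unsigned (alg 'none') token used only to exercise the inspection code."""
    def b64url(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}."


def main():
    secret = os.environ.get("KEYCLOAK_CLIENT_SECRET")   # hypothetical env var, not from the page
    if not secret:
        raise SystemExit("set KEYCLOAK_CLIENT_SECRET to the client's secret")
    url, body = token_request(BASE_URL, REALM, CLIENT_ID, secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        access_token = json.load(resp)["access_token"]
    for problem in token_problems(decode_jwt_payload(access_token)):
        print("warning:", problem)
    url, headers = userinfo_request(BASE_URL, REALM, access_token)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            print(json.load(resp))
    except urllib.error.HTTPError as err:
        # A 401 here with a fresh, unexpired token is the symptom this thread is about;
        # the WWW-Authenticate header usually carries the server's error reason.
        print("userinfo failed:", err.code, err.headers.get("WWW-Authenticate"))


if __name__ == "__main__":
    main()
```

When the warnings list is empty and userinfo still answers 401, the problem is on the server side rather than in how the request is built, which is the distinction the answer's EDIT draws between 10.x/11.x and 12.0.x.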

Apparently that issue was closed in favor of this one: https://issues.redhat.com/browse/KEYCLOAK-17217 – Martin01478 Apr 07 '21 at 15:14

@Martin01478 thanks for the comment. What happened is that the thread where the issue was posted was not the best one, so they moved it to a Jira story. I will actually update the answer. – dreamcrash Apr 07 '21 at 15:17

Both links are dead or behind a permission wall: `You can't view this issue`. Glad I had to register a RedHat account for that. – Torxed Apr 22 '23 at 15:40