Area
authentication
Describe the bug
Keycloak does not accept the PAT as authentication for the UMA introspection API. This fails with a 401:
Instead, it accepts the resource server's client credentials.
I believe the RPT introspection should use the PAT for introspection. The UMA 2.0 specification says:
"Introspect the RPT at the authorization server using the OAuth token introspection endpoint (defined in [RFC7662] and this section) that is part of the protection API"
and
"Protection API Summary
Use of these endpoints assumes that the resource server has acquired OAuth client credentials from the authorization server by static or dynamic means, and has a valid PAT. Note: Although the resource identifiers that appear in permission and token introspection request messages could sufficiently identify the resource owner, the PAT is still required because it represents the resource owner's authorization to use the protection API, as noted in Section 1.3."
The RPT introspection is part of the protection API and the protection API is protected using the PAT. Therefore the RPT introspection should be protected using the PAT as far as I understand.
See the example in the specification:
Version
25.0
Regression
Expected behavior
UMA 2.0 RPT introspection should accept the PAT for authentication.
Actual behavior
Using the PAT for RPT introspection fails with 401:
How to Reproduce?
I can provide a working lab if needed.
Anything else?
No response
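To make the expected behaviour concrete, here is an added example (not code from the issue or from Keycloak) that models the UMA 2.0 protection API's token introspection endpoint the way the quoted spec text describes it: the endpoint is part of the protection API, so the caller must present a valid PAT (an OAuth access token carrying the `uma_protection` scope) as a Bearer token, and a request authenticated with the resource server's client credentials instead is refused with 401. The token values, client id, resource id and the `PATS`/`RPTS` stores are constructed for this example; the response shape follows RFC 7662 plus UMA's `permissions` array.

```python
# Added example (not from the Keycloak issue or project): a minimal model of the
# UMA 2.0 protection API's RPT introspection endpoint. The rule demonstrated is
# the one the issue quotes: the endpoint is part of the protection API, so the
# caller must authenticate with a valid PAT (Bearer token with scope
# "uma_protection"). Client credentials (HTTP Basic) are not a PAT and are
# rejected with 401. All token values, client ids and resource ids are constructed.
import base64
import time
from urllib.parse import parse_qs

# Constructed PAT store: token value -> owning resource server, scopes, expiry.
# "plain-at-xyz" is an ordinary access token without uma_protection, to show that
# not every bearer token issued to the resource server qualifies as a PAT.
PATS = {
    "pat-rs-1-abc": {"client_id": "resource-server-1", "scope": {"uma_protection"}, "exp": 2_000_000_000},
    "plain-at-xyz": {"client_id": "resource-server-1", "scope": {"openid"}, "exp": 2_000_000_000},
}

# Constructed RPT store: token value -> introspection payload (RFC 7662 fields plus
# the UMA 2.0 "permissions" array).
RPTS = {
    "rpt-123": {
        "active": True,
        "exp": 2_000_000_000,
        "permissions": [{"resource_id": "res-1", "resource_scopes": ["view"]}],
    },
}


def _unauthorized(reason):
    """401 response with a WWW-Authenticate challenge, as an (status, headers, body) triple."""
    challenge = f'Bearer realm="uma", error="invalid_token", error_description="{reason}"'
    return 401, {"WWW-Authenticate": challenge}, None


def _require_pat(headers, now):
    """Return (client_id, None) if Authorization carries a valid PAT, else (None, 401 response)."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        # Basic (client credentials) or any other scheme is not a PAT; the spec requires the PAT.
        return None, _unauthorized("protection API requires a PAT bearer token")
    pat = PATS.get(value.strip())
    if pat is None or pat["exp"] <= now:
        return None, _unauthorized("unknown or expired PAT")
    if "uma_protection" not in pat["scope"]:
        return None, _unauthorized("token lacks uma_protection scope")
    return pat["client_id"], None


def introspect_rpt(headers, body, now=None):
    """Model of POST /introspect on the protection API; body is the form-encoded request body."""
    now = time.time() if now is None else now
    _client_id, err = _require_pat(headers, now)
    if err:
        return err
    token = parse_qs(body).get("token", [None])[0]
    if token is None:
        return 400, {}, {"error": "invalid_request", "error_description": "missing token"}
    rpt = RPTS.get(token)
    if rpt is None or rpt["exp"] <= now:
        # RFC 7662: for an unknown or expired token, answer active:false and nothing else.
        return 200, {"Content-Type": "application/json"}, {"active": False}
    return 200, {"Content-Type": "application/json"}, dict(rpt)


def basic_auth_header(client_id, secret):
    """Build the HTTP Basic header a resource server would send for client-credentials auth."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


if __name__ == "__main__":
    body = "token=rpt-123"
    # PAT as Bearer: accepted, RPT details returned.
    print(introspect_rpt({"Authorization": "Bearer pat-rs-1-abc"}, body, now=1_700_000_000))
    # Client credentials instead of a PAT: 401, even though the credentials are the resource server's.
    print(introspect_rpt({"Authorization": basic_auth_header("resource-server-1", "s3cr3t")}, body, now=1_700_000_000))
```

The `now` parameter is passed explicitly so the expiry checks are deterministic; in a real server it would be the current time. The point of the model is the first check in `_require_pat`: the protection API is gated on the PAT itself, not merely on the resource server's identity, which is why the spec keeps requiring the PAT even when the resource ids in the request already identify the resource owner.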