UMA 2.0 RPT introspection does not accept PAT #30780

Open
1 of 2 tasks
randomstuff opened this issue Jun 26, 2024 · 1 comment
Labels
area/authentication Indicates an issue on Authentication area kind/bug Categorizes a PR related to a bug status/triage team/core-clients

Comments

@randomstuff

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

Keycloak does not accept the PAT as authentication for the UMA introspection API. This fails with a 401:

{"error":"invalid_request","error_description":"Authentication failed."}

Instead, it accepts the resource server's client credentials.

I believe the RPT introspection should use the PAT for introspection. The UMA 2.0 specification says:

Introspect the RPT at the authorization server using the OAuth token introspection endpoint (defined in [RFC7662] and this section) that is part of the protection API

and

Protection API Summary

Use of these endpoints assumes that the resource server has acquired OAuth client credentials from the authorization server by static or dynamic means, and has a valid PAT. Note: Although the resource identifiers that appear in permission and token introspection request messages could sufficiently identify the resource owner, the PAT is still required because it represents the resource owner's authorization to use the protection API, as noted in Section 1.3.

The RPT introspection is part of the protection API and the protection API is protected using the PAT. Therefore the RPT introspection should be protected using the PAT as far as I understand.

See the example in the specification:

Example of the resource server's request to the authorization server for introspection of an RPT, with a PAT in the header:

POST /introspect HTTP/1.1
Host: as.example.com
Authorization: Bearer 204c69636b6c69 <= PAT
...
token=sbjsbhs(/SSJHBSUSSJHVhjsgvhsgvshgsv

Version

25.0

Regression

  • The issue is a regression

Expected behavior

UMA 2.0 RPT introspection should accept the PAT for authentication.

Actual behavior

Using the PAT for RPT introspection fails with 401:

{"error":"invalid_request","error_description":"Authentication failed."}

How to Reproduce?

# Assumes a local Keycloak dev instance on plain http; $pat holds the full header value ("Bearer <PAT>")
curl -D- -XPOST http://localhost:8180/realms/test/protocol/openid-connect/token/introspect \
    -H "Authorization: $pat" \
    -d "token=$rpt"

I can provide a working lab if needed.

Anything else?

No response
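The resource-server side of the flow described in this report, as an added example that is neither Keycloak's nor the reporter's code: it builds the UMA 2.0 introspection request with the PAT as the Bearer credential and the RPT as the `token` form parameter, then maps the authorization server's answer (including the 401 body quoted above) to an access decision. The base URL, realm name, the `send` hook and all sample responses are assumptions/constructed values.

```python
import json
from urllib import parse, request
from urllib.error import HTTPError


def build_rpt_introspection(base_url, realm, pat, rpt):
    """UMA 2.0 RPT introspection request: PAT as Bearer, RPT in the form body."""
    # Keycloak's introspection path, as used in the reproduction above
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token/introspect"
    headers = {
        "Authorization": f"Bearer {pat}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = parse.urlencode({"token": rpt}).encode()
    return url, headers, body


def classify_introspection(status, body):
    """Turn the authorization server's reply into what the resource server should do."""
    data = json.loads(body) if body else {}
    if status == 401:
        # The failure reported in this issue: the credential itself was rejected,
        # so nothing can be said about the RPT. Log it; never treat it as 'inactive'.
        return ("credential_rejected", data.get("error_description"))
    if status != 200:
        return ("error", data.get("error"))
    if not data.get("active", False):
        # expired, revoked or unknown RPT: deny access
        return ("rpt_inactive", None)
    # active RPT: the 'permissions' claim lists granted resources and scopes
    return ("rpt_active", data.get("permissions", []))


def introspect_rpt(base_url, realm, pat, rpt, send=None):
    """send(url, headers, body) -> (status, text); defaults to urllib (hypothetical hook)."""
    url, headers, body = build_rpt_introspection(base_url, realm, pat, rpt)
    if send is None:
        def send(url, headers, body):
            req = request.Request(url, data=body, headers=headers, method="POST")
            try:
                with request.urlopen(req) as resp:
                    return resp.status, resp.read().decode()
            except HTTPError as e:
                return e.code, e.read().decode()
    status, text = send(url, headers, body)
    return classify_introspection(status, text)


if __name__ == "__main__":
    # Constructed reply reproducing the 401 body quoted in the report
    fake = lambda u, h, b: (401, '{"error":"invalid_request","error_description":"Authentication failed."}')
    print(introspect_rpt("http://localhost:8180", "test", "PAT", "RPT", send=fake))
```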

@randomstuff randomstuff added kind/bug Categorizes a PR related to a bug status/triage labels Jun 26, 2024
@keycloak-github-bot keycloak-github-bot bot added area/authentication Indicates an issue on Authentication area team/core-clients labels Jun 26, 2024
@randomstuff (Author)

See https://github.com/randomstuff/keycloak-uma-test (and test_rs_resource.py) for a test environment.
