Keycloak: Validate access token and get keycloak ID


Question

I need to be able to do the following (with plain cURL & JSON server-side- no frameworks or Java):

  1. Use a string representation of a Keycloak access token I have been given by a 3rd party to verify that the token is valid.

  2. If the token is valid, get the Keycloak ID for that user.

How do I do this using plain old HTTP posts? I've found lots of Java examples but I need to know the raw HTTP POSTs and responses underneath.

Is it something like this to validate the token?

/auth/realms/<realm>/protocols/openid-connect/validate?access_token=accesstokenhere

What does this return in terms of data (sorry I currently have no test server to interrogate)?

Thanks.

Recommended answer

The validate endpoint does not seem to work now. It used to return the access token. I am using Keycloak 2.5.1 now. As mentioned in the post by Matyas (and in the post referenced by him), I had to use the introspect token endpoint.

In my testing Bearer authentication did not work. Had to use Basic authentication header along with base64 encoded client credentials.

base64.encode("<client_id:client_secret>".getBytes("utf-8"))

The response from the introspect endpoint is in JSON format, as shared in the post referenced by Matyas, and has many fields based on the type of token being introspected. In my case token_type_hint was set as access_token.

requestParams = "token_type_hint=access_token&token=" + accessToken

The response included required user details like username, roles and resource access. Also included OAuth mandated attributes like active, exp, iss etc. See rfc7662#page-6 for details.
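
The request and response handling described in this answer, as an added example that is not part of the original post. The host `kc.example.test`, realm `demo`, client credentials, token and sample responses are constructed; the path is Keycloak's token introspection endpoint, and reading the user's Keycloak ID from the RFC 7662 `sub` field is an assumption.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_introspection_request(base_url, realm, client_id, client_secret, access_token):
    """Build (without sending) the POST to the realm's token introspection endpoint."""
    url = (f"{base_url.rstrip('/')}/realms/{urllib.parse.quote(realm, safe='')}"
           "/protocol/openid-connect/token/introspect")
    # Basic auth value: base64("client_id:client_secret"), as the answer describes.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    # The token travels in the form body, not the query string, so it stays out of URL logs.
    body = urllib.parse.urlencode(
        {"token_type_hint": "access_token", "token": access_token}).encode("ascii")
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    })


def introspect(request, timeout=5):
    """Send the request and return the raw JSON text (needs a reachable server)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def keycloak_id_from_introspection(raw_json, expected_issuer):
    """Return the `sub` value only for an active token issued by the expected realm."""
    data = json.loads(raw_json)
    if data.get("active") is not True:  # RFC 7662: a rejected token yields active=false
        return None
    if data.get("iss") != expected_issuer:  # defensive check on the issuing realm
        return None
    return data.get("sub")  # assumption: `sub` carries the Keycloak user ID


# Constructed sample responses (not captured from a real server).
ISSUER = "https://kc.example.test/auth/realms/demo"
SAMPLE_ACTIVE = json.dumps({"active": True, "iss": ISSUER, "exp": 1700000000,
                            "username": "alice", "sub": "00000000-0000-4000-8000-000000000001"})
SAMPLE_INACTIVE = json.dumps({"active": False})

if __name__ == "__main__":
    req = build_introspection_request("https://kc.example.test/auth", "demo",
                                      "my-client", "s3cret", "abc.def.ghi")
    print(req.get_method(), req.full_url)
    print(req.header_items(), req.data.decode())
    print(keycloak_id_from_introspection(SAMPLE_ACTIVE, ISSUER))
```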
