BearerOnly TokenValidation.ONLINE
I am passing a token that I generate from a service account - however when I pass the token with the setting TokenValidation.ONLINE it fails
WARN [Keycloak] Cannot validate access token: Error: 401:Unauthorized
I have the correct token created - how does the API validate the token? Currently I'm forced to use OFFLINE.
It actually sends a request to your auth server:
https://github.com/ferrerojosh/nest-keycloak-connect/blob/51e78e64d14040b803b8123bd03c397fc044dba1/src/guards/auth.guard.ts#L105-L147
From keycloak-nodejs-connect itself:
https://github.com/keycloak/keycloak-nodejs-connect/blob/773e95a2fd8b4046cb22f6e3d55853169a81e9a8/middleware/auth-utils/grant-manager.js#L259-L281
I do not know how the tokens in service accounts work. If you're using it for service-to-service communication (in a microservice cluster), most just disable validation altogether.
If you want to know, the library is calling the introspect endpoint, so get it to work by calling that endpoint yourself first:
Alternatively, if you call the user info endpoint instead, you will get a valid token for bearer-only.
@sgentile what you should do is open two Keycloak clients: one public client for the frontend and a second bearer-only client with a secret. The backend server will verify tokens using the bearer-only client and its secret. You can manually test it by calling the introspect endpoint.
Running into very same issue today.
After digging into the code which @ferrerojosh and @satanshiro mentioned, I tried calling the introspection URL from Postman and realised that client_secret is a required parameter to introspect the token.
In my case, the keycloak.json generated from the Keycloak admin console did not include the secret key. After I inserted the secret key into keycloak.json, TokenValidation.ONLINE works.
"credentials": { "secret": "PoSwifX1Txxxxxxxxxxxxxxxxxx" }   (put your client secret here; JSON does not allow a // comment, so the note is outside the fragment)
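The behaviour the thread converges on (ONLINE validation is an introspection call, the introspection endpoint requires the client secret, and a missing secret shows up as a 401 rather than as an inactive token) is shown below as an added example. This is not code from nest-keycloak-connect or keycloak-nodejs-connect; the config values, the function names buildIntrospectionRequest, validateOnline and fakeKeycloakFetch, the token strings and the fake endpoint are all constructed for the illustration, and the real libraries build their HTTP request with their own code.

```javascript
// Added example, not the library's own code: a minimal model of what
// TokenValidation.ONLINE does, i.e. an RFC 7662 token-introspection call
// authenticated with the client secret, plus a fake Keycloak endpoint so
// the whole thing runs offline. All values below are constructed.

// Constructed keycloak.json fragments: the admin-console export of a
// bearer-only client (no credentials block) and the same file with the
// secret added, which is the fix reported in this thread.
const CONFIG_NO_SECRET = {
  'auth-server-url': 'https://keycloak.example.com/auth',
  realm: 'demo',
  resource: 'backend-api',
  'bearer-only': true,
};
const CONFIG_WITH_SECRET = {
  ...CONFIG_NO_SECRET,
  credentials: { secret: 'constructed-client-secret' },
};

// Build the introspection request a confidential client has to send:
// POST <realm>/protocol/openid-connect/token/introspect with the token and
// the client credentials. Keycloak accepts the credentials either as form
// fields (used here) or as an HTTP Basic Authorization header.
function buildIntrospectionRequest(config, accessToken) {
  const url = `${config['auth-server-url']}/realms/${config.realm}` +
    '/protocol/openid-connect/token/introspect';
  const params = new URLSearchParams({ token: accessToken, client_id: config.resource });
  const secret = config.credentials && config.credentials.secret;
  if (secret) params.set('client_secret', secret);
  return {
    url,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// ONLINE-style validation. A 401 means Keycloak rejected the *client*
// (wrong or missing secret); that is reported separately from a token
// that introspects as not active, because the fixes are different.
async function validateOnline(config, accessToken, fetchImpl) {
  const req = buildIntrospectionRequest(config, accessToken);
  const res = await fetchImpl(req.url, req);
  if (res.status === 401) {
    return { valid: false, reason: 'client not authenticated (check credentials.secret in keycloak.json)' };
  }
  if (res.status !== 200) {
    return { valid: false, reason: `introspection failed with HTTP ${res.status}` };
  }
  const body = await res.json();
  return body.active === true
    ? { valid: true, claims: body }
    : { valid: false, reason: 'token not active' };
}

// Fake Keycloak introspection endpoint (constructed). It knows one client
// secret and one live token and mimics the two responses that matter here:
// 401 for a client that cannot authenticate, {active:false} for an unknown token.
const KNOWN_TOKENS = {
  'valid-token': { active: true, sub: 'service-account-backend-api', azp: 'backend-api' },
};
function fakeKeycloakFetch(url, req) {
  const params = new URLSearchParams(req.body);
  const response = (status, payload) =>
    Promise.resolve({ status, json: () => Promise.resolve(payload) });
  if (!url.endsWith('/protocol/openid-connect/token/introspect')) return response(404, {});
  if (params.get('client_secret') !== 'constructed-client-secret') {
    return response(401, { error: 'unauthorized_client' });
  }
  const known = KNOWN_TOKENS[params.get('token')];
  return response(200, known || { active: false });
}

// Usage: the first call reproduces the 401 from the issue, the second works.
if (typeof require !== 'undefined' && require.main === module) {
  (async () => {
    console.log(await validateOnline(CONFIG_NO_SECRET, 'valid-token', fakeKeycloakFetch));
    console.log(await validateOnline(CONFIG_WITH_SECRET, 'valid-token', fakeKeycloakFetch));
    console.log(await validateOnline(CONFIG_WITH_SECRET, 'expired-token', fakeKeycloakFetch));
  })();
}
```

To reproduce the check against a real server, point buildIntrospectionRequest at your realm and pass a real fetch: a 401 there, before any token is even looked at, is the symptom of the missing or wrong secret; only once you get a 200 with an active/inactive JSON body is the token itself being evaluated.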