Refresh token with Keycloak











up vote
1
down vote

favorite












I use JWT for Client Authentication in Keycloak:



 POST /token.oauth2 HTTP/1.1

 Host: as.example.com

 Content-Type: application/x-www-form-urlencoded



 grant_type=authorization_code&

 code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo&

 client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A

 client-assertion-type%3Ajwt-bearer&

 client_assertion=eyJhbGciOiJSUzI1NiJ9.

 eyJpc3Mi[...omitted for brevity...].

 cC4hiUPo[...omitted for brevity...]


I get :



assess_token

refresh_token

token_type

expires_in


When I try to refresh token I send refresh_token itself, grant type refresh_token and get:



{
"error": "unauthorized_client",
"error_description": "INVALID_CREDENTIALS: Invalid client credentials"
}



when I specify client_id I get:



{
"error": "invalid_client",
"error_description": "Parameter client_assertion_type is missing"
}



If I specify client_assertion_type I get error that client_assertion itself is missing, so I literally have to provide parameters I provided when retrieved access token.



How that refreshing process actually should work?






oauth-2.0 keyboard openid openid-connect







share|improve this question


























    up vote
    1
    down vote

    favorite












    I use JWT for Client Authentication in Keycloak:



     POST /token.oauth2 HTTP/1.1
    
 Host: as.example.com
    
 Content-Type: application/x-www-form-urlencoded
    

    
 grant_type=authorization_code&
    
 code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo&
    
 client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
    
 client-assertion-type%3Ajwt-bearer&
    
 client_assertion=eyJhbGciOiJSUzI1NiJ9.
    
 eyJpc3Mi[...omitted for brevity...].
    
 cC4hiUPo[...omitted for brevity...]


    I get :



    assess_token
    
refresh_token
    
token_type
    
expires_in


    When I try to refresh token I send refresh_token itself, grant type refresh_token and get:



    {
    "error": "unauthorized_client",
    "error_description": "INVALID_CREDENTIALS: Invalid client credentials"
    }



    when I specify client_id I get:



    {
    "error": "invalid_client",
    "error_description": "Parameter client_assertion_type is missing"
    }



    If I specify client_assertion_type I get error that client_assertion itself is missing, so I literally have to provide parameters I provided when retrieved access token.



    How that refreshing process actually should work?






    oauth-2.0 keyboard openid openid-connect







    share|improve this question
























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I use JWT for Client Authentication in Keycloak:



       POST /token.oauth2 HTTP/1.1
      
 Host: as.example.com
      
 Content-Type: application/x-www-form-urlencoded
      

      
 grant_type=authorization_code&
      
 code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo&
      
 client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
      
 client-assertion-type%3Ajwt-bearer&
      
 client_assertion=eyJhbGciOiJSUzI1NiJ9.
      
 eyJpc3Mi[...omitted for brevity...].
      
 cC4hiUPo[...omitted for brevity...]


      I get :



      assess_token
      
refresh_token
      
token_type
      
expires_in


      When I try to refresh token I send refresh_token itself, grant type refresh_token and get:



      {
      "error": "unauthorized_client",
      "error_description": "INVALID_CREDENTIALS: Invalid client credentials"
      }



      when I specify client_id I get:



      {
      "error": "invalid_client",
      "error_description": "Parameter client_assertion_type is missing"
      }



      If I specify client_assertion_type I get error that client_assertion itself is missing, so I literally have to provide parameters I provided when retrieved access token.



      How that refreshing process actually should work?






      oauth-2.0 keyboard openid openid-connect







      share|improve this question













      I use JWT for Client Authentication in Keycloak:



       POST /token.oauth2 HTTP/1.1
      
 Host: as.example.com
      
 Content-Type: application/x-www-form-urlencoded
      

      
 grant_type=authorization_code&
      
 code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo&
      
 client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
      
 client-assertion-type%3Ajwt-bearer&
      
 client_assertion=eyJhbGciOiJSUzI1NiJ9.
      
 eyJpc3Mi[...omitted for brevity...].
      
 cC4hiUPo[...omitted for brevity...]


      I get :



      assess_token
      
refresh_token
      
token_type
      
expires_in


      When I try to refresh token I send refresh_token itself, grant type refresh_token and get:



      {
      "error": "unauthorized_client",
      "error_description": "INVALID_CREDENTIALS: Invalid client credentials"
      }



      when I specify client_id I get:



      {
      "error": "invalid_client",
      "error_description": "Parameter client_assertion_type is missing"
      }



      If I specify client_assertion_type I get error that client_assertion itself is missing, so I literally have to provide parameters I provided when retrieved access token.



      How that refreshing process actually should work?






      oauth-2.0 keyboard openid openid-connect




      oauth-2.0 keyboard openid openid-connect






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked yesterday









      Sergii Getman

      1,59011731




      1,59011731
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote



          accepted










          This could very well be a limitation or policy defined by Keycloak. RFC7523 (JWT for Client Authentication) does allow to enable client credentials when JWT authentication is present. This is highlighted from 3.1. Authorization Grant Processing




          JWT authorization grants may be used with or without client
          authentication or identification. Whether or not client
          authentication is needed in conjunction with a JWT authorization
          grant, as well as the supported types of client authentication, are
          policy decisions at the discretion of the authorization server.
          However, if client credentials are present in the request, the
          authorization server MUST validate them.




          So even if Keycloak support JWT client authentication, it may still require client credentials to be present in the refresh token request. But also, it could be a limitation from their end.



          Additionally, token refresh is defined through RFC6749 - The OAuth 2.0 Authorization Framework. According to it's section 6, refresh token request must contain client credentials when client is a confidential client (simply a client which was created with id and a password). If what you seen is not a limitation, then guess Keycloak adhere to RFC6749 and require you to send client credentials in token refresh request.






          share|improve this answer



















          • 1




            yes, unfortunately client type is confidential and force us sending all creds. thanks a lot!
            – Sergii Getman
            yesterday











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53372454%2frefresh-token-with-keycloak%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          1
          down vote



          accepted










          This could very well be a limitation or policy defined by Keycloak. RFC7523 (JWT for Client Authentication) does allow to enable client credentials when JWT authentication is present. This is highlighted from 3.1. Authorization Grant Processing




          JWT authorization grants may be used with or without client
          authentication or identification. Whether or not client
          authentication is needed in conjunction with a JWT authorization
          grant, as well as the supported types of client authentication, are
          policy decisions at the discretion of the authorization server.
          However, if client credentials are present in the request, the
          authorization server MUST validate them.




          So even if Keycloak support JWT client authentication, it may still require client credentials to be present in the refresh token request. But also, it could be a limitation from their end.



          Additionally, token refresh is defined through RFC6749 - The OAuth 2.0 Authorization Framework. According to it's section 6, refresh token request must contain client credentials when client is a confidential client (simply a client which was created with id and a password). If what you seen is not a limitation, then guess Keycloak adhere to RFC6749 and require you to send client credentials in token refresh request.






          share|improve this answer



















          • 1




            yes, unfortunately client type is confidential and force us sending all creds. thanks a lot!
            – Sergii Getman
            yesterday















          up vote
          1
          down vote



          accepted










          This could very well be a limitation or policy defined by Keycloak. RFC7523 (JWT for Client Authentication) does allow to enable client credentials when JWT authentication is present. This is highlighted from 3.1. Authorization Grant Processing




          JWT authorization grants may be used with or without client
          authentication or identification. Whether or not client
          authentication is needed in conjunction with a JWT authorization
          grant, as well as the supported types of client authentication, are
          policy decisions at the discretion of the authorization server.
          However, if client credentials are present in the request, the
          authorization server MUST validate them.




          So even if Keycloak support JWT client authentication, it may still require client credentials to be present in the refresh token request. But also, it could be a limitation from their end.



          Additionally, token refresh is defined through RFC6749 - The OAuth 2.0 Authorization Framework. According to it's section 6, refresh token request must contain client credentials when client is a confidential client (simply a client which was created with id and a password). If what you seen is not a limitation, then guess Keycloak adhere to RFC6749 and require you to send client credentials in token refresh request.






          share|improve this answer



















          • 1




            yes, unfortunately client type is confidential and force us sending all creds. thanks a lot!
            – Sergii Getman
            yesterday













          up vote
          1
          down vote



          accepted







          up vote
          1
          down vote



          accepted






          This could very well be a limitation or policy defined by Keycloak. RFC7523 (JWT for Client Authentication) does allow to enable client credentials when JWT authentication is present. This is highlighted from 3.1. Authorization Grant Processing




          JWT authorization grants may be used with or without client
          authentication or identification. Whether or not client
          authentication is needed in conjunction with a JWT authorization
          grant, as well as the supported types of client authentication, are
          policy decisions at the discretion of the authorization server.
          However, if client credentials are present in the request, the
          authorization server MUST validate them.




          So even if Keycloak support JWT client authentication, it may still require client credentials to be present in the refresh token request. But also, it could be a limitation from their end.



          Additionally, token refresh is defined through RFC6749 - The OAuth 2.0 Authorization Framework. According to it's section 6, refresh token request must contain client credentials when client is a confidential client (simply a client which was created with id and a password). If what you seen is not a limitation, then guess Keycloak adhere to RFC6749 and require you to send client credentials in token refresh request.






          share|improve this answer














          This could very well be a limitation or policy defined by Keycloak. RFC7523 (JWT for Client Authentication) does allow to enable client credentials when JWT authentication is present. This is highlighted from 3.1. Authorization Grant Processing




          JWT authorization grants may be used with or without client
          authentication or identification. Whether or not client
          authentication is needed in conjunction with a JWT authorization
          grant, as well as the supported types of client authentication, are
          policy decisions at the discretion of the authorization server.
          However, if client credentials are present in the request, the
          authorization server MUST validate them.




          So even if Keycloak support JWT client authentication, it may still require client credentials to be present in the refresh token request. But also, it could be a limitation from their end.



          Additionally, token refresh is defined through RFC6749 - The OAuth 2.0 Authorization Framework. According to it's section 6, refresh token request must contain client credentials when client is a confidential client (simply a client which was created with id and a password). If what you seen is not a limitation, then guess Keycloak adhere to RFC6749 and require you to send client credentials in token refresh request.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited yesterday

























          answered yesterday









          Kavindu Dodanduwa

          5,42111230




          5,42111230








          • 1




            yes, unfortunately client type is confidential and force us sending all creds. thanks a lot!
            – Sergii Getman
            yesterday














          • 1




            yes, unfortunately client type is confidential and force us sending all creds. thanks a lot!
            – Sergii Getman
            yesterday








          1




          1




          yes, unfortunately client type is confidential and force us sending all creds. thanks a lot!
          – Sergii Getman
          yesterday




          yes, unfortunately client type is confidential and force us sending all creds. thanks a lot!
          – Sergii Getman
          yesterday


















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53372454%2frefresh-token-with-keycloak%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Can a sorcerer learn a 5th-level spell early by creating spell slots using the Font of Magic feature?

          Image
          28 6 $begingroup$ Per the Font of Magic feature, sorcerer can use Flexible Casting to create 5th-level spell slots at level 7, even though they are not typically available until level 9. You can transform unexpended sorcery points into one spell slot as a bonus action on your turn. The Creating Spell Slots table shows the cost of creating a spell slot of [5th level is 7] If such a sorcerer levels up while still having this 5th-level spell slot, can they choose a 5th-level spell as the spell they gain upon levelling up? The Spellcasting feature states: Additionally, when you gain a level in this class, you can choose one of the sorcerer spells you know and replace it with another spell from the sorcerer spell list, which also must be of a level for which you have spell slots.
          Read more

          Does disintegrating a polymorphed enemy still kill it after the 2018 errata?

          Image
          up vote 13 down vote favorite 1 After the 2018 errata, the disintegrate spell description now reads: A creature targeted by this spell must make a Dexterity saving throw. On a failed save, the target takes 10d6 + 40 force damage. The target is disintegrated if this damage leaves it with 0 hit points. If you were to polymorph an enemy into a rat and then disintegrate it, would the enemy be disintegrated or would it just return to its original form? I know that for Druids, it’s not an instant kill anymore, but is this the case for polymorph as well? dnd-5e spells polymorph errata share | improve this question edited 18 hours ago
          Read more

          A Topological Invariant for $pi_3(U(n))$

          Image
          3 3 $begingroup$ Recently, I saw a construction of topological invariant for $pi_3(U(n))$ with $ngeq 2$ : $$ N=frac{1}{24pi^2}int_{S^3} d^3x epsilon^{ijk} Tr[(U^{-1}partial_{x_i}U)(U^{-1}partial_{x_j}U)(U^{-1}partial_{x_k}U)] , $$ where $Uin U(n)$ depends on $boldsymbol{x}=(x_1,x_2,x_3)in S^3$ , $epsilon^{ijk}$ is the Levi-Civita symbol, $i,j,k=1,2,3$ , and the duplicated indexes are summed over. It is claimed that $N$ is an integer, but why? Update 02/02/2019 I think I got an argument for $n=2$ . In this case, $U=e^{i varphi} q$ with $qin SU(2)$ . Due to the trace and the Levi-Civita symbol in $N$ , $varphi$ does not contribute to $N$ . As $Tr[q^{dagger}partial_i q]=0$ and $(q^{dagger}partial_i q)^{dagger}=-q^{dagger}partial_i q$ , $q^{dagger}partial_i q$ in geneeral has the form $q^{dagger}partia
          Read more