Refresh token with Keycloak


This could very well be a limitation or policy defined by Keycloak. RFC7523 (JWT for Client Authentication) does allow client credentials to be enabled when JWT authentication is present. This is highlighted in section 3.1, Authorization Grant Processing:

JWT authorization grants may be used with or without client authentication or identification. Whether or not client authentication is needed in conjunction with a JWT authorization grant, as well as the supported types of client authentication, are policy decisions at the discretion of the authorization server. However, if client credentials are present in the request, the authorization server MUST validate them.

So even if Keycloak supports JWT client authentication, it may still require client credentials to be present in the refresh token request. But also, it could be a limitation from their end.

Additionally, token refresh is defined through RFC6749 - The OAuth 2.0 Authorization Framework. According to its section 6, the refresh token request must contain client credentials when the client is a confidential client (simply a client that was created with an id and a password). If what you have seen is not a limitation, then I guess Keycloak adheres to RFC6749 and requires you to send client credentials in the token refresh request.
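As an added example (not part of the original answer, and not Keycloak's own code), a Go client that builds the refresh request the way RFC 7523 and RFC 6749 section 6 require for a confidential client: the refresh_token grant carries the same client_assertion_type and a freshly signed client_assertion as the original authorization_code request. The client id, token endpoint and the generated RSA key are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) } // base64url, no padding (JWS)

// clientAssertion signs the RFC 7523 client_assertion JWT: iss/sub = client_id,
// aud = token endpoint, jti = fresh nonce, short exp so a leaked assertion dies quickly.
func clientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": b64(nonce), "iat": now.Unix(), "exp": now.Add(time.Minute).Unix(),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + b64(sig), err // caller must check err before sending the assertion
}

// refreshForm carries the same client authentication as the original
// authorization_code request (RFC 6749 section 6), plus the refresh token.
func refreshForm(refreshToken, assertion string) url.Values {
	return url.Values{
		"grant_type":            {"refresh_token"},
		"refresh_token":         {refreshToken},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key; a real client loads its own
	a, _ := clientAssertion(key, "my-client", "https://as.example.com/token.oauth2", time.Now()) // demo only: error ignored
	fmt.Println(refreshForm("REFRESH_TOKEN_PLACEHOLDER", a).Encode())
}
```

The printed form body is what goes in the POST to the token endpoint; the assertion is single-use, so a new one is signed for every refresh.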

Author: Sergii Getman

Updated on June 05, 2022

Comments

  • Sergii Getman almost 2 years

    I use [JWT for Client Authentication][1] in [Keycloak][2]:

     POST /token.oauth2 HTTP/1.1
     Host: as.example.com
     Content-Type: application/x-www-form-urlencoded
    
     grant_type=authorization_code&
     code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo&
     client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
     client-assertion-type%3Ajwt-bearer&
     client_assertion=eyJhbGciOiJSUzI1NiJ9.
     eyJpc3Mi[...omitted for brevity...].
     cC4hiUPo[...omitted for brevity...]
    

    I get:

    access_token
    refresh_token
    token_type
    expires_in
    

    When I try to refresh the token I send the refresh_token itself with grant type refresh_token and get:

    ```
    {
        "error": "unauthorized_client",
        "error_description": "INVALID_CREDENTIALS: Invalid client credentials"
    }
    ```

    When I specify `client_id` I get:

    ```
    {
        "error": "invalid_client",
        "error_description": "Parameter client_assertion_type is missing"
    }
    ```
    
    If I specify `client_assertion_type` I get an error that `client_assertion` itself is missing, so I literally have to provide the parameters I provided when I retrieved the access token.
    
    How should that refreshing process actually work?
    
    
      [1]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-12#section-2.2
      [2]: https://www.keycloak.org
    
  • Sergii Getman over 5 years
    Yes, unfortunately the client type is confidential and forces us to send all creds. Thanks a lot!