Refresh token with Keycloak
I am using [JWT for client authentication][1] with [Keycloak][2]:

```
POST /token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
client-assertion-type%3Ajwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiJ9.
eyJpc3Mi[...omitted for brevity...].
cC4hiUPo[...omitted for brevity...]
```
I get back:

```
access_token
refresh_token
token_type
expires_in
```

When I try to refresh the token, I send the `refresh_token` itself with grant type `refresh_token` and get:

```
{
"error": "unauthorized_client",
"error_description": "INVALID_CREDENTIALS: Invalid client credentials"
}
```

When I specify `client_id` I get:

```
{
"error": "invalid_client",
"error_description": "Parameter client_assertion_type is missing"
}
```
If I specify `client_assertion_type`, I get an error that `client_assertion` itself is missing, so I literally have to provide the same parameters I provided when retrieving the access token.

How should that refreshing process actually work?
[1]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-12#section-2.2
[2]: https://www.keycloak.org
This is most likely a limitation or policy defined by Keycloak. RFC 7523 (JWT for client authentication) does allow client credentials to be required even when JWT authentication is present. This is highlighted in section 3.1, Authorization Grant Processing:

> JWT authorization grants may be used with or without client authentication or identification. Whether or not client authentication is needed in conjunction with a JWT authorization grant, as well as the supported types of client authentication, are policy decisions at the discretion of the authorization server. However, if client credentials are present in the request, the authorization server MUST validate them.

So even though Keycloak supports JWT client authentication, it may still require client credentials to be present in the refresh token request. Then again, this may simply be a limitation on their end.

Also, token refresh is defined by RFC 6749, The OAuth 2.0 Authorization Framework. According to its section 6, when the client is a confidential client (i.e. one created with an ID and secret), the refresh token request must include client credentials. If what you are seeing is not a limitation, then my guess is that Keycloak follows RFC 6749 and requires you to send client credentials in the token refresh request.
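As an added example (not code from the question, the answer or Keycloak), here is what the answer's reading of RFC 6749 section 6 and RFC 7523 section 3.1 looks like on both sides: the client re-sends its JWT client assertion together with `grant_type=refresh_token`, and the authorization server refuses the refresh when that client authentication is missing, only half specified, or fails to verify. It assumes a `client_secret_jwt` (HS256) client so it runs with the standard library alone; the RS256 `private_key_jwt` flow in the question differs only in the signing step, and the client id, secret, refresh token and token endpoint are constructed values.

```python
import base64, hashlib, hmac, json, time, uuid

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_assertion(client_id, token_endpoint, secret, now=None, ttl=60):
    # RFC 7523 s.3 client-auth JWT (iss/sub = client_id, aud = token endpoint, short exp,
    # unique jti), HS256-signed with the client secret; RS256 private_key_jwt differs only here.
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def build_refresh_request(refresh_token, client_id, token_endpoint, secret, now=None):
    # RFC 6749 s.6 refresh for a confidential client: the client authenticates
    # exactly as it did for the authorization_code exchange.
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_assertion_type": JWT_BEARER,
            "client_assertion": make_client_assertion(client_id, token_endpoint, secret, now)}

def check_refresh_request(params, client_id, token_endpoint, secret, now):
    # Authorization-server policy as the answer describes it (illustrative, not Keycloak's
    # code): client auth is mandatory on refresh and a present assertion MUST verify.
    if params.get("grant_type") != "refresh_token" or "refresh_token" not in params:
        return "invalid_request"
    if not any(k in params for k in ("client_id", "client_assertion_type", "client_assertion")):
        return "unauthorized_client"   # no client credentials at all
    if params.get("client_assertion_type") != JWT_BEARER or "client_assertion" not in params:
        return "invalid_client"        # client named, but its JWT auth is incomplete
    try:
        h, c, s = params["client_assertion"].split(".")
        claims = json.loads(b64url_decode(c))
    except ValueError:
        return "invalid_client"
    expected = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return "invalid_client"
    ok = claims.get("iss") == claims.get("sub") == client_id and claims.get("aud") == token_endpoint
    if not ok or claims.get("exp", 0) <= now:
        return "invalid_client"
    return None                        # authenticated; the refresh may proceed
```

The two failing request shapes in the question (no client credentials, then `client_id` alone) map to the first two rejections in `check_refresh_request`; only the full `client_assertion_type` plus a valid `client_assertion` gets through.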