Closed tnorimat closed 2 weeks ago
According to https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L422, which this test environment's nginx lua script fapi-verify.lua uses, `private_key_jwt` might be the best alternative for the resource server's client authentication method.
The workaround for running automated conformance tests is as follows: change

`client_secret = os.getenv("CLIENT_SECRET"),`

to

`client_secret = "<generated secret in 4>",`

and modify the "resource-server" client's setting: `"bearerOnly": false,`
resolved by https://github.com/keycloak/keycloak/issues/30543#issuecomment-2182601997 https://github.com/keycloak/keycloak/blob/25.0.1/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java#L566-L583
Description
Keycloak's token introspection endpoint requires the client to do client authentication. The resource server of this test environment uses `client_secret_basic` as its client authentication method. To register the client secret of the resource server, this test environment imports a realm JSON file including the client secret. It works up to Keycloak 24. However, it does not work since Keycloak 25. Therefore, in some tests, when the resource server sends a token introspection request to Keycloak, Keycloak returns 401 Unauthorized because the secret of the resource server was not registered in Keycloak.
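The exchange the description refers to, shown as an added example that is not part of the original issue and not Keycloak or lua-resty-openidc code: the resource server builds an RFC 7662 introspection request authenticated with `client_secret_basic`, and a minimal mock of the server side first checks the client credentials against the realm's registered clients and only then answers about the token. The client id, secret, token and the two "registered clients" tables are constructed sample data; the mock models the symptom in the report (a realm import that left the client without a secret) as a client whose registered secret is `None`, which is an assumption of this example, not a statement about Keycloak internals.

```python
import base64
from typing import Dict, Optional, Set, Tuple
from urllib.parse import quote

# Constructed sample data (not from the issue): the resource server's
# credentials as they would appear in the realm JSON and in fapi-verify.lua.
CLIENT_ID = "resource-server"
CLIENT_SECRET = "s3cret-generated-in-step-4"
SAMPLE_TOKEN = "sample-access-token"

# Two hypothetical realm states: the secret was imported (Keycloak 24
# behaviour) versus the client exists but carries no secret (the Keycloak 25
# symptom described in the report).
REGISTERED_CLIENTS_OK: Dict[str, Optional[str]] = {CLIENT_ID: CLIENT_SECRET}
REGISTERED_CLIENTS_NO_SECRET: Dict[str, Optional[str]] = {CLIENT_ID: None}


def build_introspection_request(client_id: str, client_secret: str,
                                token: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Headers and form body for a token introspection call using
    client_secret_basic: RFC 6749 section 2.3.1 form-urlencodes id and secret
    before base64-encoding "id:secret" into an HTTP Basic Authorization header."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {"token": token, "token_type_hint": "access_token"}
    return headers, body


def mock_introspection_endpoint(headers: Dict[str, str], body: Dict[str, str],
                                registered: Dict[str, Optional[str]],
                                active_tokens: Set[str]) -> Tuple[int, dict]:
    """Stand-in for the authorization server side (not Keycloak's code).
    Client authentication is checked before the token is looked at, so a
    missing or wrong secret yields 401 regardless of the token's validity."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
    except Exception:
        return 401, {"error": "invalid_client"}
    client_id, _, secret = decoded.partition(":")
    expected = registered.get(client_id)
    # A client imported without its secret can never authenticate this way.
    if expected is None or secret != quote(expected, safe=""):
        return 401, {"error": "invalid_client"}
    return 200, {"active": body.get("token") in active_tokens}


def diagnose(status: int, payload: dict) -> str:
    """Turn the introspection response into the operator-facing finding."""
    if status == 401:
        return "client authentication failed: secret not registered or wrong"
    if status == 200:
        return "token active" if payload.get("active") else "token inactive"
    return f"unexpected status {status}"


def run_exchange(registered: Dict[str, Optional[str]]) -> Tuple[int, str]:
    """Full round trip against one realm state; returns (status, diagnosis)."""
    headers, body = build_introspection_request(CLIENT_ID, CLIENT_SECRET, SAMPLE_TOKEN)
    status, payload = mock_introspection_endpoint(headers, body, registered, {SAMPLE_TOKEN})
    return status, diagnose(status, payload)


if __name__ == "__main__":
    for label, realm in (("secret imported", REGISTERED_CLIENTS_OK),
                         ("secret missing", REGISTERED_CLIENTS_NO_SECRET)):
        print(label, "->", run_exchange(realm))
```

Running the block prints a 200 "token active" result for the realm that kept the secret and a 401 "client authentication failed" result for the realm that did not, which is the quickest way to tell an introspection failure caused by client registration apart from one caused by an invalid token: the former never reaches the token check at all.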