Keycloak: Validate access token and get keycloak ID

I need to be able to do the following (with plain cURL & JSON server-side, no frameworks or Java):

  1. Use a string representation of a Keycloak access token I have been given by a 3rd party to verify that the token is valid.

  2. If the token is valid, get the Keycloak ID for that user.

How do I do this using plain old HTTP POSTs? I've found lots of Java examples, but I need to know the raw HTTP POSTs and responses underneath.

Is it something like this to validate the token?

/auth/realms/<realm>/protocols/openid-connect/validate?access_token=accesstokenhere

What does this return in terms of data (sorry I currently have no test server to interrogate)?

Thanks.

lilalfyalien asked Aug 11 '16 09:08





1 Answer

The validate endpoint does not seem to work now. It used to return the access token. I am using Keycloak 2.5.1 now. As mentioned in the post by Matyas (and in the post referenced by him), I had to use the token introspection endpoint.

In my testing, Bearer authentication did not work. I had to use a Basic authentication header along with the base64-encoded client credentials:

// java.util.Base64 (Java 8+); substitute the real client id and secret for the placeholders
String credentials = Base64.getEncoder().encodeToString("<client_id>:<client_secret>".getBytes(StandardCharsets.UTF_8));

The response from the introspection endpoint is in JSON format, as shared in the post referenced by Matyas, and has many fields depending on the type of token being introspected. In my case token_type_hint was set to access_token:

requestParams = "token_type_hint=access_token&token=" + accessToken

The response included the required user details like username, roles and resource access. It also included the OAuth-mandated attributes like active, exp, iss, etc. See RFC 7662, page 6 (section 2.2, Introspection Response) for details.

mssuley answered Sep 26 '22 02:09

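The raw exchange the answer describes, written out as an added example (this is not code from the question, the answer or Keycloak itself). It builds the introspection POST with the Basic header and form body from the answer, then validates a response the way a practitioner should: only an `active: true` body may be trusted, and the Keycloak user ID is the `sub` field. The server URL `https://sso.example.com`, realm `demo`, client `myclient`/`s3cret`, the sample responses and the UUID in them are all constructed for the example. The endpoint path `<base>/realms/<realm>/protocol/openid-connect/token/introspect` is Keycloak's; on Keycloak versions before 17 (WildFly distribution) the base URL must also include the `/auth` prefix.

```python
"""Validate a Keycloak access token via RFC 7662 introspection and read the user ID.

Added example, not the page's own code. Hypothetical server, realm, client and
sample responses; see the comments marked "constructed".
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional


def introspection_url(base_url: str, realm: str) -> str:
    # Keycloak's RFC 7662 endpoint. Pre-17 Keycloak needs ".../auth" in base_url.
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token/introspect"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # Exactly what the answer's base64 line builds: "Basic " + base64(client_id:client_secret).
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_introspection_request(base_url: str, realm: str, client_id: str,
                                client_secret: str, token: str) -> urllib.request.Request:
    # The raw POST: form-encoded body, confidential-client credentials in a Basic header.
    body = urllib.parse.urlencode({"token_type_hint": "access_token", "token": token}).encode("ascii")
    return urllib.request.Request(
        introspection_url(base_url, realm),
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def introspect(base_url: str, realm: str, client_id: str, client_secret: str, token: str) -> dict:
    # Network call; only usable against a real Keycloak, so not exercised offline.
    req = build_introspection_request(base_url, realm, client_id, client_secret, token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def user_id_from_introspection(body: dict, expected_issuer: str, now: Optional[int] = None) -> Optional[str]:
    """Return the Keycloak user ID ("sub") if the token is usable, else None.

    "active" is the server's authoritative verdict; when it is false the other
    fields are absent and nothing else may be read. The issuer and expiry checks
    are defence in depth against a token minted by a different realm, or an
    introspection result that was cached past the token's lifetime.
    """
    if now is None:
        now = int(time.time())
    if body.get("active") is not True:
        return None
    if body.get("iss") != expected_issuer:
        return None
    exp = body.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    sub = body.get("sub")
    return sub if isinstance(sub, str) and sub else None


# Constructed sample responses in the shape Keycloak returns (values are made up).
SAMPLE_ACTIVE_RESPONSE = {
    "active": True,
    "exp": 1700000300,
    "iat": 1700000000,
    "iss": "https://sso.example.com/realms/demo",
    "sub": "9a1f3c2e-4b5d-4e6f-8a7b-0c1d2e3f4a5b",   # the Keycloak user ID
    "typ": "Bearer",
    "username": "alice",
    "preferred_username": "alice",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"myclient": {"roles": ["viewer"]}},
    "client_id": "myclient",
    "token_type": "Bearer",
    "scope": "openid profile email",
}
SAMPLE_INACTIVE_RESPONSE = {"active": False}   # revoked, expired or unknown token


if __name__ == "__main__":
    req = build_introspection_request("https://sso.example.com", "demo", "myclient", "s3cret",
                                      "access-token-from-third-party")
    print(req.get_method(), req.full_url)
    print(dict(req.header_items()))
    print(req.data)
    for body in (SAMPLE_ACTIVE_RESPONSE, SAMPLE_INACTIVE_RESPONSE):
        print(user_id_from_introspection(body, "https://sso.example.com/realms/demo", now=1700000100))
```

The same request from the command line, as the question asked for, is `curl -u myclient:s3cret -d token_type_hint=access_token -d token=<token> https://sso.example.com/realms/demo/protocol/openid-connect/token/introspect`; `-u` produces the Basic header and `-d` the form body shown above. Keep the client secret out of shell history and logs, and treat the introspection result as valid only for the moment it was returned: a token can be revoked at any time, so do not cache the `active` verdict for longer than the `exp` it carries.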