Keycloak cannot verify user information with a valid token

I'm setting up Keycloak as an authentication server https://github.com/keycloak/keycloak/releases/download/12.0.0/keycloak-12.0.0.zip

Java 11

Documentation: https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/oidc-generic.adoc

I can generate the access_token via /realms/{realm-name}/protocol/openid-connect/token

but I cannot call the userinfo endpoint /realms/{realm-name}/protocol/openid-connect/userinfo using a valid access_token which I get from the first API.

POST http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token

 {
     client_secret: ...,
     grant_type: ...,
     client_id: ...,
 }

response

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOE...",
    "expires_in": 3600,
    "refresh_expires_in": 0,
    "token_type": "Bearer",
    "not-before-policy": 0,
    "scope": "create"
}

But here is the result when I call the get user info API

GET http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/userinfo
Header: Authorization: Bearer ${access_token}

Are there any suggestions?

Thank you

Postman test

Keycloak server's log is the same.

Keycloak bug: I think this is an issue on KC 12.0. When I use KC 11.0.3, the above APIs work fine. https://github.com/keycloak/keycloak-community/issues/224

The Jira story:

https://issues.redhat.com/browse/KEYCLOAK-17217

654 likes
Toàn Nguyễn Hải asked Oct 29 '25 04:10


1 Answer

Make sure you are calling the endpoint as follows.

First getting the token:

curl -d "client_id=$YOUR_CLIENT_ID" \
     -d "client_secret=$YOUR_CLIENT_SECRET" \
     -d "grant_type=client_credentials" \
     http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token

Extract from the JSON response the access_token field (e.g., jq -r .access_token)

Then call the userinfo as follows:

curl -X GET http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/userinfo \
                -H "Content-Type: application/json" \
                -H "Authorization: Bearer $ACCESS_TOKEN"

With Postman:

For a setup with Realm Name = "test", client_id = "test", client_secret = "63b61af0-5a99-41d7-8f9b-4e3059b8b9ab" and using client_credentials grant_type.

Getting the token:


and getting the userinfo:


EDIT

The approach below works with Keycloak 10.0.x, and 11.0.x, but gets exactly the same issues as OP's for the version Keycloak 12.0.x (including the latest release Keycloak 12.0.2).

This seems to be a regression added with Keycloak 12.0.0; follow this issue for updated information.

50 likes
dreamcrash answered Nov 01 '25 11:11
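The two-step flow in the answer (client_credentials token, then userinfo with the bearer token), as an added example that is not part of the question or the answer. It uses only the standard library, points at the same local Keycloak URL as the question, and the client id and secret are placeholders. Besides making the two calls, it decodes the token's claims locally (without signature verification, for inspection only) and reports the things that commonly explain a rejected userinfo call: issuer mismatch, expiry, and a token issued without the `openid` scope, which OIDC requires for the userinfo endpoint (the question's token response shows `"scope": "create"` only). On a 401 it also surfaces the `WWW-Authenticate` header, which RFC 6750 says should name the bearer-token error.

```python
"""Obtain a Keycloak access token via client_credentials, inspect its
claims, and call the userinfo endpoint. Added example; not code from the
original question, the answer, or the Keycloak project."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed local Keycloak 12 as in the question; client values are placeholders.
KEYCLOAK_BASE = "http://127.0.0.1:8080/auth"
REALM = "test"
CLIENT_ID = "test"
CLIENT_SECRET = "REPLACE_WITH_CLIENT_SECRET"  # placeholder, never commit a real one


def realm_url(base, realm):
    # Keycloak issues tokens with iss equal to this realm URL.
    return f"{base}/realms/{realm}"


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Parse the JWT payload WITHOUT verifying the signature.
    Only for local troubleshooting; never use this to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_test_token(claims):
    """Build a constructed, unsigned JWT (alg=none) for offline tests only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_token_for_userinfo(claims, expected_issuer, now=None):
    """Return human-readable findings that commonly explain a userinfo
    rejection: issuer mismatch, expired token, or no 'openid' scope."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("iss") != expected_issuer:
        findings.append(f"issuer mismatch: iss={claims.get('iss')!r}, expected {expected_issuer!r}")
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        findings.append(f"token expired at {exp} (now {int(now)})")
    scopes = str(claims.get("scope", "")).split()
    if "openid" not in scopes:
        findings.append(f"scope {scopes} lacks 'openid'; OIDC userinfo expects a token issued with the openid scope")
    return findings


def get_token(base, realm, client_id, client_secret):
    """POST the client_credentials grant and return the parsed token response."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(f"{realm_url(base, realm)}/protocol/openid-connect/token",
                                 data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_userinfo(base, realm, access_token):
    """GET userinfo with the bearer token. Returns (status, body, www_authenticate)."""
    req = urllib.request.Request(f"{realm_url(base, realm)}/protocol/openid-connect/userinfo",
                                 headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp), None
    except urllib.error.HTTPError as err:
        # RFC 6750: a rejected bearer token should carry a WWW-Authenticate
        # header naming the error (invalid_token, insufficient_scope, ...).
        return err.code, None, err.headers.get("WWW-Authenticate")


if __name__ == "__main__":
    tok = get_token(KEYCLOAK_BASE, REALM, CLIENT_ID, CLIENT_SECRET)
    claims = decode_jwt_claims(tok["access_token"])
    for finding in check_token_for_userinfo(claims, realm_url(KEYCLOAK_BASE, REALM)):
        print("finding:", finding)
    status, body, challenge = get_userinfo(KEYCLOAK_BASE, REALM, tok["access_token"])
    print("userinfo status:", status, "body:", body, "WWW-Authenticate:", challenge)
```

Run it against a local Keycloak after filling in the client secret; the findings printed before the userinfo call tell you whether the token itself looks usable for userinfo before you chase the server-side regression the answer links to.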