Userinfo returning 401 UnAuthorized


KeyCloak User

Jul 21, 2023, 4:53:19 AM7/21/23
to Keycloak User
Hi

I am trying to call the userinfo endpoint in KeyCloak 21 using an access token and receiving 401.
Referred to this https://github.com/keycloak/keycloak/issues/16844 and https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes, tried to pass scope=openid in the token request, still no luck :(

Any help would be appreciated!

Access token call:
POST https://{{url}}/realms/{{realm name}}/protocol/openid-connect/token
parameters passed: client_id, client_secret, grant_type, scope

Userinfo call: GET https://{{url}}/realms/{{realm name}}/protocol/openid-connect/userinfo
Header Authorization: Bearer {{access_token}}

Thanks in advance :)


Gilles ETCHEPAREBORDE

Jul 21, 2023, 7:54:17 AM7/21/23
to KeyCloak User, Keycloak User
Hello,

In case it would be of any help: do you ask for the "openid" scope in your authentication flow?

Since KC 20, this scope is required; see comments here:
https://github.com/keycloak/keycloak/issues/16844


Regards,

Gilles ETCHEPAREBORDE


Gilles ETCHEPAREBORDE

Jul 21, 2023, 10:38:17 AM7/21/23
to KeyCloak User, Keycloak User
Sorry, I did not read the entire post.
My bad.

Gilles ETCHEPAREBORDE

Jul 21, 2023, 11:18:23 AM7/21/23
to KeyCloak User, Keycloak User
Hello (bis),


2 - What is the grant_type used in your access token call?

When I read that only two calls are made, I assume that the grant_type is "client_credentials":
- one to the token endpoint (with no code, nor username/password)
- one to the userinfo endpoint with the retrieved accessToken

If you are in a client_credentials flow, the provided accessToken represents the app (clientid/clientsecret) but no real user (check the sub claim in the access token).
=> with no real user in the access token, the userinfo endpoint cannot return info.

Regards,

Gilles ETCHEPAREBORDE


KeyCloak User

Jul 24, 2023, 9:30:34 AM7/24/23
to Keycloak User
Hi

Thanks for the response.

Hope this log can help. This is the only log I am finding in keycloak.log:
WARN  [org.keycloak.events] (executor-thread-66) type=USER_INFO_REQUEST_ERROR, realmId=d4310d0d-d58b-40de-a6c5-f5b211291b73, clientId=null, userId=null, ipAddress=121.241.202.136, error=invalid_token, auth_method=validate_access_token

The application we are using is built on ReactJS. We are using the oidc-client-ts library to connect to Keycloak. What I noticed is that it is able to get the access token by establishing a connection, but when userinfo is called, I am getting 401.

I agree that grant_type client_credentials will not work for userinfo if it's not an actual user. But if I am passing a username in the token POST method which is created for the realm, will it still not work?

curl --location 'https://{{keycloak url}}/realms/{{realm name}}/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username={{user created in the realm}}' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<KEYCLOAK_CLIENT_ID>' \
--data-urlencode 'client_secret=<KEYCLOAK_CLIENT_SECRET>' \
--data-urlencode 'scope=openid'

Regards,
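To check the two causes raised in this thread (no openid scope in the token, and a client_credentials token that carries the service account rather than a real user) before calling userinfo, here is an added example that is not part of the original posts. It decodes the access token's claims locally on constructed sample tokens; the service-account-<client_id> username is Keycloak's convention for client_credentials tokens, and no signature verification is performed because this is a client-side diagnostic only, not a replacement for Keycloak's own validation.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT for local testing only (not a real Keycloak token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.constructed-signature"


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def userinfo_preflight(token: str) -> list[str]:
    """Return the reasons the thread gives for a userinfo 401; an empty list means none apply."""
    claims = decode_claims(token)
    problems = []
    if "openid" not in claims.get("scope", "").split():
        problems.append("token issued without the 'openid' scope (required since Keycloak 20)")
    if not claims.get("sub"):
        problems.append("token has no 'sub' claim, so there is no user to return info about")
    # Keycloak convention: client_credentials tokens belong to the client's service-account
    # user, named service-account-<client_id>; such a token represents the app, not a person.
    username = claims.get("preferred_username", "")
    if username.startswith("service-account-"):
        problems.append(f"token belongs to '{username}', i.e. the client itself, not an end user")
    return problems


# Constructed sample tokens (sub values and client name are made up for the example).
USER_TOKEN = make_sample_jwt({"sub": "00000000-0000-4000-8000-000000000001",
                              "scope": "openid profile email", "preferred_username": "alice",
                              "azp": "my-app"})
CLIENT_CREDENTIALS_TOKEN = make_sample_jwt({"sub": "00000000-0000-4000-8000-000000000002",
                                            "scope": "openid", "azp": "my-app",
                                            "preferred_username": "service-account-my-app"})
NO_OPENID_TOKEN = make_sample_jwt({"sub": "00000000-0000-4000-8000-000000000001",
                                   "scope": "profile email", "preferred_username": "alice"})

if __name__ == "__main__":
    for name, tok in [("user", USER_TOKEN), ("client_credentials", CLIENT_CREDENTIALS_TOKEN),
                      ("no openid", NO_OPENID_TOKEN)]:
        print(name, "->", userinfo_preflight(tok) or "looks usable for userinfo")
```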