oauth-2.0 - 使用 Keycloak 刷新 token

Question

我在 [Keycloak][2] 中使用 [JWT 进行客户端身份验证][1]:

 POST /token.oauth2 HTTP/1.1
 Host: as.example.com
 Content-Type: application/x-www-form-urlencoded

 grant_type=authorization_code&
 code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo&
 client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
 client-assertion-type%3Ajwt-bearer&
 client_assertion=eyJhbGciOiJSUzI1NiJ9.
 eyJpc3Mi[...omitted for brevity...].
 cC4hiUPo[...omitted for brevity...]

我明白了:

assess_token
refresh_token
token_type
expires_in

当我尝试刷新 token 时，我发送 refresh_token 本身，授予类型 refresh_token 并获得:

    "error": "unauthorized_client",
    "error_description": "INVALID_CREDENTIALS: Invalid client credentials"
}```

when I specify `client_id` I get:

```{
    "error": "invalid_client",
    "error_description": "Parameter client_assertion_type is missing"
}```

If I specify `client_assertion_type` I get error that `client_assertion` itself is missing, so I literally have to provide parameters I provided when retrieved access token.

How that refreshing process actually should work?


  [1]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-12#section-2.2
  [2]: https://www.keycloak.org

Answer 1

这很可能是 Keycloak 定义的限制或策略。 RFC7523(用于客户端身份验证的 JWT)确实允许在存在 JWT 身份验证时启用客户端凭据。这是从 3.1. Authorization Grant Processing 中突出显示的

JWT authorization grants may be used with or without clientauthentication or identification. Whether or not clientauthentication is needed in conjunction with a JWT authorizationgrant, as well as the supported types of client authentication, arepolicy decisions at the discretion of the authorization server.However, if client credentials are present in the request, theauthorization server MUST validate them.

所以即使Keycloak support JWT client authentication ，它可能仍需要客户端凭据出现在刷新 token 请求中。但是，这也可能是他们的限制。

此外， token 刷新是通过RFC6749 - The OAuth 2.0 Authorization Framework定义的.根据它的 section 6 ，当客户端是 secret 客户端(只是使用 ID 和密码创建的客户端)时，刷新 token 请求必须包含客户端凭据。如果您看到的不是限制，那么猜测 Keycloak 遵守 RFC6749 并要求您在 token 刷新请求中发送客户端凭据。