Closed
Labels: area/authorization-services (Indicates an issue on Authorization area), kind/bug (Categorizes a PR related to a bug), priority/important (Must be worked on very soon), release/26.3.0, team/core-iam
Description
Area
authorization-services
Describe the bug
In our backend service, we use the "access token" we received from the app-client to make an authorization request and then call introspection. The app-client is using an offline_token to request the access_token from Keycloak.
Before 26.2.0 it worked well and we got the introspection response with the permissions and the active=true flag.
After the upgrade, we get an introspection response with no permissions added and active=false.
On Keycloak, we see the following error:
2025-05-09 15:25:23,035 WARN [org.keycloak.events] (executor-thread-8) type="INTROSPECT_TOKEN_ERROR", realmId="local-test", realmName="local-test", clientId="xxx-authz", userId="null", sessionId="7143335c-b32e-4524-a59c-4f6d56f4a7be", ipAddress="172.17.0.1", error="user_session_not_found", reason="Introspection access token for xxx-api client: user_session_not_found", token_issued_for="xxx-api", token_id="onrtna:ff529020-872d-40b8-8647-fed5b8ccd222", token_type="Bearer", client_auth_method="client-secret"
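As an added example (not code from the issue or from the Keycloak project), a small Python detector that parses org.keycloak.events log lines into their key="value" fields and flags the INTROSPECT_TOKEN_ERROR / user_session_not_found events described above, so an operator can spot this failure mode in the server log after an upgrade. The sample lines are constructed; the first copies the event quoted in this issue, the others are unrelated lines that must not match.

```python
import re
from typing import Dict, List

# org.keycloak.events lines carry key="value" pairs after the logger/thread prefix;
# this picks each pair out of one line (values may contain spaces and colons).
_KV = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_keycloak_event(line: str) -> Dict[str, str]:
    """Parse one org.keycloak.events log line into a dict of its fields.

    Lines from other loggers (e.g. the application's own log) yield an empty dict.
    """
    if "[org.keycloak.events]" not in line:
        return {}
    return {key: value for key, value in _KV.findall(line)}


def find_offline_introspection_failures(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events matching the failure mode in this issue: an
    INTROSPECT_TOKEN_ERROR whose error is user_session_not_found.

    Other introspection errors (e.g. invalid_token) are deliberately excluded so
    that an alert on this list points at the session-lookup failure specifically.
    """
    hits = []
    for line in lines:
        event = parse_keycloak_event(line)
        if (event.get("type") == "INTROSPECT_TOKEN_ERROR"
                and event.get("error") == "user_session_not_found"):
            hits.append(event)
    return hits


# Constructed sample log: line 1 mirrors the event quoted in the issue.
SAMPLE_LOG = [
    '2025-05-09 15:25:23,035 WARN [org.keycloak.events] (executor-thread-8) type="INTROSPECT_TOKEN_ERROR", realmId="local-test", realmName="local-test", clientId="xxx-authz", userId="null", sessionId="7143335c-b32e-4524-a59c-4f6d56f4a7be", ipAddress="172.17.0.1", error="user_session_not_found", reason="Introspection access token for xxx-api client: user_session_not_found", token_issued_for="xxx-api", token_id="onrtna:ff529020-872d-40b8-8647-fed5b8ccd222", token_type="Bearer", client_auth_method="client-secret"',
    '2025-05-09 15:25:30,001 WARN [org.keycloak.events] (executor-thread-3) type="INTROSPECT_TOKEN_ERROR", realmId="local-test", clientId="xxx-authz", error="invalid_token", reason="Token verification failed"',
    '2025-05-09 15:25:31,002 INFO [com.AuthzRoomGroupService] (executor-thread-2) [local-test] Token Introspection Response [ active:false, permissions:null ]',
]

if __name__ == "__main__":
    for event in find_offline_introspection_failures(SAMPLE_LOG):
        print(event["realmName"], event["clientId"], event["token_issued_for"], event["token_id"])
```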
The code we use is similar to that:
import java.util.Optional;

import org.apache.commons.codec.binary.Base64;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class AuthzRoomGroupService {
    private static final Logger log = LoggerFactory.getLogger(AuthzRoomGroupService.class);
    // Fields assumed from the surrounding service (not shown in the original snippet):
    // the caller's access token (MicroProfile JWT) and a configured Keycloak AuthzClient.
    private JsonWebToken accessToken;
    private AuthzClient authzClient;

    private Optional<TokenIntrospectionResponse> getTokenIntrospectionResponse() {
        try {
            log.info("AccessToken ID: {}", accessToken.getTokenID());
            // exchange the caller's access token for an RPT via the authorization endpoint
            AuthorizationResponse authzResponse =
                    authzClient.authorization(accessToken.getRawToken()).authorize(new AuthorizationRequest());
            String authzResponseToken = authzResponse.getToken();
            // just logging the token id (the payload is the second segment of the JWT)
            var claims = JwtClaims.parse(
                    new String(Base64.decodeBase64(authzResponseToken.split("\\.")[1])));
            log.info("Authz Response Token ID: {}", claims.getJwtId());
            // introspect the token
            TokenIntrospectionResponse tokenIntrospectionResponse =
                    authzClient.protection().introspectRequestingPartyToken(authzResponseToken);
            log.info(
                    "Token Introspection Response [ active:{}, permissions:{} ]",
                    tokenIntrospectionResponse.getActive(),
                    tokenIntrospectionResponse.getPermissions());
            return Optional.of(tokenIntrospectionResponse);
        } catch (AuthorizationDeniedException | InvalidJwtException | MalformedClaimException e) {
            // keycloak responds with 403 if the user has no permissions (e.g. if no room groups exist yet)
            log.info("No authorized resources available for {}.", accessToken.getName());
            return Optional.empty();
        }
    }
}
Which produces the output:
2025-05-09 17:27:23,046 INFO [com.AuthzRoomGroupService] (executor-thread-2) [local-test] AccessToken ID: ofrtrt:e2529677-99b9-45b7-a5d9-a0e6ff6b9c78
2025-05-09 17:27:23,060 INFO [com.AuthzRoomGroupService] (executor-thread-2) [local-test] Authz Response Token ID: onrtna:979c14b9-5318-4aa4-aa0f-2ad0948edfda
2025-05-09 17:27:23,064 INFO [com.AuthzRoomGroupService] (executor-thread-2) [local-test] Token Introspection Response [ active:false, permissions:null ]
Version
26.2.4
Regression
- The issue is a regression
Expected behavior
When calling the code above, we would like to get a response that has active=true and all the permissions attached that the user has.
Actual behavior
We get empty permissions and active=false.
How to Reproduce?
- Get an access token requested with an offline_token
- Over an authorization client, request the authorization response and call introspectRequestingPartyToken
- This will lead to the error in Keycloak and a response with a null permission list