clients-registrations/default GET endpoint does not rotate Registration Access Token as documented #45738

@VithurshanS

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

docs

Describe the bug

According to the Keycloak Client Registration documentation for the default provider, performing a GET request to retrieve the Client Representation should return a new Registration Access Token (RAT).

Documentation quote: "To retrieve the Client Representation perform an HTTP GET request to ... It will also return a new registration access token." https://github.com/keycloak/keycloak/blob/main/docs/guides/securing-apps/client-registration.adoc, line [102]

However, in practice, performing a GET request using a valid RAT returns the same RAT in the response body. The token is not rotated. This contradicts the documentation and potentially weakens security if rotation is expected by the client.

Rotation does appear to work correctly on PUT (update) requests, but fails/is skipped on GET requests.

Version

26.5.2

Regression

  • The issue is a regression

Expected behavior

Documentation quote should be: "To retrieve the Client Representation perform an HTTP GET request to ... It will return the same registration access token."

Actual behavior

Documentation quote: "To retrieve the Client Representation perform an HTTP GET request to ... It will also return a new registration access token."

How to Reproduce?

  1. Create a new client using the default provider to obtain an initial Registration Access Token. (Replace <EXISTING_TOKEN> with an Admin Bearer Token or Initial Access Token)

     curl -X POST http://localhost:8080/realms/Test/clients-registrations/default \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer <EXISTING_TOKEN>" \
       -d '{ "clientId": "repro-client" }'

     Copy the registrationAccessToken from the JSON response (let's call this TOKEN_A).

  2. Perform a GET request to retrieve the client configuration, using TOKEN_A for authorization.

     curl -X GET http://localhost:8080/realms/Test/clients-registrations/default/repro-client \
       -H "Authorization: Bearer <TOKEN_A>"

     Inspect the JSON response body. Look at the registrationAccessToken field (let's call this TOKEN_B).

  3. Compare the tokens. Observe that TOKEN_A (sent in header) is identical to TOKEN_B (received in body).

Anything else?

https://github.com/keycloak/keycloak/blob/main/docs/guides/securing-apps/client-registration.adoc, line [102]
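The token comparison from the reproduction steps, as an added example that is not part of the issue or of Keycloak's own code: a client-side check that compares the RAT it sent with the RAT returned in the response body, both as raw strings and by the JWT `jti` claim, so a client can detect non-rotation before relying on it. The helper names and the unsigned demo tokens are constructed for this example.

```python
"""Detect whether a Keycloak registration access token (RAT) was rotated."""
import base64
import json
from typing import Optional


def _jwt_claims(token: str) -> Optional[dict]:
    """Decode the payload of a compact JWT without verifying the signature.

    Verification is the server's job; the client only needs the claims to
    see whether a fresh token id (`jti`) was issued with the response.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None


def rat_rotated(sent: str, returned: str) -> dict:
    """Compare the RAT sent in the Authorization header with the one returned.

    same_string -- the response echoed exactly the token that was sent
    jti_changed -- True/False from the `jti` claims, None if not decodable
    rotated     -- verdict: a different token, and not the same jti
    """
    a, b = _jwt_claims(sent), _jwt_claims(returned)
    jti_changed = None
    if a is not None and b is not None and "jti" in a and "jti" in b:
        jti_changed = a["jti"] != b["jti"]
    same = sent == returned
    return {"same_string": same, "jti_changed": jti_changed,
            "rotated": (not same) and jti_changed is not False}


def _fake_rat(jti: str) -> str:
    """Build an unsigned, constructed RAT-shaped JWT for the offline demo."""
    def b64(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{b64({"alg": "none"})}.{b64({"jti": jti, "typ": "RegistrationAccessToken"})}.'


if __name__ == "__main__":
    token_a = _fake_rat("11111111-aaaa")
    print("GET echoing TOKEN_A:", rat_rotated(token_a, token_a))
    print("PUT issuing a new RAT:", rat_rotated(token_a, _fake_rat("22222222-bbbb")))
```

Against a live server, feed `rat_rotated` the `registrationAccessToken` field from the create response and from the GET response; a `same_string` of True is the behaviour this issue reports.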
