UserInfo endpoint returns 401 on GET request, but works fine with POST #29060

anlesk · 2024-04-24T15:23:22Z

anlesk
Apr 24, 2024

The setup

Keycloak v21.1.2 running via k8s operator.
Keycloak is running behind Istio and CloudFront.

openid client scope is created and added to client.

The prerequisites

Getting the token first:
POST https://{{baseURL}}/auth/realms/{{realm}}/protocol/openid-connect/token
body:

grant_type: "password"
username: "{{user}}"
password: "{{password}}"
client_id: "{{client}}"
client_secret: "{{client-secret}}"

Works great, getting access_token from the response.
Verifying the token:
POST https://{{baseURL}}/auth/realms/{{realm}}/protocol/openid-connect/token/introspect

token: "{{access_token}}"
client_id: "{{client}}"
client_secret: "{{client-secret}}"

Getting the response, all good by now.
Verifying that the response does have openid scope provided:

...
    "scope": "email openid profile",
...

The problem

GET https://{{baseURL}}/auth/realms/{{realm}}/protocol/openid-connect/userinfo
Headers:
"Authorization: Bearer {{access_token}}"

Returns 401 and I can see this in the Keycloak logs:
type=USER_INFO_REQUEST_ERROR, realmId={{realm}}, clientId=null, userId=null, ipAddress={{ip}}, error=invalid_token, auth_method=validate_access_token

However, if i try to to do POST instead, it works fine, giving me userinfo back
POST https://{{baseURL}}/auth/realms/{{realm}}/protocol/openid-connect/userinfo
Headers:
"Authorization: Bearer {{access_token}}"

Response: 200 and user info payload.

Any ideas what is wrong with the setup?

Answered by justin-tay

Apr 26, 2024

Actually given that you are getting a 401 and not 403 I somewhat suspect that when you are making the GET request you aren't actually sending the Authorization header with the token. Can you elaborate or show the codes how you are actually making the call? You might have set the header in the wrong variable for instance.

View full answer

justin-tay · 2024-04-26T08:09:23Z

justin-tay
Apr 26, 2024

Actually given that you are getting a 401 and not 403 I somewhat suspect that when you are making the GET request you aren't actually sending the Authorization header with the token. Can you elaborate or show the codes how you are actually making the call? You might have set the header in the wrong variable for instance.

1 reply

anlesk Apr 26, 2024
Author

@justin-tay, thank you for the idea.

My keycloak is behind CloudFront, and after you pointed out missing Authorzation header, I went to check if this header is actually allowed within my setup. And it appears it didn't.
After adding it to the whitelist, /userinfo started to work correctly.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

UserInfo endpoint returns 401 on GET request, but works fine with POST #29060

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

UserInfo endpoint returns 401 on GET request, but works fine with POST #29060

anlesk Apr 24, 2024

The setup

The prerequisites

The problem

Replies: 1 comment · 1 reply

justin-tay Apr 26, 2024

anlesk Apr 26, 2024 Author

anlesk
Apr 24, 2024

Replies: 1 comment 1 reply

justin-tay
Apr 26, 2024

anlesk Apr 26, 2024
Author