diff --git a/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java b/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java
index f1132af..8dbb01b 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java
@@ -50,27 +50,28 @@ public class AccessTokenIntrospectionProvider implements TokenIntrospectionProvi
try {
boolean valid = true;
- RSATokenVerifier verifier = RSATokenVerifier.create(token)
- .realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
+ AccessToken toIntrospect = null;
- PublicKey publicKey = session.keys().getPublicKey(realm, verifier.getHeader().getKeyId());
- if (publicKey == null) {
- valid = false;
- } else {
- try {
+ try {
+ RSATokenVerifier verifier = RSATokenVerifier.create(token)
+ .realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
+
+ PublicKey publicKey = session.keys().getPublicKey(realm, verifier.getHeader().getKeyId());
+ if (publicKey == null) {
+ valid = false;
+ } else {
verifier.publicKey(publicKey);
verifier.verify();
- } catch (VerificationException e) {
- valid = false;
+ toIntrospect = verifier.getToken();
}
+ } catch (VerificationException e) {
+ valid = false;
}
RealmModel realm = this.session.getContext().getRealm();
ObjectNode tokenMetadata;
- AccessToken toIntrospect = verifier.getToken();
-
- if (valid) {
+ if (valid && toIntrospect != null) {
valid = tokenManager.isTokenValid(session, realm, toIntrospect);
}
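Review bot: The new try/catch around `RSATokenVerifier.create(token)` and `verifier.getHeader()` (L16–L31) only converts a `VerificationException` into `active: false`; if header parsing of a garbage token can surface an unchecked exception (e.g. from base64 or JSON decoding), the endpoint would still fail with a server error rather than the inactive response the new test expects — worth confirming against `RSATokenVerifier.getHeader()`, and if so widening the catch to `catch (VerificationException | RuntimeException e)` at that one site. The catch also drops `e` silently; a parse or signature failure on the introspection endpoint is the kind of event a defender wants to see, so consider `logger.debugf("Token introspection failed: %s", e.getMessage());` (without the token itself) if the class has a logger, or a short comment stating that swallowing is deliberate. The guard `valid && toIntrospect != null` at L38 is redundant after the restructuring (every path that leaves `toIntrospect` null also sets `valid = false`), which is harmless but a comment such as `// toIntrospect is null whenever parsing or key lookup failed` would make the intent explicit. Note that `realm` at L18 resolves to a field while L33 declares a local of the same name; the enclosing method starts and ends outside this hunk.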
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
index 85bd77f..cae907e 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
@@ -189,6 +189,24 @@ public class TokenIntrospectionTest extends TestRealmKeycloakTest {
}
@Test
+ public void testUnsupportedToken() throws Exception {
+ oauth.doLogin("test-user@localhost", "password");
+ String inactiveAccessToken = "unsupported";
+ String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", inactiveAccessToken);
+ ObjectMapper objectMapper = new ObjectMapper();
+ JsonNode jsonNode = objectMapper.readTree(tokenResponse);
+
+ assertFalse(jsonNode.get("active").asBoolean());
+
+ TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class);
+
+ assertFalse(rep.isActive());
+ assertNull(rep.getUserName());
+ assertNull(rep.getClientId());
+ assertNull(rep.getSubject());
+ }
+
+ @Test
public void testIntrospectAccessToken() throws Exception {
oauth.doLogin("test-user@localhost", "password");
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
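Review bot: The local `inactiveAccessToken` at L50 holds the literal `"unsupported"`, which is a malformed token rather than an expired or revoked one, so the name misstates what the new test covers; `String malformedAccessToken = "unsupported";` would match the method name `testUnsupportedToken` and the assertion that follows. The `oauth.doLogin(...)` at L49 appears unused by this test, since the introspected value is a constant and the client credentials come from the call itself — if that is so, it can be dropped to keep the test focused on the parse-failure path. A one-line Javadoc such as `/** A token that is not a parseable JWT must yield active=false, not an error response. */` would record the regression this test guards.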