Im using KeyCloak Rest API and retrieving the token as below.
var result = await url
.PostUrlEncodedAsync(new List<KeyValuePair<string, string>>
new KeyValuePair<string, string>(“grant_type”, “password”),
new KeyValuePair<string, string>(“username”, userName),
new KeyValuePair<string, string>(“password”, password),
new KeyValuePair<string, string>(“client_id”, “admin-cli”)
But when i use the same token for retrieving the userinfo using the below endpoint it says ‘Invalid token’.
I would expect that you use the client secret when picking up the token
Is that mandatory to have the client secret. If so what is this token which is generated without the client secret?
If you read the token value, are you sure it is still valid (not expired )?
Ensure you have direct grant access enabled, i hope you would have done it
Except bearer only , in both confidential and public, you dont have to supply client secret for getting the user info
For confidential alone you have to pass client secret for taking token in password-grant.
If you see the following response on userinfo call
"error_description": "Token verification failed"
Following cases may happened
- Token may be expired (90% this could be the reason) , try to increase the validity of token and try again, you can do that under Realm Settings > Tokens > Access token lifespan
- Copy paste issue to userinfo api call