Keycloak adapter: accessToken.getAccessTokenHash() returns null

Hello keycloak community,

we have a setup with an Angular client and Spring Boot services in the backend. The Angular client uses a javascript adapter to authenticate the user, and the backend is sent an access token authenticating the user. This works fine. However, some backend services call other backend services using a bearer token and this was working with keycloak 14, but it no longer works with keycloak 20.0.1.

In the backend we’re using the spring keycloak adapter and we obtain the access token hash like this:

```java
final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication instanceof KeycloakAuthenticationToken) {
    final KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
    final KeycloakPrincipal<? extends KeycloakSecurityContext> keycloakPrincipal =
            (KeycloakPrincipal<? extends KeycloakSecurityContext>) token.getPrincipal();
    final AccessToken accessToken = keycloakPrincipal.getKeycloakSecurityContext().getToken();

    // Here's the problem: tokenHash is null here, this used to work with keycloak 14.0
    final String tokenHash = accessToken.getAccessTokenHash();
}
```

It seems the key “at_hash” has no value in the json. I think the problem might either be something that has changed in the javascript adapter (a new param that has to be set to include the hash to the json, but I could not find anything like this), or it’s something you have to configure in newer versions of keycloak, but I couldn’t find anything of that kind in the UI. Tried without success with keycloak 19.0.2 and 20.0.1.

Might be a bug in Keycloak but I really hope it’s not and all hints on how to solve it are appreciated :)

Kind regards,
Ralf

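A diagnostic for the symptom described in the post, as an added example that is not part of the original post and not Keycloak's own code: it decodes a token's payload to see whether an `at_hash` claim is present, and computes the value OpenID Connect Core defines for `at_hash` (base64url of the left-most half of the hash of the access token's ASCII form). Assumptions: the class name `AtHashCheck` is hypothetical, the sample token is constructed, and the signing algorithm is a SHA-256 one such as RS256.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AtHashCheck {
    // Simple claim lookup for a diagnostic; a real service would use a JSON parser.
    private static final Pattern AT_HASH = Pattern.compile("\"at_hash\"\\s*:\\s*\"([^\"]*)\"");

    /** Decodes the payload (second segment) of a compact JWT. Does NOT verify the signature. */
    static String payloadJson(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a compact JWT");
        }
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    /** Returns the at_hash claim if the payload carries one. */
    static Optional<String> atHashClaim(String jwt) {
        Matcher m = AT_HASH.matcher(payloadJson(jwt));
        return m.find() ? Optional.of(m.group(1)) : Optional.empty();
    }

    /** at_hash for SHA-256 based algs (assumed RS256): left 16 bytes of SHA-256(token), base64url. */
    static String computeAtHash(String accessToken) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(accessToken.getBytes(StandardCharsets.US_ASCII));
        byte[] leftHalf = Arrays.copyOf(digest, digest.length / 2);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(leftHalf);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample token with no at_hash claim; the signature segment is a dummy value.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString("{\"typ\":\"Bearer\",\"sub\":\"example-user\"}".getBytes(StandardCharsets.UTF_8));
        String accessToken = header + "." + payload + ".c2lnbmF0dXJl";

        System.out.println("payload: " + payloadJson(accessToken));
        System.out.println("at_hash claim present: " + atHashClaim(accessToken).isPresent());
        System.out.println("at_hash computed from token: " + computeAtHash(accessToken));
    }
}
```

Running it against a real token (passed in place of the constructed one) shows directly whether the `at_hash` key is in the JSON the adapter parsed.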