Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
docs
Describe the bug
Hi,
Reading server_admin_23.0 and server_admin_24.0, I found this mention: "Currently, Keycloak client adapters do not support DPoP holder-of-key token verification. Keycloak adapters treat access and refresh tokens as bearer tokens." But in server_admin_25.0 this mention has disappeared. So I concluded that the adapter started to support DPoP and that I could use this feature straight away.
I started to test this out: I spun up Keycloak with -features=dpop enabled, created a public client, activated the "OAuth 2.0 DPoP Bound Access Tokens Enabled" toggle and tried it out, but all I could get was: {"error":"invalid_dpop_proof","error_description":"DPoP proof is missing"}.
Maybe I got it wrong in assuming that everything would work under the hood, such as generating key pairs (private/public), signing the JWT with the private key and sending all the needed info to the Authorization Server (Keycloak), but it is not working this way, and I couldn't get any info from the updated server_admin_25.0 despite the fact that the adapter now supports it (indirectly). Can you tell me what I missed? How can I implement this feature using the Keycloak TS adapter?
Version
25.0.1
Regression
- The issue is a regression
Expected behavior
DPoP works with the TS Adapter right away.
Actual behavior
Getting the {"error":"invalid_dpop_proof","error_description":"DPoP proof is missing"} message.
How to Reproduce?
Install Keycloak 25.0.1, enable the dpop feature, and try to use the Keycloak TS Adapter with it.
Anything else?
No response