Thanks JorenC. I was finally able to make this work.
Capturing the RSA was not working due to RSA-DHE, but I found another way using the request logger in the Keycloak server: https://mirocupak.com/logging-requests-with-undertow/
And it seems that the F5 introspect request is not working as expected in v15.1, because using the Keycloak scope request posted above the result was:
2020-03-09 13:06:30,504 INFO [io.undertow.request.dump] (default task-15)
----------------------------REQUEST---------------------------
URI=/auth/realms/master/protocol/openid-connect/token/introspect
characterEncoding=null
contentLength=1666
contentType=[application/x-www-form-urlencoded]
header=Proxy-Connection=Keep-Alive
header=Accept=*/*
header=User-Agent=F5 OAuth Client
header=Authorization=Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ5bzhwdzhZcHJ1UG96QzVuX0cyVHZVSVbOzSDkNlPyDi5A
header=oauth_dns_resolver_name=/Common/172.xx.xx.xx
header=oauth_serverssl_name=/Common/keycloak-publicssl
header=Expect=100-continue
header=Content-Type=application/x-www-form-urlencoded
header=Content-Length=1666
header=Host=keycloak.xxxxx.lu:8443
locale=[]
method=POST
protocol=HTTP/1.1
queryString=
remoteAddr=/172.xx.xx.xx:17741
remoteHost=172.xx.xx.xx
scheme=https
host=keycloak.xxxxx.lu:8443
serverPort=8443
isSecure=true
body=
%{session.oauth.client.last.access_token}=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ5bzhwdzhZcHJ1UG96QzVuX0cyVHZVSVbOzSDkNlPyDi5A
token_type_hint=access_token
--------------------------RESPONSE--------------------------
contentLength=72
contentType=application/json
header=Connection=keep-alive
header=Content-Type=application/json
header=Content-Length=72
header=Date=Mon, 09 Mar 2020 12:06:30 GMT
status=401
And we see now that the F5:
sends %{session.oauth.client.last.access_token} in place of the token
fails to send the client-id and client-secret parameters in the body
sends too much useless info to Keycloak, like the DNS resolver IP, backend server IP, SSL profile...
So I rebuilt the request using only custom fields, even for those set by default like token, client-id...:
and now it works! 🙂
I did the same for the userinfo request as well.
----------------------------REQUEST---------------------------
URI=/auth/realms/master/protocol/openid-connect/token/introspect
characterEncoding=null
contentLength=1699
contentType=[application/x-www-form-urlencoded]
header=Proxy-Connection=Keep-Alive
header=Accept=*/*
header=User-Agent=F5 OAuth Client
header=Authorization=Bearer hVhS2-trG8FsmeRyThTJ7zMGspLxZFGxV9kYjo
header=oauth_dns_resolver_name=/Common/172.xxx.xx.xx
header=oauth_serverssl_name=/Common/keycloak-publicssl
header=Expect=100-continue
header=Content-Length=1699
header=Content-Type=application/x-www-form-urlencoded
header=Host=keycloak.xxxxx.lu:8443
locale=[]
method=POST
protocol=HTTP/1.1
queryString=
remoteAddr=/172.xx.xx.xx:47015
remoteHost=172.xx.xx.xx
scheme=https
host=keycloak.xxxxx.lu:8443
serverPort=8443
isSecure=true
body=
client_id=F5-APM-Client
client_secret=db51def3-xxxx-xxxx-xxxx-xxxxx
token=hVhS2-trG8FsmeRyThTJ7zMGspLxZFGxV9kYjo
token_type_hint=access_token
--------------------------RESPONSE--------------------------
contentLength=913
contentType=application/json
header=Connection=keep-alive
header=Content-Type=application/json
header=Content-Length=913
header=Date=Mon, 09 Mar 2020 13:33:59 GMT
status=200
==============================================================
Using the F5 as a Client and Resource Server for the Keycloak IDP is also working using the F5 request without modification:
So I can confirm that another workaround for the issuer port problem you encountered is to publish your Keycloak on a non-standard port.
Thanks for your help; I will write a complete configuration guide when I have time available.
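The two defects visible in the captured introspection bodies above (an unexpanded session variable used as the parameter name, and no client credentials, which is why Keycloak answered 401) can be checked mechanically against RFC 7662. The following is an added example, not F5 or Keycloak code and not part of the original post: it builds a well-formed introspection request and runs a small checker over constructed bodies that mirror the shape of the broken and fixed requests. The tokens and secret are placeholders, and the assumption that client credentials travel in the body (rather than an HTTP Basic header) matches the rebuilt request shown above.

```python
"""Build and check RFC 7662 token-introspection request bodies.

Added example; not F5 or Keycloak code. Sample bodies are constructed
with placeholder values, shaped like the captured requests in the thread.
"""
from urllib.parse import parse_qsl, urlencode

# Constructed: the default F5 APM body, with the session variable left
# unexpanded as the parameter name and no client credentials at all.
BROKEN_BODY = (
    "%{session.oauth.client.last.access_token}=eyJhbGciOiJSUzI1NiJ9.placeholder"
    "&token_type_hint=access_token"
)

# Constructed: the rebuilt body with every field supplied explicitly.
FIXED_BODY = (
    "client_id=F5-APM-Client"
    "&client_secret=db51def3-0000-0000-0000-000000000000"
    "&token=hVhS2-placeholder"
    "&token_type_hint=access_token"
)


def check_introspection_body(body: str, has_basic_auth: bool = False) -> list:
    """Return the problems found in a form-encoded introspection body.

    RFC 7662 section 2.1: 'token' is required, 'token_type_hint' is
    optional, and the request must be authenticated. Keycloak accepts
    client_id/client_secret in the body or HTTP Basic; if neither is
    present the endpoint answers 401, as seen in the first capture.
    """
    params = dict(parse_qsl(body, keep_blank_values=True))
    problems = []
    for key in params:
        # An unexpanded "%{...}" means the template variable was never
        # substituted, so the token is sent as a parameter *name*.
        if key.startswith("%{") and key.endswith("}"):
            problems.append(f"unexpanded session variable used as parameter name: {key}")
    if "token" not in params:
        problems.append("missing required 'token' parameter")
    if not has_basic_auth:
        for required in ("client_id", "client_secret"):
            if required not in params:
                problems.append(f"missing client credential '{required}' (no HTTP Basic auth either)")
    hint = params.get("token_type_hint")
    if hint is not None and hint not in ("access_token", "refresh_token"):
        problems.append(f"unknown token_type_hint: {hint}")
    return problems


def build_introspection_request(token: str, client_id: str, client_secret: str,
                                hint: str = "access_token"):
    """Return (headers, body) for a POST to .../protocol/openid-connect/token/introspect.

    Credentials go in the body, as in the rebuilt F5 request; the caller
    supplies the URL and sends it over TLS.
    """
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "token": token,
        "token_type_hint": hint,
    })
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return headers, body


if __name__ == "__main__":
    for name, body in (("broken", BROKEN_BODY), ("fixed", FIXED_BODY)):
        print(name, check_introspection_body(body) or "OK")
    hdrs, built = build_introspection_request("hVhS2-placeholder", "F5-APM-Client", "secret")
    print("built", check_introspection_body(built) or "OK")
```

Run it against your own Undertow request dump by pasting the `body=` lines into `check_introspection_body`; a non-empty list explains a 401 before you look at the Keycloak side.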