[keycloak-dev] Token validator endpoint (for humans)

Stian Thorgersen sthorger at redhat.com
Thu Apr 5 12:31:00 EDT 2018


One important thing I can think of is if we add support for JWEs we need to
make sure this thing doesn't return token details.

On Thu, 5 Apr 2018, 17:09 Pedro Igor Silva, <psilva at redhat.com> wrote:

> Nope :)
>
> On Thu, Apr 5, 2018 at 12:03 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> I can see it being helpful in production for debugging purposes. It may
>> also be helpful for application developers that are trying to figure out
>> what's going on in their apps.
>>
>> Do you have any actual concerns about it being exposed rather than just
>> because it's more stuff to expose ;)
>>
>> On 5 April 2018 at 16:58, Pedro Igor Silva <psilva at redhat.com> wrote:
>>
>>> To avoid additional endpoints that are not really part of the core
>>> functionality. For demo and testing this is very helpful but in production
>>> you don't want the server serving such requests and consuming resources.
>>>
>>> Treating it as a "feature" seems more reasonable to me instead of always having
>>> it available.
>>>
>>> On Thu, Apr 5, 2018 at 11:47 AM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> Just to add - we can easily make it a feature that can be
>>>> enabled/disabled through the profile stuff, but I was just curious as to why you
>>>> thought it would be needed to disable it.
>>>>
>>>> On 5 April 2018 at 16:45, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>
>>>>> Why?
>>>>>
>>>>> On 5 April 2018 at 16:23, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>>>
>>>>>> Although very helpful, people may want to disable this when in
>>>>>> production.
>>>>>>
>>>>>> On Thu, Apr 5, 2018 at 9:04 AM, Stian Thorgersen <sthorger at redhat.com
>>>>>> > wrote:
>>>>>>
>>>>>>> I added an example token validator endpoint that I needed for some
>>>>>>> demonstration purposes. Question: would this be useful to add directly to
>>>>>>> Keycloak?
>>>>>>>
>>>>>>> It provides a simple form where you can paste in the base64 token. It will
>>>>>>> then output the header, claims and whether or not the token is valid. It
>>>>>>> uses realm keys to verify the signature so you don't have to paste that in
>>>>>>> manually (like you do on jwt.io).
>>>>>>>
>>>>>>> For those too lazy to try it out I've attached a screenshot.
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-dev mailing list
>>>>>>> keycloak-dev at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
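The thread describes a human-facing validator that splits a pasted token into header, claims and a validity verdict, verifies the signature with the realm's keys, and (per the JWE concern above) must not disclose details of an encrypted token. The following is an added example written for this page, not Keycloak's own code or Stian's attached endpoint. It assumes an HS256 shared secret so that it runs on the Python standard library alone; a Keycloak realm signs with RS256, so a real implementation would replace the HMAC check with an RSA verification against the realm's public key (JWKS). The token inputs are constructed inline for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: Dict[str, Any], key: bytes,
                     header: Optional[Dict[str, Any]] = None) -> str:
    """Build a signed JWS for the demo (constructed input, HS256 is an assumption)."""
    hdr = {"alg": "HS256", "typ": "JWT"} if header is None else header
    h = _b64url_encode(json.dumps(hdr, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def _result(kind: str, valid: Optional[bool], header: Optional[Dict[str, Any]],
            claims: Optional[Dict[str, Any]], reason: str) -> Dict[str, Any]:
    return {"type": kind, "valid": valid, "header": header,
            "claims": claims, "reason": reason}


def inspect_token(token: str, key: bytes, now: Optional[int] = None) -> Dict[str, Any]:
    """Return what a debugging page may show for a pasted token.

    JWS (3 segments): header, claims and a validity verdict (signature + exp).
    JWE (5 segments): only the fact that it is encrypted; no header or payload
    details are returned, which is the point raised in the thread.
    """
    parts = token.strip().split(".")
    if len(parts) == 5:
        return _result("JWE", None, None, None,
                       "encrypted token; details are not disclosed")
    if len(parts) != 3:
        return _result("unknown", False, None, None,
                       "expected 3 (JWS) or 5 (JWE) segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return _result("JWS", False, None, None,
                       "malformed base64url or JSON segment")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return _result("JWS", False, None, None,
                       "header and claims must be JSON objects")
    # Only the algorithm we can verify is accepted; "none" or anything
    # unexpected is reported as invalid rather than silently trusted.
    if header.get("alg") != "HS256":
        return _result("JWS", False, header, claims,
                       f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return _result("JWS", False, header, claims, "signature does not verify")
    now_ts = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and now_ts >= exp:
        return _result("JWS", False, header, claims, "token expired")
    return _result("JWS", True, header, claims, "ok")


if __name__ == "__main__":
    demo_key = b"constructed-demo-secret"  # constructed, not a realm key
    good = make_hs256_token({"sub": "alice", "exp": 2000000000}, demo_key)
    print(json.dumps(inspect_token(good, demo_key, now=1700000000), indent=2))
    print(json.dumps(inspect_token("a.b.c.d.e", demo_key), indent=2))
```

Like jwt.io, the page still shows header and claims when the signature fails, but pairs them with an explicit verdict and reason, so a developer debugging an app can tell a tampered token from an expired one. Because the endpoint consumes server resources on every pasted token, the suggestion in the thread to ship it behind a profile feature flag is how you would keep it off in production.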

