[keycloak-user] Adapter Token Verification

Король Илья llivezking at gmail.com
Tue Apr 11 08:25:36 EDT 2017


I should also note that despite all the stuff that I wrote in the 
previous message, you still have the opportunity to manually verify the AT 
which comes to your application. For that purpose there is an 
_introspection_ endpoint to which you could POST the signed AT, and if it is 
valid Keycloak will return its content to you. But to do this you 
should provide the credentials of the client which you use for introspecting the token.


As you can see, performing a backchannel introspection request to Keycloak 
every time you get an AT is overhead; that's why at least the Spring Adapter 
by default performs verification by itself without requests to Keycloak.


On 11.04.2017 20:20, Kevin Berendsen wrote:
> Hi community!
>
> Is there any diagram of how token verification takes place in adapters? I have a public client and a bearer-only client which is basically a protected API. I wish to verify the token on each API request, and it already does that out-of-the-box with Spring Security, which is nice, but how am I 100% certain that the bearer token is valid?
>
> In Keycloak.json it's possible to fill in a realm-public-key. When that key has a value in the JSON object, will the verification of the token only happen on the client (due to the signature within the token), or does it make an external request to the Keycloak endpoint to verify the token and fill the security context of the HttpSession?
>
> Kind regards,
>
> Kevin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
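The two paths discussed in this thread side by side, as an added example in Go (not code from the thread or from the Keycloak adapters): verifyLocally does what an adapter with a pinned realm-public-key does, i.e. checks the RS256 signature and the exp/iss/aud claims without any request to the server, while introspect performs the backchannel POST of the access token together with the introspecting client's credentials. The realm key pair, the realm URL, the client id "my-api" and the secret are constructed for the example; signToken only stands in for Keycloak to mint a token to check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Claims: the payload fields checked below (Keycloak may emit aud as an array; a string here).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// realmKey is a constructed stand-in for the realm key pair; its public half is what realm-public-key would pin.
var realmKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// signToken plays Keycloak for the example: RS256 over base64url(header).base64url(payload).
func signToken(key *rsa.PrivateKey, c Claims) string {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig)
}

// decodeJSON base64url-decodes one JWT segment into v.
func decodeJSON(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// verifyLocally is the adapter-side path: no request to Keycloak, only the pinned realm key and the claims.
func verifyLocally(tok string, pub *rsa.PublicKey, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	// Pin the algorithm: the token must not get to pick "none" or an HMAC alg.
	if err := decodeJSON(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg=%q err=%v", hdr.Alg, err)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify with the realm key")
	}
	var c Claims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp || c.Iss != iss || c.Aud != aud {
		return nil, fmt.Errorf("claims rejected: exp=%d iss=%q aud=%q", c.Exp, c.Iss, c.Aud)
	}
	return &c, nil
}

// introspect is the backchannel path: one HTTP round trip per access token, authenticated as the introspecting client.
func introspect(endpoint, clientID, clientSecret, tok string) (bool, error) {
	body := strings.NewReader(url.Values{"token": {tok}}.Encode())
	req, err := http.NewRequest(http.MethodPost, endpoint, body)
	if err != nil {
		return false, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // the client's own credentials, not the user's token
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("introspection refused: HTTP %d", resp.StatusCode)
	}
	var out struct{ Active bool `json:"active"` }
	return out.Active, json.NewDecoder(resp.Body).Decode(&out)
}

func main() {
	const iss = "https://sso.example.com/auth/realms/demo" // constructed realm URL
	tok := signToken(realmKey, Claims{Iss: iss, Aud: "my-api", Exp: time.Now().Add(5 * time.Minute).Unix()})
	_, err := verifyLocally(tok, &realmKey.PublicKey, iss, "my-api", time.Now())
	fmt.Println("verified locally without contacting the realm:", err == nil)
}
```

Against a real realm the endpoint passed to introspect is the realm URL followed by /protocol/openid-connect/token/introspect, and the response carries "active": true or false. The trade-off behind the thread is visible in the two functions: the local path costs one signature check and nothing on the wire, but a token it accepts stays acceptable until exp even if the session was ended at Keycloak in the meantime, whereas introspection reflects the server's current view at the price of an authenticated round trip per request.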
