[keycloak-user] Adapter Token Verification

Kevin Berendsen kevin.berendsen at pharmapartners.nl
Wed Apr 12 01:31:09 EDT 2017 

Hi!

Thanks for your replies. Yes, I knew there was an introspection endpoint and would also verify if the token is legit and as you mentioned that would cause overhead for each request. 

I'm glad that the client authentication takes place within the adapter and does not cause such overhead. Once again, thank you!

Kind regards,

Kevin
-----Oorspronkelijk bericht-----
Van: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Namens ?????? ????
Verzonden: dinsdag 11 april 2017 14:26
Aan: keycloak-user at lists.jboss.org
Onderwerp: Re: [keycloak-user] Adapter Token Verification

I should also notice that despite all that stuff that i wrote in previous message you still have an opportunity to manually verify AT, which comes to your application. For that purpose there is a _introspection_ endpoint to which your could POST signed AT, and if it valid keycloak will return its content to you. But for doing this you should provide credentials of client which you use for introspecting token.


As you could see perform a backchannel introspection request to keycloak everytime you get an AT is overhead, thats why at least Spring Adapter by default perform verification by itself without requests to keycloak.


11.04.2017 20:20, Kevin Berendsen пишет:
> Hi community!
>
> Is there any diagram of how token verification takes place in adapters? I have a public client and a bearer-only client which is basically a protected API. I wish to verify the token on each API request and it already does that out-of-the-box with Spring Security which is nice but how I'm 100% certain that the bearer token is valid?
>
> In Keycloak.json it's possible to fill in a realm-public-key. When that key has a value in the JSON object, will the verification of the token only happen on the client (due to the signature within the token) or does it make an external request to the Keycloak endpoint to verify the token and fill the security context of the HttpSession?
>
> Kind regards,
>
> Kevin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list