[keycloak-user] Best way to verify an AccessToken with RSATokenVerifier and keycloak-admin-client

Thomas Darimont thomas.darimont at googlemail.com
Mon Feb 20 13:02:13 EST 2017


Hello Group,

What is currently the best way to verify an access token with the
keycloak-admin-client in an application without a configured keycloak
deployment/adapter?

In the adapter scenario the PublicKey needed by the RSATokenVerifier is
retrieved with a PublicKeyLocator which is provided by the
KeycloakDeployment.

With no deployment at hand one needs to retrieve the public key dynamically
to deal with key rotation. I found two variants to do this - which one do
you think is the best?

Variant 1)
Iterate over keycloak.realm(realmId).keys().getKeyMetadata().getKeys()
and find the public key currently referenced by the kid in the JWKSHeader
of the AccessToken.

However, this requires that the current user / client role has at least one
role of the realm-management client, e.g. view-realm.

Variant 2)
Send a GET Request without any authentication to
http://192.168.99.1:8080/auth
This will return the representation of the PublicRealmResource as JSON
which contains the currently active RSA public key for the realm.

This variant doesn't require any role on the client / user since it doesn't
require authentication.
Unfortunately, the current keycloak-admin-client doesn't seem to provide a
way to access the PublicRealmResource information, which requires additional
code to fetch the resource.

Is there a reason for this or is this "just" an API gap that can be fixed?

You can find a gist with a quick demo for the two variants here:
https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde

Cheers,
Thomas
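
The kid lookup from Variant 1, as an added example that is not from the original post or the linked gist. It uses only JDK classes; the `realmKeys` map (kid to Base64 X.509 public key), the kid values and the generated key pairs are constructed stand-ins for the realm's key list.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.*;
import java.util.regex.*;

public class KidLookupDemo {
    static final Base64.Encoder URL = Base64.getUrlEncoder().withoutPadding();
    static String field(String json, String name) { // demo shortcut: regex instead of a JSON parser
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    // realmKeys: kid -> Base64 X.509 public key (assumed cache format). Signature check only.
    static boolean verify(String jwt, Map<String, String> realmKeys) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        if (!"RS256".equals(field(header, "alg"))) return false; // pin the algorithm
        String kid = field(header, "kid");
        if (kid == null || !realmKeys.containsKey(kid)) return false; // unknown kid: refresh keys, else reject
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(
                new X509EncodedKeySpec(Base64.getDecoder().decode(realmKeys.get(kid))));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    static String sign(String kid, PrivateKey key) throws Exception { // builds a constructed token
        String h = URL.encodeToString(("{\"alg\":\"RS256\",\"kid\":\"" + kid + "\"}").getBytes(StandardCharsets.UTF_8));
        String p = URL.encodeToString("{\"sub\":\"demo\"}".getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update((h + "." + p).getBytes(StandardCharsets.US_ASCII));
        return h + "." + p + "." + URL.encodeToString(s.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair oldKey = gen.generateKeyPair(), newKey = gen.generateKeyPair();
        Map<String, String> realmKeys = Map.of( // constructed stand-in for the realm's key list
                "kid-old", Base64.getEncoder().encodeToString(oldKey.getPublic().getEncoded()),
                "kid-new", Base64.getEncoder().encodeToString(newKey.getPublic().getEncoded()));
        System.out.println(verify(sign("kid-new", newKey.getPrivate()), realmKeys));  // kid matches signer
        System.out.println(verify(sign("kid-new", oldKey.getPrivate()), realmKeys));  // kid names another key
        System.out.println(verify(sign("kid-gone", newKey.getPrivate()), realmKeys)); // kid not in the realm
    }
}
```

It checks the signature only; expiry, issuer and the other claims still have to be validated before the token is trusted.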

