[keycloak-user] Getting a realm public key without credentials

Sebastien Blanc sblanc at redhat.com
Tue Jun 19 11:40:20 EDT 2018


/auth/realms/{my_realm}/.well-known/openid-configuration will give you a
list of OpenID endpoints; there you can find `jwks_uri`, and it looks like it
is what you are looking for:
http://localhost:8080/auth/realms/{my_realm}/protocol/openid-connect/certs

On Tue, Jun 19, 2018 at 5:01 PM, Jean-Baptiste Fouet <jbf.nospam at gmail.com>
wrote:

> Hi, we are trying to integrate Keycloak in our system, and in order to
> check the generated access token, we need a realm public key. We would like
> to avoid configuring credentials on all endpoints needing to check a JWT
> token, so it would be great to be able to get the Keycloak key without any
> credentials.
>
> I did find the endpoint
>
> http://localhost:8080/auth/realms/{realm}
>
> which gives the following JSON, without auth:
>
> {"realm":{realm},"public_key":"xx","token-service":"http://localhost:8080/auth/realms/{realm}/protocol/openid-connect","account-service":"http://localhost:8080/auth/realms/{realm}/account","tokens-not-before":0}
>
> Unfortunately, here there is no key id, so I can't handle several JWT
> providers or even a single Keycloak with key rotation.
>
> Now, I found a more detailed key interface under
>
> http://localhost:8080/auth/admin/realms/{realms}/keys, returning for
> each key the status, type (algorithm), and the keyid.
>
> But I need credentials to access this interface, even though it's only
> public data (HMAC & AES keys are NOT provided).
>
> I accessed it with the Keycloak master admin; I do not want to spread
> his credentials everywhere, but I would be OK if I could create a
> user with limited rights to access only that.
>
> Any suggestions on how to proceed? Is there another endpoint to get
> this full info?
> The doc doesn't clearly state the roles needed to access
>
> auth/admin/realms/{realms}/keys
>
> Thank you
>
>  JB
>
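
Added example (not part of the original thread and not Keycloak's own code): picking the verification key by `kid` from the JSON that the `jwks_uri` endpoint named in the reply returns, then checking an RS256 signature with the Python standard library only. The key material, the key ids and the token are constructed so the block runs offline; a real client would fetch the JWKS over HTTPS and cache it.

```python
import base64, hashlib, json

# DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# Constructed demo key from two Mersenne primes: insecure, offline illustration only
P, Q, E = 2**521 - 1, 2**607 - 1, 65537

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def int_b64u(i):
    return b64u_enc(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def emsa(signing_input, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(signing_input) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, jwks):
    """Return the claims if the token verifies under the JWKS key named by its kid."""
    head, body, sig = token.split(".")
    header = json.loads(b64u_dec(head))
    if header.get("alg") != "RS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    keys = {k["kid"]: k for k in jwks["keys"] if k.get("kty") == "RSA"}
    jwk = keys.get(header.get("kid"))
    if jwk is None:  # unknown kid: re-fetch jwks_uri (rate-limited), else reject
        raise KeyError("unknown kid")
    n = int.from_bytes(b64u_dec(jwk["n"]), "big")
    e = int.from_bytes(b64u_dec(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    raw = b64u_dec(sig)
    em = pow(int.from_bytes(raw, "big"), e, n).to_bytes(k, "big")
    if len(raw) != k or em != emsa(f"{head}.{body}".encode(), k):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(body))

def demo():
    """Return (token, jwks): a constructed two-key JWKS and a token signed by 'active-key'."""
    n, d = P * Q, pow(E, -1, (P - 1) * (Q - 1))
    jwks = {"keys": [{"kid": k, "kty": "RSA", "n": int_b64u(m), "e": int_b64u(E)}
                     for k, m in (("retired-key", P * (2**1279 - 1)), ("active-key", n))]}
    head = b64u_enc(json.dumps({"alg": "RS256", "kid": "active-key"}).encode())
    body = b64u_enc(json.dumps({"sub": "constructed-user"}).encode())
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(emsa(f"{head}.{body}".encode(), k), "big"), d, n)
    return f"{head}.{body}.{b64u_enc(sig.to_bytes(k, 'big'))}", jwks
```

Calling `verify_rs256(*demo())` returns the constructed claims; a token whose `kid` is absent from the cached JWKS is the signal to refresh from `jwks_uri` once before rejecting.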

