[keycloak-user] Public key for verifying JWT?

Stian Thorgersen sthorger at redhat.com
Fri Oct 5 02:21:58 EDT 2018


It's by design and certainly not a bug. It's not always the case that
applications verify tokens themselves directly, but rather through token
introspection endpoints on Keycloak server.

As I said in my last mail, if you want to verify tokens in your app, just
pick a better-suited signing algorithm, like RS256 or ES256.

On Wed, 3 Oct 2018, 15:46 Wyllys Ingersoll, <wyllys.ingersoll at keepertech.com>
wrote:

> Isn't that a rather important bug to be fixed?  What's the point of signing
> something with a key that cannot be shared with the verifiers?
>
> On Wed, Oct 3, 2018 at 1:30 AM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> HS* signing algorithms cannot be verified by the client today, as it is
>> not using a shared secret, rather a secret only Keycloak knows. You need to
>> pick a different algorithm or use the token introspection endpoint.
>>
>> On Tue, 2 Oct 2018, 22:21 Wyllys Ingersoll, <
>> wyllys.ingersoll at keepertech.com> wrote:
>>
>>> I'm trying to verify a JWT access token from Keycloak using the Python
>>> jose-jwt library, but cannot seem to get it to succeed.  When using the
>>> HS512 algorithm, how does one retrieve the key needed to verify the JWT
>>> tokens?
>>>
>>> The JWT header decodes to something like this:
>>> {"alg":"HS512","typ":"JWT","kid":"eb31076b-bce6-495a-9a4b-e3210e14b342"}
>>> but I don't see how to get the key associated with the given kid value above.
>>>
>>> I tried using the "client secret" from the credentials section, but that's
>>> not working.
>>>
>>> What am I missing?
>>>
>>> thanks!
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
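The point of the thread, as an added example that is not part of the original mails and is not Keycloak's or python-jose's own code: an HS512 token is an HMAC over header.payload under the issuer's secret, so a verifier holding any other value (the client secret from the credentials tab included) gets a signature mismatch, while an RS256/ES256 token is checked against the realm's published public key, looked up by the header's kid in the JWKS Keycloak serves at {issuer}/protocol/openid-connect/certs. The block uses only the standard library; the secrets, issuer, kid values and JWKS document are constructed for the demo, and the RSA signature arithmetic itself is left to a JWT library such as the one the poster is using, fed the JWK that `select_jwk` returns. Two checks a practitioner wants are built in: the verifier pins the algorithm instead of trusting the header's alg, and the JWKS lookup refuses HS* so a public key can never be consumed as an HMAC secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values: none of these are real Keycloak secrets, realm keys or subjects.
ISSUER = "https://sso.example.com/auth/realms/demo"
KEYCLOAK_INTERNAL_HS_SECRET = b"hmac-secret-that-only-keycloak-knows"  # what HS512 tokens are signed with
CLIENT_SECRET = b"secret-from-the-client-credentials-tab"             # what the poster tried to verify with
NOW = 1538700000  # fixed clock (2018-10-05) so the example is deterministic

HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Constructed JWKS in the shape Keycloak publishes at {ISSUER}/protocol/openid-connect/certs.
# Only public keys are listed, which is why an HS* token has no entry to look up.
REALM_JWKS = {"keys": [
    {"kid": "rs-kid-1", "kty": "RSA", "alg": "RS256", "use": "sig",
     "n": "constructed-modulus-not-a-real-key", "e": "AQAB"},
]}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header: dict, claims: dict) -> str:
    """base64url(header).base64url(payload), the bytes every JWS signature covers."""
    return ".".join(b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))


def encode_token(header: dict, claims: dict, signature: bytes) -> str:
    """Assemble a compact JWS from already-computed parts."""
    return _signing_input(header, claims) + "." + b64url_encode(signature)


def sign_hs(claims: dict, secret: bytes, alg: str = "HS512", kid: str = "hs-kid-1") -> str:
    """Mint an HS* token the way the issuer does: HMAC over header.payload with its own secret."""
    body = _signing_input({"alg": alg, "typ": "JWT", "kid": kid}, claims)
    mac = hmac.new(secret, body.encode("ascii"), HS_DIGESTS[alg]).digest()
    return body + "." + b64url_encode(mac)


def verify_hs(token: str, secret: bytes, expected_alg: str, issuer: str,
              now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the HS* signature, issuer and expiry check out, else None.
    The algorithm is pinned by the caller; the header's alg is only compared against it,
    so a token cannot choose its own verification algorithm."""
    if expected_alg not in HS_DIGESTS:
        return None
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        presented = b64url_decode(s)
    except Exception:
        return None
    if header.get("alg") != expected_alg:
        return None
    expected = hmac.new(secret, f"{h}.{c}".encode("ascii"), HS_DIGESTS[expected_alg]).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time compare
        return None
    claims = json.loads(b64url_decode(c))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("exp", 0) <= now:
        return None
    return claims


def select_jwk(jwks: dict, token: str, allowed_algs=("RS256", "ES256")) -> dict:
    """Pick the published realm key whose kid matches the token header.
    Anything outside allowed_algs is refused, so an HS* token (or a header rewritten
    to HS*) never reaches a public key that could be misused as an HMAC secret."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} cannot be verified with the realm's published keys")
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig" and key.get("alg", alg) == alg:
            return key
    raise LookupError(f"no signing key with kid {kid!r} in JWKS")


def demo() -> dict:
    """Run the scenarios from the thread and return the outcome of each."""
    claims = {"iss": ISSUER, "sub": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
              "aud": "my-app", "iat": NOW, "exp": NOW + 300}
    hs_token = sign_hs(claims, KEYCLOAK_INTERNAL_HS_SECRET)
    # Placeholder signature: the RSA check belongs to the JWT library, fed the selected JWK.
    rs_token = encode_token({"alg": "RS256", "typ": "JWT", "kid": "rs-kid-1"}, claims, b"\x00" * 256)
    results = {
        "hs_with_client_secret": verify_hs(hs_token, CLIENT_SECRET, "HS512", ISSUER, NOW),
        "hs_with_keycloak_secret": verify_hs(hs_token, KEYCLOAK_INTERNAL_HS_SECRET, "HS512", ISSUER, NOW),
        "hs_wrong_pin": verify_hs(hs_token, KEYCLOAK_INTERNAL_HS_SECRET, "HS256", ISSUER, NOW),
        "hs_expired": verify_hs(hs_token, KEYCLOAK_INTERNAL_HS_SECRET, "HS512", ISSUER, NOW + 600),
        "rs_key": select_jwk(REALM_JWKS, rs_token)["kid"],
    }
    try:
        select_jwk(REALM_JWKS, hs_token)
        results["hs_jwks"] = "selected"
    except ValueError as exc:
        results["hs_jwks"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")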

