*What*
We have implemented a token integrity check as part of AGDROID-686. The implementation assumes that the realm's public key will be available in the mobile-services.json file.
However, based on our research and this SO question (https://stackoverflow.com/questions/40503697/keycloak-missing-realm-public-key), hard-coding the realm public key into the configuration file is not recommended, because an admin user could rotate it in KC to improve security. We need to add support for that.
*How*
The proposed approach is this:
* Check if there is a `realm-public-key` in the config file for Keycloak. If there is, use it.
* If there isn't such a value, load it dynamically:
** First check if there is a cached version of the public key. If there is, check whether the cached key is still valid (there should be a configurable value to specify how long a public key can be considered valid locally).
** If there is no such cached key, or if the cached key is no longer valid, load it from the backend (use the '/openid-connect/cert' endpoint) and save it in the local cache.
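The lookup order above (static key from config, then a time-limited local cache, then a fetch from the realm's certs endpoint), as an added example written for this ticket; it is not the SDK's own code. The `RealmPublicKeyResolver` class, the `certs-endpoint` config key, the `SAMPLE_CERTS` JWKS response and the placeholder host are all assumptions made for the example. It goes one step beyond the proposal by letting the caller pass the `kid` from a token header, so that a key rotated in Keycloak (which publishes several keys with distinct `kid`s) is picked up without waiting for the cache to expire.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed JWKS-style response, shaped like what a Keycloak realm's
# openid-connect certs endpoint returns. The values are placeholders,
# not a real realm's keys.
SAMPLE_CERTS = {
    "keys": [
        {"kid": "key-2017", "kty": "RSA", "alg": "RS256", "use": "sig",
         "n": "placeholder-modulus-2017", "e": "AQAB"},
    ]
}


@dataclass
class RealmKey:
    kid: Optional[str]
    material: Dict[str, str]   # JWK fields ("n", "e"), or {"static": ...} for a config key
    source: str                # "config", "cache" or "backend"


class RealmPublicKeyResolver:
    """Resolves the realm public key in the order: config -> local cache -> backend."""

    def __init__(self, config: Dict[str, str],
                 fetch_certs: Callable[[str], dict],
                 ttl_seconds: int = 3600,
                 clock: Callable[[], float] = time.time):
        self.config = config
        self.fetch_certs = fetch_certs     # injected so the example runs offline
        self.ttl = ttl_seconds             # the "configurable validity" from the ticket
        self.clock = clock                 # injected so cache expiry can be tested
        self._cache: List[dict] = []
        self._cached_at: Optional[float] = None
        self.backend_calls = 0

    def resolve(self, kid: Optional[str] = None) -> RealmKey:
        # Step 1: a key hard-coded in the config file wins, as the ticket proposes.
        static = self.config.get("realm-public-key")
        if static:
            return RealmKey(kid=None, material={"static": static}, source="config")

        # Step 2: use the cached key while it is within its configured lifetime.
        now = self.clock()
        cache_is_fresh = self._cached_at is not None and now - self._cached_at < self.ttl
        if cache_is_fresh:
            key = self._select(self._cache, kid)
            if key is not None:
                return RealmKey(key.get("kid"), key, source="cache")
            # Fresh cache but unknown kid: the realm may have rotated its key, so
            # fall through and refresh. Note that a token with a bogus kid also
            # reaches this point, so production code should rate-limit refreshes.

        # Step 3: load from the backend and repopulate the local cache.
        certs = self.fetch_certs(self.config["certs-endpoint"])
        self.backend_calls += 1
        self._cache = list(certs.get("keys", []))
        self._cached_at = now
        key = self._select(self._cache, kid)
        if key is None:
            raise LookupError(f"no RSA signing key (kid={kid!r}) in certs response")
        return RealmKey(key.get("kid"), key, source="backend")

    @staticmethod
    def _select(keys: List[dict], kid: Optional[str]) -> Optional[dict]:
        # Only RSA keys marked for signature use are acceptable for token verification.
        for k in keys:
            if k.get("kty") != "RSA" or k.get("use", "sig") != "sig":
                continue
            if kid is None or k.get("kid") == kid:
                return k
        return None


if __name__ == "__main__":
    cfg = {"certs-endpoint":
           "https://keycloak.example.invalid/realms/demo/protocol/openid-connect/certs"}
    resolver = RealmPublicKeyResolver(cfg, lambda url: SAMPLE_CERTS, ttl_seconds=600)
    print(resolver.resolve())           # source == "backend"
    print(resolver.resolve("key-2017")) # source == "cache"
```

Whatever the SDK's real `fetch_certs` does (an HTTPS call to the realm's certs endpoint), the resolver itself does not care; injecting the fetcher and the clock is what makes the three branches of the proposal testable in isolation.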