...
2017-02-20 19:02 GMT+01:00 Thomas Darimont <thomas.darimont(a)googlemail.com>:
Hello Group,
what is currently the best way to verify an access token with the
keycloak-admin-client in an application without a configured keycloak
deployment/adapter?
In the adapter scenario the PublicKey needed by the RSATokenVerifier is
retrieved with a PublicKeyLocator which is provided by the
KeycloakDeployment.
With no deployment at hand one needs to retrieve the public key
dynamically to deal with key rotation. I found two variants to do this -
which one do you think is the best?
Variant 1)
Iterate over keycloak.realm(realmId).keys().getKeyMetadata().getKeys()
and find the public key currently referenced by the kid in the JWKSHeader
of the AccessToken.
However, this requires that the current user / client role has at least one
role of the realm-management client, e.g. view-realm.
Variant 2)
Send a GET Request without any authentication to
http://192.168.99.1:8080/auth
This will return the representation of the PublicRealmResource as JSON
which contains the
currently active RSA public key for the realm.
This variant doesn't require any role on the client / user since it
doesn't require authentication.
Unfortunately the current keycloak-admin-client doesn't seem to provide a
way to access the PublicRealmResource information which requires additional
code to fetch the resource.
Is there a reason for this or is this "just" an API gap that can be fixed?
You can find a gist with a quick demo for the two variants here:
https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde
Cheers,
Thomas
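The following is an added example, not code from Thomas's message, the linked gist or the Keycloak project. It shows the key-selection step that both variants above are really about, done the way a practitioner would want it in an application without an adapter: keep the realm's public keys cached by kid, pick the one named in the token's JWS header, and on an unknown kid re-fetch once so a freshly rotated key is picked up (with a rate limit so that attacker-chosen kids cannot turn the verifier into a request amplifier against the server). The key document used here has the JWK Set shape (kty/kid/n/e), which is what Keycloak publishes on the realm's unauthenticated certs endpoint and which lists every currently accepted key rather than only the single active one; that matters during rotation, when tokens signed by the previous key are still in circulation. Everything is self-contained: the realm URL, the in-memory stand-in for the JWKS endpoint, the issued claims and the toy RSA key generation are all assumptions made for the demo, and the RS256 implementation is a minimal pure-Python PKCS#1 v1.5 verifier written for this illustration, not Keycloak's RSATokenVerifier.

```python
import base64, hashlib, json, secrets, time
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def i2b(i, k): return i.to_bytes(k, "big")
def b2i(b): return int.from_bytes(b, "big")
def klen(n): return (n.bit_length() + 7) // 8          # modulus size in bytes

# Toy RSA keygen, only so the demo can mint tokens offline; Keycloak owns the real private key.
def is_probable_prime(n, rounds=32):                     # Miller-Rabin after small trial division
    if n < 2 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def rand_prime(bits):
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1  # top two bits set and odd
        if is_probable_prime(c): return c

def gen_rsa(bits=1024):
    e = 65537
    while True:
        p, q = rand_prime(bits // 2), rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e: return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
def emsa_pkcs1_v15(msg, k):                              # RFC 8017 EMSA-PKCS1-v1_5 with SHA-256
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(key, msg):
    k = klen(key["n"])
    return i2b(pow(b2i(emsa_pkcs1_v15(msg, k)), key["d"], key["n"]), k)
def rs256_verify(n, e, msg, sig):                        # compare the whole padded block, not just the hash
    k = klen(n)
    if len(sig) != k or b2i(sig) >= n: return False
    return secrets.compare_digest(i2b(pow(b2i(sig), e, n), k), emsa_pkcs1_v15(msg, k))

def public_jwk(key, kid):                                # the per-key shape a JWK Set document carries
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": b64u(i2b(key["n"], klen(key["n"]))), "e": b64u(i2b(key["e"], 3))}
def issue_token(key, kid, claims):                       # stands in for Keycloak minting an access token
    enc = lambda o: b64u(json.dumps(o, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64u(rs256_sign(key, signing_input.encode("ascii")))

class JwksKeyLocator:
    """Cache keys by kid. On an unknown kid, re-fetch the JWKS once so a freshly rotated
    key is found, but at most every min_refresh_s so random kids cannot hammer the server."""
    def __init__(self, fetch_jwks, min_refresh_s=10.0):
        self._fetch, self._keys, self._last = fetch_jwks, {}, float("-inf")
        self.min_refresh_s, self.fetches = min_refresh_s, 0
    def _refresh(self):
        self._keys = {j["kid"]: j for j in self._fetch()["keys"]
                      if j.get("kty") == "RSA" and j.get("use", "sig") == "sig"}
        self._last, self.fetches = time.monotonic(), self.fetches + 1
    def get(self, kid):
        if kid not in self._keys and time.monotonic() - self._last >= self.min_refresh_s:
            self._refresh()
        return self._keys.get(kid)

def verify_access_token(token, locator, issuer, now=None):
    parts = token.split(".")
    if len(parts) != 3: raise ValueError("malformed token")
    header = json.loads(b64u_dec(parts[0]))
    if header.get("alg") != "RS256": raise ValueError("unexpected alg")   # pin it; never honour "none"/HS*
    jwk = locator.get(header.get("kid"))
    if jwk is None: raise ValueError("unknown kid")
    n, e = b2i(b64u_dec(jwk["n"])), b2i(b64u_dec(jwk["e"]))
    if not rs256_verify(n, e, (parts[0] + "." + parts[1]).encode("ascii"), b64u_dec(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer: raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now: raise ValueError("expired")
    return claims

def demo():
    """Constructed scenario: realm publishes key A, the app verifies, then key B is rotated in."""
    iss = "http://192.168.99.1:8080/auth/realms/demo"   # assumed realm URL, not from the thread
    jwks = {"keys": []}                                  # in-memory stand-in for the JWKS endpoint
    key_a, key_b = gen_rsa(), gen_rsa()
    jwks["keys"].append(public_jwk(key_a, "kid-A"))
    loc = JwksKeyLocator(lambda: jwks, min_refresh_s=0.0)
    claims = {"iss": iss, "sub": "alice", "exp": 4102444800}
    sub_a = verify_access_token(issue_token(key_a, "kid-A", claims), loc, iss)["sub"]
    jwks["keys"].append(public_jwk(key_b, "kid-B"))      # rotation: a new kid appears, old one still listed
    sub_b = verify_access_token(issue_token(key_b, "kid-B", claims), loc, iss)["sub"]
    return {"sub_a": sub_a, "sub_b": sub_b, "fetches": loc.fetches, "key_a": key_a, "loc": loc, "iss": iss, "claims": claims}
```

Running `demo()` performs one fetch for the initial load and exactly one more when the unknown kid-B shows up, which is the behaviour the admin-API iteration in Variant 1 would otherwise have to reimplement on every request. Two design points worth keeping in any real port: the algorithm is pinned to RS256 before the key is even looked up, so a token carrying `alg: none` or an HMAC alg cannot steer the verifier, and the locator compares the whole PKCS#1 v1.5 encoding rather than just the trailing digest.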