Hello Robert,
Yes, you can use the kid to identify the public key from the keys or
certs endpoints, which can be used to verify the signature of the JWT token.
"Certs Endpoint":
http://localhost:8081/auth/realms/$REALM/protocol/openid-connect/certs
This endpoint shows all keys without any authentication.
"Keys Endpoint":
http://localhost:8081/auth/admin/realms/$REALM/keys
This is the internal admin REST resource which also provides access to the
keys.
Note that you need at least one realm role to access this endpoint.
"Realm Endpoint":
http://localhost:8081/auth/realms/$REALM
This seems to only show the currently active public key.
The following example shows 3 ways to retrieve the realm public key and
verify a JWT token:
https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde
Cheers,
Thomas
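Added example (not from the gist above and not Keycloak's own code): the lookup Thomas describes, written in Go so it runs offline with only the standard library. The key set is constructed inside the program instead of being fetched from the certs endpoint, and the kid values "kid-A"/"kid-B", the function names and the sample claims are all made up for the example. It verifies a token signed with the second realm key by selecting that key through the kid header, and shows three tokens that must fail: a kid that is not in the set, a kid that names the wrong key, and an unsigned alg:none token that still carries a valid kid. The last case is the caveat that matters in practice: kid tells you which key to try, but the verifier must fix the algorithm itself and never take it from the token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE segments are base64url without padding
// JWK is one RSA entry of the certs document {"keys":[...]}; json matches "kid","kty","n","e" case-insensitively.
type JWK struct{ Kid, Kty, N, E string }

// KeyByKid selects the entry whose kid matches and rebuilds the RSA public key from n and e.
func KeyByKid(keys []JWK, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		if k.Kid == kid {
			n, errN := b64.DecodeString(k.N)
			e, errE := b64.DecodeString(k.E)
			if k.Kty != "RSA" || errN != nil || errE != nil {
				return nil, fmt.Errorf("kid %q is not a usable RSA key", kid)
			}
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no key with kid %q in the key set", kid)
}

// VerifyRS256 pins the algorithm to RS256, picks the key by kid and checks the signature.
func VerifyRS256(token string, keys []JWK) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	rawHdr, e0 := b64.DecodeString(parts[0])
	rawClaims, e1 := b64.DecodeString(parts[1])
	sig, e2 := b64.DecodeString(parts[2])
	if e0 != nil || e1 != nil || e2 != nil {
		return nil, fmt.Errorf("JWT segments are not base64url")
	}
	// The verifier fixes the algorithm; the token may name a key (kid), never choose the cipher.
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg=%q parse error=%v", hdr.Alg, err)
	}
	pub, err := KeyByKid(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	claims := map[string]interface{}{}
	return claims, json.Unmarshal(rawClaims, &claims)
}

// SignRS256 stands in for the Keycloak issuer so the example can mint test tokens offline.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

// PublicJWK renders a public key the way the certs endpoint lists it (the kid values used here are made up).
func PublicJWK(pub *rsa.PublicKey, kid string) JWK {
	return JWK{Kid: kid, Kty: "RSA", N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// RunScenario builds a two-key realm locally (nothing is fetched) and reports which constructed tokens are accepted.
func RunScenario() (map[string]bool, error) {
	keyA, errA := rsa.GenerateKey(rand.Reader, 2048)
	keyB, errB := rsa.GenerateKey(rand.Reader, 2048)
	if errA != nil || errB != nil {
		return nil, fmt.Errorf("key generation failed")
	}
	keys := []JWK{PublicJWK(&keyA.PublicKey, "kid-A"), PublicJWK(&keyB.PublicKey, "kid-B")}
	claims := map[string]interface{}{"sub": "robert"}
	accepted := func(tok string) bool { _, err := VerifyRS256(tok, keys); return err == nil }
	none := b64.EncodeToString([]byte(`{"alg":"none","kid":"kid-A"}`)) + "." + b64.EncodeToString([]byte(`{"sub":"x"}`)) + "."
	return map[string]bool{
		"signed-by-B-as-kid-B": accepted(SignRS256(keyB, "kid-B", claims)), // normal case: kid names the real signer
		"signed-by-B-as-kid-C": accepted(SignRS256(keyB, "kid-C", claims)), // kid not in the set
		"signed-by-B-as-kid-A": accepted(SignRS256(keyB, "kid-A", claims)), // kid names the wrong key
		"alg-none-as-kid-A":    accepted(none),                             // unsigned token with a valid kid
	}, nil
}

func main() { fmt.Println(RunScenario()) }
```

Run it with go run; the map it returns is true only for the correctly labelled token. When wiring this to a real realm, fetch the certs document over TLS from the issuer you trust and cache the entries by kid; an unknown kid is the normal signal to re-fetch the set once (realm keys rotate), not a reason to accept the token.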
2017-03-01 16:42 GMT+01:00 Robert . <robert.discussions(a)gmail.com>:
Hi,
A (.net) application has stored multiple certificates. It wants to choose
the appropriate certificate to validate the signature in the received JWT.
Regarding this I have the following questions.
What exactly is the key ID (kid) header in the JWT? Is it possible to use
this to find the right certificate?
Is it possible to add an X.509 certificate thumbprint (x5t) header in the
JWT created by Keycloak? Is there a feature request for this? Could I
implement this myself via some extension mechanism?
Or do I need to add it in the core source code and submit it to be included
in the Keycloak product?
Regards,
Robert
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user