Re: [keycloak-user] JWT token auth. advice

Hi, I have a general question about how we use JWT tokens. Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains. That seems to be our scenario. AFAIK there is no OAuth/OpenID in this system. Our JWT token from the browser is sent in a header to Rest Endpoint-1. This endpoint isn't secured. I mean that it can't verify the claims in the token. The claims don't represent any information related To this endpoint. It just passes the token along to Endpoint-2 which is capable of verifying the token. Is this Endpoint-1 considered insecure now ? It is just a mediator but anyone with the token can access it. How do I make Endpoint-2 trust Endpoint-1 ? Thanks, Mohan This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user