Isn't that a rather important bug to be fixed? What's the point of signing
something with a key that cannot be shared with the verifiers?
On Wed, Oct 3, 2018 at 1:30 AM Stian Thorgersen <sthorger(a)redhat.com> wrote:
HS* signing algorithms cannot be verified by the client today as it is
not using a shared secret, rather a secret only Keycloak knows. You need to
pick a different algorithm or use the token introspection endpoint.
On Tue, 2 Oct 2018, 22:21 Wyllys Ingersoll, <wyllys.ingersoll(a)keepertech.com> wrote:
> I'm trying to verify a JWT access token from Keycloak using the python
> jose-jwt library, but cannot seem to get it to succeed. When using the
> HS512 algorithm, how does one retrieve the key needed to verify the JWT
> tokens?
>
> The JWT header decodes to something like this:
> {"alg":"HS512","typ":"JWT","kid":"eb31076b-bce6-495a-9a4b-e3210e14b342"},
> but I don't see how to get the key associated with the given kid value above.
>
> I tried using the "client secret" from the credential section, but that's
> not working.
>
> What am I missing?
>
> thanks!
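
Added example, not part of the original thread and not Keycloak or python-jose code: a standard-library sketch of why an HS512 token cannot be checked with the client secret, and how a client can choose between local verification and the token introspection endpoint from the `alg` header. The secrets, the claims and the function names (`make_token`, `verify_hs512`, `verification_route`) are constructed for illustration; only the `kid` value comes from the thread.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not real Keycloak secrets.
REALM_SECRET = b"constructed-secret-known-only-to-the-server"
CLIENT_SECRET = b"constructed-client-secret-from-credentials-tab"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict, claims: dict, key: bytes) -> str:
    # Hypothetical helper: builds a constructed HMAC-SHA512 signed sample token.
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs512(token: str, key: bytes) -> bool:
    # Recompute the HMAC; only the exact signing key can succeed.
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha512).digest()
    try:
        return hmac.compare_digest(expected, b64url_decode(sig))
    except ValueError:  # malformed base64 in the signature segment
        return False


def verification_route(token: str) -> str:
    # Decide how a client should validate the token, based on its header.
    alg = json.loads(b64url_decode(token.split(".")[0])).get("alg", "")
    if alg.startswith("HS"):
        return "introspect"        # signing secret is not available to the client
    if alg[:2] in ("RS", "ES", "PS"):
        return "local-public-key"  # verifiable with the issuer's public key
    return "reject"                # "none" or unknown algorithms

TOKEN = make_token(
    {"alg": "HS512", "typ": "JWT", "kid": "eb31076b-bce6-495a-9a4b-e3210e14b342"},
    {"sub": "constructed-user"}, REALM_SECRET)
```

`verify_hs512(TOKEN, CLIENT_SECRET)` returns `False` while the server-side secret verifies, which is the behaviour reported in the question.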