It's by design and certainly not a bug. It's not always the case that
applications verify tokens themselves directly, but rather through token
introspection endpoints on Keycloak server.
As I said in my last mail: if you want to verify tokens in your app, just
pick a better-suited signing algorithm, like rs256 or es256.
On Wed, 3 Oct 2018, 15:46 Wyllys Ingersoll, <wyllys.ingersoll(a)keepertech.com>
wrote:
Isn't that a rather important bug to be fixed? What's the point of signing
something with a key that cannot be shared with the verifiers?
On Wed, Oct 3, 2018 at 1:30 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> HS* signing algorithms can not be verified by the client today as it is
> not using a shared secret, rather a secret only Keycloak knows. You need to
> pick a different algorithm or use token introspection endpoint.
>
> On Tue, 2 Oct 2018, 22:21 Wyllys Ingersoll, <
> wyllys.ingersoll(a)keepertech.com> wrote:
>
>> I'm trying to verify a JWT access token from Keycloak using the python
>> jose-jwt library, but cannot seem to get it to succeed. When using the
>> HS512 algorithm, how does one retrieve the key needed to verify the JWT
>> tokens?
>>
>> The JWT header decodes to something like this:
>> {"alg":"HS512","typ":"JWT","kid":"eb31076b-bce6-495a-9a4b-e3210e14b342"},
>> but I don't see how to get the key associated with the given kid value above.
>>
>> I tried using the "client secret" from the credential section, but that's
>> not working.
>>
>> What am I missing?
>>
>> thanks!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
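As an added example (not code from this thread, from python-jose or from Keycloak), this is what the RS256 route recommended at the top of the mail looks like with only the Python standard library: the verifier reads the kid from the header, looks up that key in a JWKS document of the kind Keycloak publishes for a realm, and refuses every other alg because, as the reply explains, the client never holds Keycloak's HS* secret. The RSA key, the kid and the JWKS are constructed for the demo; `sign_rs256` only stands in for the issuer.

```python
import base64, hashlib, json

# RFC 8017 DigestInfo prefix for SHA-256, used by EMSA-PKCS1-v1_5 (RS256).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

# Constructed demo key from two well-known primes (2^255-19 and the Mersenne
# prime 2^521-1): trivially factorable, here only so the example runs offline.
P, Q = 2**255 - 19, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KID = "demo-kid-0001"  # placeholder key id, not a real Keycloak kid
# Shape of what a verifier fetches from the realm's JWKS endpoint: public n, e per kid.
JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "kid": KID,
                  "n": b64url(N.to_bytes((N.bit_length() + 7) // 8, "big")),
                  "e": b64url(E.to_bytes(3, "big"))}]}

def sign_rs256(payload: dict, n: int, d: int, kid: str) -> str:
    """Stands in for the issuer: mints an RS256 token that names its key id."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url(pow(m, d, n).to_bytes(k, "big"))

def verify_rs256(token: str, jwks: dict):
    """Payload if the signature verifies under the JWKS key named by kid, else None."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    # No Keycloak HS* secret on the client side, so only RS256 is accepted; the same
    # check refuses "none" and any header that tries to swap the algorithm.
    if header.get("alg") != "RS256":
        return None
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return None
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(s_b64), "big")
    expected = emsa_pkcs1_v15((h_b64 + "." + p_b64).encode(), k)
    if pow(sig, e, n).to_bytes(k, "big") != expected:
        return None
    return json.loads(b64url_decode(p_b64))
```

A token whose header still says HS512, as in the original question, is rejected before any key lookup; a token with an unknown kid is rejected after it.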