Hi!
Thanks for your replies. Yes, I knew there was an introspection endpoint and would also
verify if the token is legit and as you mentioned that would cause overhead for each
request.
I'm glad that the client authentication takes place within the adapter and does not
cause such overhead. Once again, thank you!
Kind regards,
Kevin
-----Original message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On behalf of ?????? ????
Sent: Tuesday 11 April 2017 14:26
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Adapter Token Verification
I should also note that despite all that stuff that I wrote in the previous message, you
still have an opportunity to manually verify the AT which comes to your application. For that
purpose there is an _introspection_ endpoint to which you could POST the signed AT, and if it
is valid keycloak will return its content to you. But for doing this you should provide
the credentials of the client which you use for introspecting the token.
As you can see, performing a backchannel introspection request to keycloak every time you get
an AT is overhead; that's why at least the Spring Adapter by default performs verification by
itself without requests to keycloak.
11.04.2017 20:20, Kevin Berendsen wrote:
Hi community!
Is there any diagram of how token verification takes place in adapters? I have a public
client and a bearer-only client which is basically a protected API. I wish to verify the
token on each API request and it already does that out-of-the-box with Spring Security
which is nice, but how am I 100% certain that the bearer token is valid?
In Keycloak.json it's possible to fill in a realm-public-key. When that key has a
value in the JSON object, will the verification of the token only happen on the client
(due to the signature within the token) or does it make an external request to the
Keycloak endpoint to verify the token and fill the security context of the HttpSession?
Kind regards,
Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
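
Added example, not part of the thread and not the Keycloak adapter's own code: a sketch of the offline check discussed above, where a bearer-only service validates an RS256 access token against the realm public key without calling Keycloak. The class name, the generated key pair and the issuer URL are constructed stand-ins, and claims are matched with string checks only to keep the block dependency-free.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.regex.*;

public class LocalTokenCheck {   // hypothetical class name
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // Offline check: signature against the realm public key, then issuer and expiry.
    static boolean verify(String token, PublicKey realmKey, String issuer, long now)
            throws GeneralSecurityException {
        String[] p = token.split("\\.");
        if (p.length != 3) return false;
        String header = new String(DEC.decode(p[0]), StandardCharsets.UTF_8);
        // Pin the algorithm on the verifier side; the token must not choose it.
        if (!header.contains("\"alg\":\"RS256\"")) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(realmKey);
        sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(DEC.decode(p[2]))) return false;
        // Claims are trusted only after the signature holds (use a JSON parser in real code).
        String claims = new String(DEC.decode(p[1]), StandardCharsets.UTF_8);
        Matcher exp = Pattern.compile("\"exp\":(\\d+)").matcher(claims);
        return claims.contains("\"iss\":\"" + issuer + "\"")
            && exp.find() && Long.parseLong(exp.group(1)) > now;
    }

    // Test helper that plays the role of the token issuer.
    static String sign(String claims, PrivateKey key) throws GeneralSecurityException {
        String head = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String body = ENC.encodeToString(head.getBytes(StandardCharsets.UTF_8))
            + "." + ENC.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(body.getBytes(StandardCharsets.US_ASCII));
        return body + "." + ENC.encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair realm = gen.generateKeyPair();   // constructed stand-in for the realm key pair
        String iss = "https://sso.example.test/auth/realms/demo";   // constructed issuer
        long now = System.currentTimeMillis() / 1000;
        String ok = "{\"iss\":\"" + iss + "\",\"exp\":" + (now + 300) + "}";
        String old = "{\"iss\":\"" + iss + "\",\"exp\":" + (now - 1) + "}";
        PublicKey pub = realm.getPublic();
        System.out.println("valid:     " + verify(sign(ok, realm.getPrivate()), pub, iss, now));
        System.out.println("expired:   " + verify(sign(old, realm.getPrivate()), pub, iss, now));
        System.out.println("wrong key: " + verify(sign(ok, gen.generateKeyPair().getPrivate()), pub, iss, now));
    }
}
```

A token that passes this check stays acceptable until its exp even if the session has since been ended at Keycloak; the introspection endpoint is the call that reflects that server-side state, at the cost of the per-request round trip described above.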