4:03 p.m.
Is there any way to access the realm keys without making an authenticated
request? That is by making a GET request to `/auth/admin/realms/{realm
name}/keys` without an authorization token.
I ask because when I add a new service, that needs to verify a JWT sent to
it, I have to manually authenticate, get the public key and then configure
a JWK from that. It would be easier if I could just tell me service the URL
and it would fetch the public key from the Keycloak API.
The response for the keys doesn't include any private information so I
don't see any issue in regard to security. Or am I missing something, or is
there another way to do this?
2:47 a.m.
Yes, it is possible and our adapters are using it. It's like
http://localhost:8081/auth/realms/master/protocol/openid-connect/certs
(replace your protocol, server, port and realm).
Marek
On 25/09/17 23:03, Russell Davies wrote:
Is there any way to access the realm keys without making an
authenticated
request? That is by making a GET request to `/auth/admin/realms/{realm
name}/keys` without an authorization token.
I ask because when I add a new service, that needs to verify a JWT sent to
it, I have to manually authenticate, get the public key and then configure
a JWK from that. It would be easier if I could just tell me service the URL
and it would fetch the public key from the Keycloak API.
The response for the keys doesn't include any private information so I
don't see any issue in regard to security. Or am I missing something, or is
there another way to do this?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2647
days inactive
2650
days old
1 comments
2 participants
participants (2)
-
Marek Posolda -
Russell Davies