Hi,
We need a way to find the correct certificate without using a keycloak rest
endpoint.
One of the certificates comes from keycloak, but others do not. All of the
certificates are stored at the REST service application.
If there was an x5t header, we could find the correct certificate using the
fingerprint.
On 1 March 2017 at 20:20, Thomas Darimont <thomas.darimont(a)googlemail.com>
wrote:
Hello Robert,
yes, you can use the kid to identify the public key from the keys / or
certs endpoints
that can be used to verify the signature of the JWT token.
"Certs Endpoint":
http://localhost:8081/auth/realms/$REALM/protocol/openid-connect/certs
This endpoint shows all keys without any authentication.
"Keys Endpoint":
http://localhost:8081/auth/admin/realms/$REALM/keys
This is the internal admin REST resource which also provides access to the
keys.
Note that you need at least one realm role to access this endpoint.
"Realm Endpoint":
http://localhost:8081/auth/realms/$REALM
This seems to only show the currently active public key.
The following example shows 3 ways to retrieve the realm public key and
verify a JWT token:
https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde
Cheers,
Thomas
2017-03-01 16:42 GMT+01:00 Robert . <robert.discussions(a)gmail.com>:
> Hi,
> A (.net) application has stored multiple certificates. It wants to choose
> the appropriate certificate to validate the signature in the received jwt.
> Regarding this I have the following questions.
>
> What exactly is the key ID (kid) header in the jwt? Is it possible to use
> this to find the right certificate.
>
> Is it possible to add an x.509 certificate thumbprint (x5t) header in the
> jwt created by keycloak? Is there a feature request for this? Could I
> implement this myself via some extension mechanism?
> Or do I need to add it in the core source code and submit it to be included
> in the keycloak product?
>
> Regards,
> Robert
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
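The lookup Thomas describes, as an added example that is not part of this thread or of Keycloak: a JWKS document in the shape the certs endpoint returns, a token carrying a kid header, and a verifier that selects the single RSA key with that kid, pins the algorithm, and checks the RS256 signature. It is written in Python rather than the .NET the original poster uses and needs only the standard library, so the RSA key pair is produced by a small textbook routine inside the block (an assumption made for the offline demo; a real service loads its keys from the certs endpoint or its own certificate store). The kid values, claims and key size are constructed. The x5t_from_x5c helper states the relationship Robert asks about: the x5t header is the base64url SHA-1 thumbprint of the DER certificate, which is exactly the decoded x5c entry of a JWK.

```python
import base64, hashlib, hmac, json, random

_rng = random.Random(2017)  # fixed seed so the constructed demo keys are reproducible

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Toy RSA key generation, only so the example runs offline (assumption for the demo).
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witness loop
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def make_rsa_key(bits: int = 1024) -> dict:
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1); RS256 is RSASSA-PKCS1-v1_5 over SHA-256.
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))

def jwk_from_key(kid: str, key: dict) -> dict:
    """One entry in the shape of the certs endpoint's JWKS document (x5c/x5t omitted)."""
    nlen = (key["n"].bit_length() + 7) // 8
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
            "n": b64url(key["n"].to_bytes(nlen, "big")), "e": b64url(key["e"].to_bytes(3, "big"))}

def issue_jwt(claims: dict, kid: str, key: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), key))

def select_jwk(jwks: dict, kid: str) -> dict:
    """The kid lookup: exactly one RSA key in the document must carry the header's kid."""
    matches = [k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one RSA key with kid={kid!r}, found {len(matches)}")
    return matches[0]

def verify_jwt(token: str, jwks: dict) -> dict:
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    jwk = select_jwk(jwks, header.get("kid"))
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), n, e):
        raise ValueError("signature does not verify under the selected key")
    return json.loads(b64url_decode(p_b64))

def x5t_from_x5c(x5c_entry: str) -> str:
    """RFC 7515 x5t: base64url of the SHA-1 over the DER certificate, i.e. the decoded x5c string."""
    return b64url(hashlib.sha1(base64.b64decode(x5c_entry)).digest())

def demo() -> dict:
    """Constructed run: a JWKS holding two keys, a token issued under one of them."""
    keys = {"kc-realm-key": make_rsa_key(), "other-app-key": make_rsa_key()}
    jwks = {"keys": [jwk_from_key(kid, k) for kid, k in keys.items()]}
    token = issue_jwt({"sub": "robert"}, "kc-realm-key", keys["kc-realm-key"])
    out = {"claims": verify_jwt(token, jwks)}
    h, _, s = token.split(".")
    for name, bad in (("unknown_kid_rejected", issue_jwt({"sub": "robert"}, "no-such-kid", keys["kc-realm-key"])),
                      ("tampered_rejected", ".".join([h, b64url(b'{"sub":"admin"}'), s]))):
        try:
            verify_jwt(bad, jwks)
            out[name] = False
        except ValueError:
            out[name] = True
    return out
```

demo() returns the verified claims together with two rejection outcomes: a token whose kid matches nothing in the document fails in select_jwk before any signature arithmetic runs, and a token whose payload was swapped after signing fails in rs256_verify. The verifier here checks only key selection and the signature; a real service still validates iss, aud and exp after this step, and refreshes the JWKS when Keycloak rotates the realm key.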