[keycloak-dev] Why is the access_token a JWT?

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Mon Sep 12 12:57:44 EDT 2016

On Mon, Sep 12, 2016 at 12:45 PM, Bill Burke <bburke at redhat.com> wrote:
> Our access tokens are JWS's.  Json Web Signatures that contain a JWT.
> This way if Client One gets an access token this token can be used to
> invoke on Client Foo.  Client Foo validates the JWS signature with the
> realm's public key, if correct, allows the invocation.  This is so that
> you don't have to have a hub/spoke authentication for every single REST
> invocation.

Thanks Bill, that makes sense.  I couldn't figure out why my KC
implementation worked OOTB with Kubernetes given there is no
REQUIREMENT that the access_token be a JWS (thanks for correcting me
that it's a JWS not a JWT) yet simply passing the access_token to
Kubernetes works great.   Turns out the design pattern you describe
above is the same pattern Kubernetes is using, it's just not well
documented on their end.  That closes the loop and explains
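The pattern Bill describes (a token minted for Client One, accepted by Client Foo purely because the JWS signature checks out against the realm's public key) is easy to see in code. The Go program below is an added illustration written for this page, not code from Keycloak, Kubernetes or either poster. It plays both roles: `Issue` stands in for the realm signing an RS256 compact JWS, and `Verify` is the local check a resource server performs on each request with no call back to the authorization server. The claim names are the standard OIDC ones Keycloak emits (`iss`, `sub`, `aud`, `azp`, `exp`); the issuer URL, client names and key are constructed for the demo, and `aud` is assumed to be a single string, whereas a real Keycloak token may carry an array there.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of access-token claims checked here. Assumption: aud is
// a single string; real Keycloak tokens may carry an array in that claim.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"` // resource server the token is meant for ("Client Foo")
	Azp string `json:"azp"` // client the token was issued to ("Client One")
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// NewRealmKey stands in for the realm's signing key (generated for the demo).
func NewRealmKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Issue signs the claims as a compact JWS: b64url(header).b64url(payload).b64url(sig).
func Issue(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c) // cannot fail for a struct of strings and ints
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

func decodeJSON(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Verify is what the resource server ("Client Foo") does on every request: check the
// signature with the realm public key, then the claims, all locally, no round trip.
func Verify(pub *rsa.PublicKey, token, issuer, audience string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the verifier decides what it accepts, never the token.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify with the realm key")
	}
	// Only a token whose signature checked out gets its claims parsed and used.
	var c Claims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("token not meant for %s (aud=%q)", audience, c.Aud)
	case now >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	priv, _ := NewRealmKey() // key generation only fails on a broken RNG
	now := time.Now().Unix()
	iss := "https://kc.example.test/realms/demo" // constructed issuer URL
	tok, _ := Issue(priv, Claims{Iss: iss, Sub: "alice", Aud: "client-foo", Azp: "client-one", Exp: now + 300})
	fmt.Println(Verify(&priv.PublicKey, tok, iss, "client-foo", now))
}
```

The design point is in `Verify`: the signature check is what lets Client Foo trust a token it never issued, so the public key is the only thing the resource server needs from the realm. The claim checks that follow are what keep that convenience from becoming a liability: pinning `alg` stops a token from choosing its own verification method, `aud` confines the token to the service it was issued for, and `exp` bounds how long a signed token stays usable, since nothing here ever asks the realm whether it has since been revoked.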

