[keycloak-dev] Token validator endpoint (for humans)

Bill Burke bburke at redhat.com
Thu Apr 5 10:08:01 EDT 2018


It's possible and easy if you don't allow hot deployment.   Just add
the provider to the list of classes or objects that define the root of
the JAX-RS tree.

IMO, though, I don't see the value.  We'll only want extensions under
/realms/{realm} and under the admin REST API (for token validation).
There's a lot of initialization and work that's done by each layer of
the url scheme.  Especially for admin endpoints.


On Thu, Apr 5, 2018 at 9:58 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
> Is there a way we could let it register on any path with RestEasy?
>
> On 5 April 2018 at 15:56, Bill Burke <bburke at redhat.com> wrote:
>>
>> I'll just switch to using that probably.
>>
>> On Thu, Apr 5, 2018 at 9:48 AM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>> > We already have a realm resource provider which adds directly under
>> > realm
>> > (/auth/realms/<realm name>/<resource provider id>). See
>> >
>> > https://github.com/stianst/keycloak-experimental/blob/master/token-validation/src/main/java/org/keycloak/experimental/token/TokenValidatorFactory.java#L31.
>> >
>> > The URL for this thing is: /auth/realms/master/token-validator
>> >
>> > Perhaps we could extend the realm resource provider to allow not just
>> > adding
>> > directly under realms, but under any arbitrary path? Not sure if
>> > RestEasy
>> > allows that though.
>> >
>> > On 5 April 2018 at 15:41, Bill Burke <bburke at redhat.com> wrote:
>> >>
>> >> +1
>> >>
>> >> Question, how are you adding this endpoint?  Under ../protocol/oidc?
>> >>
>> >> The kubernetes integration needs a similar validation endpoint that
>> >> outputs a document that kubernetes consumes.  What I did is create an
>> >> entirely new protocol.  Maybe a protocol extension endpoint would be
>> >> better?
>> >>
>> >> Object createExtensionEndpoint(String providerId)
>> >>
>> >> The returned Object would be a JAX-RS sub resource.
>> >>
>> >> Then the base endpoint would be
>> >> .../protocol/oidc/extensions/{provider-id}
>> >>
>> >>
>> >>
>> >> On Thu, Apr 5, 2018 at 8:04 AM, Stian Thorgersen <sthorger at redhat.com>
>> >> wrote:
>> >> > I added an example token validator endpoint that I needed for some
>> >> >> > demonstration purposes. Question: would this be useful to add directly
>> >> > to
>> >> > Keycloak?
>> >> >
>> >> > It provides a simple form where you can paste in the base64 token. It
>> >> > will
>> >> > then output the header, claims and whether or not the token is valid.
>> >> > It
>> >> > uses realm keys to verify the signature so you don't have to paste
>> >> > that
>> >> > in
>> >> > manually (like you do on jwt.io).
>> >> >
>> >> >> > For those too lazy to try it out I've attached a screenshot.
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Bill Burke
>> >> Red Hat
>> >
>> >
>>
>>
>>
>> --
>> Bill Burke
>> Red Hat
>
>



-- 
Bill Burke
Red Hat
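
The realm resource provider approach discussed in this thread, as an added sketch that is not part of the original messages and is not the code in the linked repository. Class and package names are hypothetical, and the key lookup via `session.keys().getRsaPublicKey(...)` assumes the Keycloak SPI as it was around the time of this thread. It checks only the signature against the realm's own RSA keys, not expiry or audience.

```java
package example.tokenvalidator; // hypothetical package name

import java.security.PublicKey;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import org.keycloak.Config;
import org.keycloak.jose.jws.*;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.*;
import org.keycloak.services.resource.*;

// Registered by listing this class name in
// META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory
public class ExampleTokenValidatorFactory implements RealmResourceProviderFactory {
    // The provider id becomes the path segment: /auth/realms/<realm name>/token-validator
    @Override public String getId() { return "token-validator"; }
    @Override public RealmResourceProvider create(KeycloakSession session) {
        return new Validator(session);
    }
    @Override public void init(Config.Scope config) {}
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}

    public static class Validator implements RealmResourceProvider {
        private final KeycloakSession session;
        Validator(KeycloakSession session) { this.session = session; }

        // The returned object is used as the JAX-RS sub-resource for the path above.
        @Override public Object getResource() { return this; }
        @Override public void close() {}

        @POST
        @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
        @Produces(MediaType.TEXT_PLAIN)
        public String validate(@FormParam("token") String token) {
            try {
                JWSInput jws = new JWSInput(token);
                RealmModel realm = session.getContext().getRealm();
                String kid = jws.getHeader().getKeyId();
                // Pin the algorithm: only RS256 is accepted, whatever the header asks for.
                boolean rs256 = jws.getHeader().getAlgorithm() == Algorithm.RS256;
                // Look the key up among the realm's own keys; an unknown kid is invalid.
                PublicKey key = rs256 ? session.keys().getRsaPublicKey(realm, kid) : null;
                boolean valid = key != null && RSAProvider.verify(jws, key);
                return "kid: " + kid + "\nclaims: " + jws.readContentAsString()
                        + "\nvalid: " + valid;
            } catch (JWSInputException e) {
                return "valid: false (not a parseable JWS)";
            }
        }
    }
}
```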
