[keycloak-user] JWT token auth. advice

Stian Thorgersen sthorger at redhat.com
Mon Oct 10 04:21:46 EDT 2016


If endpoint-1 always triggers endpoint-2 which verifies the token I would
consider it secured, although indirectly.

Not sure what you mean about making endpoint-2 trust endpoint-1. Endpoint-2
doesn't directly trust endpoint-1, rather it trusts the details from the
access token that endpoint-1 has retrieved. So in effect it trusts the user
of endpoint-1 rather than endpoint-1 itself.

On 4 October 2016 at 09:18, <Mohan.Radhakrishnan at cognizant.com> wrote:

> Hi,
>         I have a general question about how we use JWT tokens.
>
> Authentication: This is the most common scenario for using JWT. Once the
> user is logged in, each subsequent request will include the JWT, allowing
> the user to access routes, services, and resources that are permitted with
> that token. Single Sign On is a feature that widely uses JWT nowadays,
> because of its small overhead and its ability to be easily used across
> different domains.
>
> That seems to be our scenario.  AFAIK there is no OAuth/OpenID in this
> system.
> Our JWT token from the browser is sent in a header to Rest Endpoint-1.
> This endpoint isn't secured. I mean that it can't verify the claims in the
> token. The claims don't represent any information related
> to this endpoint. It just passes the token along to Endpoint-2 which is
> capable of verifying the token.
>
> Is this Endpoint-1 considered insecure now? It is just a mediator but
> anyone with the token can access it. How do I make Endpoint-2 trust
> Endpoint-1?
>
>
> Thanks,
> Mohan

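The arrangement discussed above, as an added example that is not code from the thread or from Keycloak: Endpoint-1 relays the bearer header untouched, Endpoint-2 checks the signature, expiry and audience itself, so a valid user token passes and a token altered in transit is rejected no matter which service forwarded it. HS256 with a shared secret stands in for Keycloak's RS256 realm key; the secret, claims and endpoint names are constructed.

```python
# Constructed demo of "Endpoint-2 trusts the token, not Endpoint-1".
# HS256 stands in for Keycloak's RS256 realm key; all values are made up.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # stand-in for the realm signing key

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict) -> str:
    """Constructed issuer: the role Keycloak plays when the user logs in."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def endpoint_1(authorization: str, now=None) -> dict:
    """Mediator: never inspects the token, only relays the header onward."""
    return endpoint_2(authorization, now)

def endpoint_2(authorization: str, now=None) -> dict:
    """Verifies signature and claims; the forwarding hop earns no trust."""
    if not authorization.startswith("Bearer "):
        return {"ok": False, "reason": "no bearer token"}
    try:
        header, payload, sig = authorization[7:].split(".")
        sig_bytes = _b64url_decode(sig)
    except (ValueError, base64.binascii.Error):
        return {"ok": False, "reason": "malformed token"}
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):  # check before trusting claims
        return {"ok": False, "reason": "bad signature"}
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return {"ok": False, "reason": "expired"}
    if claims.get("aud") != "endpoint-2":
        return {"ok": False, "reason": "wrong audience"}
    return {"ok": True, "sub": claims["sub"]}

if __name__ == "__main__":
    tok = issue_token({"sub": "mohan", "aud": "endpoint-2", "exp": time.time() + 300})
    print(endpoint_1("Bearer " + tok))  # accepted: the user's token is valid
    h, p, s = tok.split(".")
    altered = ".".join([h, ("B" if p[0] != "B" else "C") + p[1:], s])  # claim changed in transit
    print(endpoint_1("Bearer " + altered))  # rejected: passing through Endpoint-1 adds no trust
```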
