[keycloak-user] Adapter Token Verification
Король Илья
llivezking at gmail.com
Tue Apr 11 08:19:13 EDT 2017
Hi. As far is i understanded adapters workflow, adapter wouldn't make
any additional request to keycloak server. While your application
started adapter retrieves all required settings from keycloak (pubkeys,
authorization settings etc.) and then on every request it just verify
signature of AccessToken (which is JWT), and timestamps of token
issuring, so your application could be confident that AT comes from
proper keycloak instance and it isn't obsolete. Proof of that assumtion
is that if you ask keycloak to generate keycloak.json for you
bearer-only client it wouldn't put clientSecret to keycloak.json, so it
excludes any secure communication between your client and keycloak.
Also thats why AT must have small TTL, because if AT has long TTL and
user signs out, this AT would be still valid for your backend
bearer-only application.
11.04.2017 20:20, Kevin Berendsen пишет:
> Hi community!
>
> Is there any diagram of how token verification takes place in adapters? I have a public client and a bearer-only client which is basically a protected API. I wish to verify the token on each API request and it already does that out-of-the-box with Spring Security which is nice but how I'm 100% certain that the bearer token is valid?
>
> In Keycloak.json it's possible to fill in a realm-public-key. When that key has a value in the JSON object, will the verification of the token only happen on the client (due to the signature within the token) or does it make an external request to the Keycloak endpoint to verify the token and fill the security context of the HttpSession?
>
> Kind regards,
>
> Kevin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list