[keycloak-user] Best way to verify an AccessToken with RSATokenVerifer and keycloak-admin-client

Thomas Darimont thomas.darimont at googlemail.com
Mon Feb 20 13:06:50 EST 2017


the actual URL for Variant 2 is: http://192.168.99.1:8080/auth/realms/apidemo
...

2017-02-20 19:02 GMT+01:00 Thomas Darimont <thomas.darimont at googlemail.com>:

> Hello Group,
>
> what is currently the best way to verify an access token with the
> keycloak-admin-client in an application without a configured keycloak
> deployment/adapter?
>
> In the adapter scenario the PublicKey needed by the RSATokenVerifier is
> retrieved with a PublicKeyLocator which is provided by the
> KeycloakDeployment.
>
> With no deployment at hand one needs to retrieve the public key
> dynamically to deal with key rotation. I found two variants to do this -
> which one do you think is the best?
>
> Variant 1)
> Iterate over keycloak.realm(realmId).keys().getKeyMetadata().getKeys()
> and find the public key currently referenced by the kid in the JWKSHeader
> of the AccessToken.
>
> However, this requires that the current user / client role has at least one
> role of the realm-management client, e.g. view-realm.
>
> Variant 2)
> Send a GET request without any authentication to
> http://192.168.99.1:8080/auth
> This will return the representation of the PublicRealmResource as JSON,
> which contains the currently active RSA public key for the realm.
>
> This variant doesn't require any role on the client / user since it
> doesn't require authentication.
> Unfortunately the current keycloak-admin-client doesn't seem to provide a
> way to access the PublicRealmResource information which requires additional
> code to fetch the resource.
>
> Is there a reason for this or is this "just" an API gap that can be fixed?
>
> You can find a gist with a quick demo for the two variants here:
> https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde
>
> Cheers,
> Thomas
>
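As an added example (not Thomas's gist and not part of the keycloak-admin-client), the following Java class implements Variant 2 end to end: it fetches the realm's JSON representation from the unauthenticated realm URL given above, decodes the `public_key` field (assumed to be the base64-encoded X.509 SubjectPublicKeyInfo that the realm endpoint returns), and verifies tokens with `RSATokenVerifier` from keycloak-core. Because that endpoint only exposes the currently active key and no `kid`, key rotation is handled by refetching the key once when verification with the cached key fails; the refetch is rate-limited so that a flood of bogus tokens cannot turn the verifier into a request generator against the Keycloak server. It assumes keycloak-core and Jackson on the classpath; the class and method names below are the example's own.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.RSATokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;

/**
 * Variant 2 from the thread: load the realm's active RSA public key from the
 * unauthenticated realm endpoint and verify access tokens with RSATokenVerifier.
 * No realm-management role is needed. (Example class, not Keycloak's own code.)
 */
public class RealmKeyTokenVerifier {

    // Bound the cost of forced refreshes: at most one refetch per interval.
    private static final long MIN_REFRESH_INTERVAL_MS = 60_000L;

    private final String realmUrl; // e.g. http://192.168.99.1:8080/auth/realms/apidemo
    private final ObjectMapper mapper = new ObjectMapper();
    private volatile PublicKey cachedKey;
    private volatile long lastRefreshMillis;

    public RealmKeyTokenVerifier(String realmUrl) {
        this.realmUrl = realmUrl;
    }

    /** Verifies signature, issuer and validity window; returns the parsed token. */
    public AccessToken verify(String tokenString) throws VerificationException {
        try {
            return verifyWith(tokenString, currentKey(false));
        } catch (VerificationException first) {
            // The realm may have rotated its key since we cached it: refetch once and retry.
            PublicKey refreshed = currentKey(true);
            if (refreshed == cachedKeyBefore(first)) {
                throw first; // refresh was rate-limited, nothing new to try
            }
            return verifyWith(tokenString, refreshed);
        }
    }

    private PublicKey cachedKeyBefore(VerificationException ignored) {
        return cachedKey;
    }

    private AccessToken verifyWith(String tokenString, PublicKey key) throws VerificationException {
        return RSATokenVerifier.create(tokenString)
                .publicKey(key)
                .realmUrl(realmUrl)   // the token's iss claim must equal the realm URL
                .checkActive(true)    // reject expired and not-yet-valid tokens
                .verify()
                .getToken();
    }

    /** Returns the cached key, fetching it when absent or when a refresh is requested and allowed. */
    private synchronized PublicKey currentKey(boolean forceRefresh) throws VerificationException {
        long now = System.currentTimeMillis();
        boolean refreshAllowed = now - lastRefreshMillis >= MIN_REFRESH_INTERVAL_MS;
        if (cachedKey == null || (forceRefresh && refreshAllowed)) {
            cachedKey = fetchRealmPublicKey();
            lastRefreshMillis = now;
        }
        return cachedKey;
    }

    /** GET {realmUrl} without credentials and decode the "public_key" field. */
    private PublicKey fetchRealmPublicKey() throws VerificationException {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(realmUrl).openConnection();
            conn.setRequestProperty("Accept", "application/json");
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            try (InputStream in = conn.getInputStream()) {
                JsonNode realm = mapper.readTree(in);
                byte[] spkiDer = Base64.getDecoder().decode(realm.get("public_key").asText());
                return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(spkiDer));
            }
        } catch (Exception e) {
            throw new VerificationException("Could not load realm public key from " + realmUrl, e);
        }
    }

    public static void main(String[] args) throws Exception {
        RealmKeyTokenVerifier verifier =
                new RealmKeyTokenVerifier("http://192.168.99.1:8080/auth/realms/apidemo");
        AccessToken token = verifier.verify(args[0]); // raw access token string
        System.out.println("subject=" + token.getSubject()
                + " username=" + token.getPreferredUsername());
    }
}
```

The key is fetched over plain HTTP here only because the thread's demo URL is HTTP; in any real deployment the realm URL should be HTTPS, since an attacker who can tamper with that response can substitute their own public key and mint tokens the verifier will accept. `realmUrl(...)` matters for the same reason: it pins the expected issuer, so a valid token from a different realm is rejected even if it were signed with a key this verifier trusts.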

