[keycloak-user] kid and x5t jwt header

Thomas Darimont thomas.darimont at googlemail.com
Wed Mar 1 14:20:09 EST 2017


Hello Robert,

Yes, you can use the kid to identify the public key from the keys or certs
endpoints that can be used to verify the signature of the JWT token.

"Certs Endpoint":
http://localhost:8081/auth/realms/$REALM/protocol/openid-connect/certs
This endpoint shows all keys without any authentication.

"Keys Endpoint":
http://localhost:8081/auth/admin/realms/$REALM/keys
This is the internal admin REST resource which also provides access to the
keys.
Note that you need at least one realm role to access this endpoint.

"Realm Endpoint":
http://localhost:8081/auth/realms/$REALM
This seems to only show the currently active public key.

The following example shows 3 ways to retrieve the realm public key and
verify a JWT token:
https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde

Cheers,
Thomas


2017-03-01 16:42 GMT+01:00 Robert . <robert.discussions at gmail.com>:

> Hi,
> A (.net) application has stored multiple certificates. It wants to choose
> the appropriate certificate to validate the signature in the received jwt.
> Regarding this I have the following questions.
>
> What exactly is the key ID (kid) header in the jwt? Is it possible to use
> this to find the right certificate?
>
> Is it possible to add a x.509 certificate thumbprint (x5t) header in the
> jwt created by keycloak? Is there a feature request for this? Could I
> implement this myself via some extension mechanism?
> Or do I need to add it in the core source code and submit it to be included
> in the keycloak product?
>
> Regards,
> Robert
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

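The kid lookup Thomas describes, as an added example that is not part of this thread, of his gist, or of Keycloak itself. It is a self-contained Go program: it generates an RSA key, publishes it under a made-up kid ("realm-key-1") in a JWKS of the shape the certs endpoint serves (built in-process here instead of fetched from http://localhost:8081/auth/realms/$REALM/protocol/openid-connect/certs), signs an RS256 token whose header carries that kid, and then verifies the token by reading the kid from the unverified header, selecting the matching published key, and checking the signature. The verifier pins alg to RS256, treats a missing or unknown kid as an error, and never derives a key from anything in the token other than the kid, because until the signature verifies the whole header is attacker-controlled. The subject claim and realm name are made up for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the members of an RFC 7517 RSA key entry that the lookup needs;
// other members of a certs-endpoint entry (use, x5c, ...) are ignored on parse.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document shape served by .../protocol/openid-connect/certs.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

var b64 = base64.RawURLEncoding

// NewJWKS publishes pub under kid (constructed in-process for this demo,
// standing in for the document fetched from the certs endpoint).
func NewJWKS(kid string, pub *rsa.PublicKey) JWKS {
	return JWKS{Keys: []JWK{{Kid: kid, Kty: "RSA",
		N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}}
}

// SignRS256 builds header.payload.signature with kid in the header, the way
// a realm's active key signs tokens.
func SignRS256(kid string, claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyWithKid selects the published key named by the token's kid header
// and checks the RS256 signature. alg is pinned, kid must be present, and a
// kid absent from the published set is rejected rather than resolved elsewhere.
func VerifyWithKid(token string, jwks JWKS) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string } // json matching is case-insensitive
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" || hdr.Kid == "" {
		return nil, fmt.Errorf("rejecting token with alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	var jwk *JWK
	for i := range jwks.Keys {
		if jwks.Keys[i].Kid == hdr.Kid && jwks.Keys[i].Kty == "RSA" {
			jwk = &jwks.Keys[i]
			break
		}
	}
	if jwk == nil {
		return nil, fmt.Errorf("no published key for kid %q", hdr.Kid)
	}
	n, err1 := b64.DecodeString(jwk.N)
	e, err2 := b64.DecodeString(jwk.E)
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url in key or signature")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify under kid %q: %w", hdr.Kid, err)
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := NewJWKS("realm-key-1", &priv.PublicKey) // kid value is made up
	tok, _ := SignRS256("realm-key-1", map[string]interface{}{"sub": "alice"}, priv)
	claims, err := VerifyWithKid(tok, jwks)
	fmt.Println(claims, err)
}
```

In a real client the JWKS comes from the certs endpoint and is cached by kid; on an unknown kid, refetch the document once (the realm may have rotated keys) and only then fail. The same selection works on any other header member that identifies a published key, such as the thumbprint Robert asks about, provided the value is matched against keys the client already trusts and never used to fetch a key from a location the token names.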