[keycloak-user] kid and x5t jwt header

Robert . robert.discussions at gmail.com
Thu Mar 2 10:36:22 EST 2017


Hi,

We need a way to find the correct certificate without using a keycloak rest
endpoint.
One of the certificates comes from keycloak, but others do not. All of the
certificates are stored at the REST service application.
If there was an x5t header, we could find the correct certificate using the
fingerprint.


On 1 March 2017 at 20:20, Thomas Darimont <thomas.darimont at googlemail.com>
wrote:

> Hello Robert,
>
> yes, you can use the kid to identify the public key from the keys or
> certs endpoints
> that can be used to verify the signature of the JWT token.
>
> "Certs Endpoint":
> http://localhost:8081/auth/realms/$REALM/protocol/openid-connect/certs
> This endpoint shows all keys without any authentication.
>
> "Keys Endpoint":
> http://localhost:8081/auth/admin/realms/$REALM/keys
> This is the internal admin REST resource which also provides access to the
> keys.
> Note that you need at least one realm role to access this endpoint.
>
> "Realm Endpoint":
> http://localhost:8081/auth/realms/$REALM
> This seems to only show the currently active public key.
>
> The following example shows 3 ways to retrieve the realm public key and
> verify a JWT token:
> https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde
>
> Cheers,
> Thomas
>
>
> 2017-03-01 16:42 GMT+01:00 Robert . <robert.discussions at gmail.com>:
>
>> Hi,
>> A (.net) application has stored multiple certificates. It wants to choose
>> the appropriate certificate to validate the signature in the received jwt.
>> Regarding this I have the following questions.
>>
>> What exactly is the key ID (kid) header in the jwt? Is it possible to use
>> this to find the right certificate?
>>
>> Is it possible to add an X.509 certificate thumbprint (x5t) header in the
>> jwt created by keycloak? Is there a feature request for this? Could I
>> implement this myself via some extension mechanism?
>> Or do I need to add it in the core source code and submit it to be
>> included in the keycloak product?
>>
>> Regards,
>> Robert
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>


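One way to do the certificate selection this thread is after, as an added example (not Keycloak's code and not code posted by anyone on the list; the DER blobs are constructed stand-ins, not real certificates): match the token's kid against a local store keyed by kid (as you would build it from the certs endpoint's JWKS), or fall back to an x5t thumbprint computed locally over each stored certificate, which RFC 7515 defines as the base64url encoding of the SHA-1 digest of the DER encoding. Both header values are treated as lookup hints only; an unknown kid, or a kid and x5t that disagree, fails closed.

```python
import base64
import hashlib
import json

def b64url_decode(data: str) -> bytes:
    """Decode base64url without padding (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def x5t_of(der_cert: bytes) -> str:
    """x5t = base64url(SHA-1(DER certificate)), RFC 7515 section 4.1.7."""
    return b64url_encode(hashlib.sha1(der_cert).digest())

def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS; the signature is checked later, with the selected cert."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0]))

def select_certificate(token: str, store: dict) -> tuple:
    """Pick (kid, DER) from a trusted local store keyed by kid.

    kid and x5t from the header are untrusted hints: they only choose among
    certificates already in the store and can never introduce a new key.
    """
    hdr = jwt_header(token)
    kid, x5t = hdr.get("kid"), hdr.get("x5t")
    # Thumbprints are computed over our own trusted certificates, not copied from the token.
    by_x5t = {x5t_of(der): (k, der) for k, der in store.items()}
    if kid is not None and kid in store:
        der = store[kid]
        if x5t is not None and x5t != x5t_of(der):
            raise LookupError("kid and x5t name different certificates")
        return kid, der
    if x5t is not None and x5t in by_x5t:
        return by_x5t[x5t]
    raise LookupError("no trusted certificate matches the token header")

# Constructed sample store: placeholder bytes standing in for DER certificates.
SAMPLE_STORE = {
    "keycloak-realm-key": b"\x30\x82\x01\x00KEYCLOAK-DER-PLACEHOLDER",
    "partner-api-key": b"\x30\x82\x01\x00PARTNER-DER-PLACEHOLDER",
}

def make_unsigned_token(header: dict) -> str:
    """Build a compact token with an empty payload and signature, for header parsing only."""
    return ".".join([b64url_encode(json.dumps(header).encode()), b64url_encode(b"{}"), ""])
```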