[keycloak-user] How does a bearer only client validate

Chris Benninger cbenninger at phemi.com
Wed May 31 13:48:19 EDT 2017


Keycloak has a keypair. Clients that trust that Keycloak instance are given
the public key.  Keycloak uses the private key to sign the tokens it
generates. The way JWT works is you can validate that tokens were signed by
a private key as long as you have the corresponding public key. Therefore
any JWT tokens that a trusted service generates can be validated using only
its public key.

The Keycloak libs on the REST backend service talk to Keycloak once (when
the first request comes in) and pull down the public key they need to
validate the tokens. For all further requests it then uses this public key
to verify the signature and if it is valid, the timestamp is valid and a
few other fields are valid, the token facts will be extracted and provided
to whatever enforcement mechanism you are using.

https://jwt.io/introduction/

On Wed, May 31, 2017 at 5:14 AM, Pulkit Gupta <pulgupta at redhat.com> wrote:

> Hi All,
>
> I have two Keycloak clients: one is a public client using implicit flow and
> authenticating the user via a redirect, and then once the user is
> authenticated the client receives a token.
> This token is then passed to a REST based backend service which validates it
> before providing access to the API data.
>
> I am looking for more information on how a bearer-only client
> validates the token which it receives from the JavaScript based public
> client. I will also be interested to understand more about the relationship
> of these two clients based on scope to make this setup work.
>
>
> --
>
> PULKIT
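The validation flow described in the reply above (the backend holds only the public key and checks the signature, the expiry and a few other fields), as an added Go example that is not from this thread or from Keycloak's own adapters. The issuer URL, the client id and the `MintRS256` stand-in for Keycloak's signing step are assumptions; real Keycloak tokens carry many more claims and `aud` may be an array.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
type Claims struct { // only the fields this example checks; real Keycloak tokens carry more
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// MintRS256 is a constructed stand-in for Keycloak: it signs header.payload with the private key.
func MintRS256(priv *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return in + "." + b64.EncodeToString(sig)
}

// VerifyRS256 stands in for the bearer-only backend, which holds only Keycloak's public key.
func VerifyRS256(pub *rsa.PublicKey, tok, wantIss, wantAud string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	// The header's "alg" is deliberately ignored: algorithm and key are fixed by configuration, so the token cannot pick a weaker one.
	sig, err := b64.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature does not verify against the issuer's public key")
	}
	var c Claims
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("unreadable payload")
	}
	if c.Exp <= now || c.Iss != wantIss || c.Aud != wantAud {
		return nil, errors.New("token expired or issued for a different realm/client")
	}
	return &c, nil
}
```

Claims are only read after the signature has verified, so an edited payload or a token signed by any other key is rejected before its contents are trusted.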

