[keycloak-user] Public key for verifying JWT?

Wyllys Ingersoll wyllys.ingersoll at keepertech.com
Wed Oct 3 09:46:11 EDT 2018


Isn't that a rather important bug to be fixed?  What's the point of signing
something with a key that cannot be shared with the verifiers?

On Wed, Oct 3, 2018 at 1:30 AM Stian Thorgersen <sthorger at redhat.com> wrote:

> HS* signing algorithms cannot be verified by the client today as it is
> not using a shared secret, rather a secret only Keycloak knows. You need to
> pick a different algorithm or use the token introspection endpoint.
>
> On Tue, 2 Oct 2018, 22:21 Wyllys Ingersoll, <
> wyllys.ingersoll at keepertech.com> wrote:
>
>> I'm trying to verify a JWT access token from Keycloak using the python
>> jose-jwt library, but cannot seem to get it to succeed. When using the
>> HS512 algorithm, how does one retrieve the key needed to verify the JWT
>> tokens?
>>
>> The JWT header decodes to something like this:  {"alg":"HS512","typ" :
>> "JWT","kid" : "eb31076b-bce6-495a-9a4b-e3210e14b342"}, but I don't see how
>> to get the key associated with the given kid value above.
>>
>> I tried using the "client secret" from the credential section, but that's
>> not working.
>>
>> What am I missing?
>>
>> thanks!
>
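As an added illustration of the point made in this thread (not code from the thread or from Keycloak): a client-side key selector that refuses to attempt local verification of an HS*-signed token, since the HMAC secret lives only on the Keycloak side, and otherwise looks the header's `kid` up in a JWKS document. The JWKS content, the secret and the token built by `make_hs512_token` are constructed placeholders; `verify_hs512` shows that local HS512 verification only succeeds with the exact secret the issuer used, which is why the console's client secret does not work here.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the JWKS a realm publishes (Keycloak's "certs" endpoint).
# The key material is a placeholder, not a real RSA key.
SAMPLE_JWKS = {"keys": [{"kid": "rs-key-1", "kty": "RSA", "alg": "RS256",
                         "use": "sig", "n": "PLACEHOLDER_MODULUS", "e": "AQAB"}]}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def peek_header(token: str) -> dict:
    """Decode the JOSE header WITHOUT trusting it; it is only used to pick a key."""
    return json.loads(b64url_decode(token.split(".")[0]))


def select_verification_key(token: str, jwks: dict):
    """Return (key, reason): the JWKS entry to verify with, or None and why not."""
    header = peek_header(token)
    alg = header.get("alg", "")
    if alg.startswith("HS"):
        # Symmetric algorithm: the HMAC secret is not shared with clients,
        # so the client-side path is the token introspection endpoint.
        return None, "HS* token: signing secret is not shared; use introspection"
    for key in jwks.get("keys", []):
        if key.get("kid") == header.get("kid") and key.get("use", "sig") == "sig":
            return key, "ok"
    return None, "no JWKS entry for kid %r" % header.get("kid")


def make_hs512_token(claims: dict, secret: bytes, kid: str) -> str:
    """Constructed HS512 token (demo input only), built the way RFC 7515 specifies."""
    header = {"alg": "HS512", "typ": "JWT", "kid": kid}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs512(token: str, secret: bytes) -> bool:
    """Local HS512 verification needs the exact secret the issuer signed with."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, (head + "." + body).encode(), hashlib.sha512).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))
```

With a real deployment the JWKS would be fetched from the realm's certs endpoint and the RS* signature checked with a JOSE library; the selector above only decides which path applies.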

