How do I know if a token has been tampered with

Since tokens can be easily decoded, how do I know if a token hasn’t been tampered with? Or is this not something I need to worry about, as it is inherently secure?

Tokens in Keycloak are JWTs (JSON Web Tokens).
Read about the spec, how JWTs work.
JWTs have a signature with which the integrity of the tokens can be verified.


Yes, but I don’t find any details about how to verify the token sent by Keycloak in my own application. Is that necessary?

Yes, how would you otherwise know that the token has not been tampered with!? That's what the signature is there for.
Read the spec, look for JWT/OIDC libraries fitting for your environment/ecosystem, read about all that, then you will understand.
Depending on the library you are going to use in your application, it might do that for you implicitly, but it has to be done.

I had this question because I thought I should at least fetch the public key from Keycloak, but actually, the library automatically retrieves the public key when validating the token. Am I correct?

As Niko said, that depends on the library you are using.

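As an added worked example for the two points made in this thread (the signature must be verified, and the library fetches the realm's public key for you), here is what an OIDC library does implicitly, written against the Go standard library only so it runs offline. This is not code from the thread or from Keycloak. It looks up the signing key by the token's kid in a JWKS, pins the algorithm to RS256, verifies the signature over header.payload, and only then checks iss, aud and exp. The realm URL https://sso.example.test/realms/demo, the client id my-app and the key id test-kid-1 are assumptions; the key pair and the JWKS are generated in-process instead of being fetched from the realm's certs endpoint, which is the step a real client performs (and caches, refreshing when it sees an unknown kid).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
const issuer = "https://sso.example.test/realms/demo" // assumed realm URL, i.e. the expected "iss" claim

// jwk is one entry of the realm certs document (/realms/<realm>/protocol/openid-connect/certs);
// encoding/json fills Kid/N/E from "kid"/"n"/"e" case-insensitively. jwks is that
// document's "keys" array indexed by kid, which is how a client caches it.
type jwk struct{ Kid, N, E string }
type jwks map[string]jwk
func encodeJSON(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
func decodeJSON(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signRS256 mints a token the way an issuer does. Constructed fixture so there is
// something to verify; not Keycloak's code (the rand error is ignored on purpose).
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	input := encodeJSON(map[string]string{"alg": "RS256", "kid": kid}) + "." + encodeJSON(claims)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig)
}

// tamper changes one claim and keeps the original signature: what anyone who can decode the token can do.
func tamper(token, claim string, value any) string {
	parts := strings.Split(token, ".")
	claims := map[string]any{}
	decodeJSON(parts[1], &claims)
	claims[claim] = value
	return parts[0] + "." + encodeJSON(claims) + "." + parts[2]
}

// verifyToken does what an OIDC library does implicitly: pin the algorithm, pick the realm key
// by kid, verify the signature over header.payload, then check iss, aud and exp. Only then are the claims trustworthy.
func verifyToken(token string, keys jwks, iss, audience string, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	decodeJSON(parts[0], &hdr) // an undecodable header leaves Alg empty, rejected just below
	if hdr.Alg != "RS256" { // never let the token choose the algorithm: rejects "none" and HS256 key confusion
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	k, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q (rotated key? refresh the JWKS)", hdr.Kid)
	}
	n, _ := b64.DecodeString(k.N)
	e, _ := b64.DecodeString(k.E)
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	sig, err := b64.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid: payload tampered with or signed by another key")
	}
	claims := map[string]any{}
	decodeJSON(parts[1], &claims) // these bytes are signed, so this only fails if the issuer signed garbage
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64
	if claims["iss"] != iss || claims["aud"] != audience || now >= int64(exp) {
		return nil, fmt.Errorf("claims rejected: iss=%v aud=%v exp=%v", claims["iss"], claims["aud"], claims["exp"])
	}
	return claims, nil // RFC 7519 also allows aud as an array; real code must accept that form too
}

// newRealm returns a throwaway key pair and the JWKS a client would fetch for it (fixture only).
func newRealm() (*rsa.PrivateKey, jwks) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	k := jwk{Kid: "test-kid-1", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return priv, jwks{k.Kid: k}
}

func main() {
	priv, keys := newRealm()
	now := time.Now().Unix()
	tok := signRS256(priv, "test-kid-1", map[string]any{"iss": issuer, "aud": "my-app", "exp": now + 300, "preferred_username": "alice"})
	_, err := verifyToken(tok, keys, issuer, "my-app", now)
	fmt.Println("genuine token:", err)
	_, err = verifyToken(tamper(tok, "preferred_username", "admin"), keys, issuer, "my-app", now)
	fmt.Println("tampered token:", err)
}
```

Run it with go run: the genuine token verifies, and the copy whose preferred_username was edited after signing fails on the signature check even though it decodes just fine. Decoding a JWT is only base64, which is why anyone can read the claims; only the signature check ties the payload to the realm's private key. In production use a maintained OIDC library rather than a hand-rolled verifier like this one, but configure it with the expected issuer, audience and algorithm, since those are exactly the checks a library cannot guess on its own.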