Java + Keycloak -> token verification

coolmurarz · June 16, 2023, 10:52am

I have a Java application with the following configuration:
quarkus:
oidc:
auth-server-url: http://localhost:8080/auth/realms/ar-console
client-id: ${KEYCLOAK_CLIENT_ID}
credentials:
secret: ${KEYCLOAK_CLIENT_SECRET}

Keycloak and the Java application are running on the same host.
I’m taking token from this Keycloak using Postman but using its external address e.g. http://67.239.34.22:9000

When I tryaing to get to the resource with this token, i receive status 401 Unathorized.
I don’t know why since it’s the same Keycloak server!

I remember it worked on earlier versions of Keycloak, so i suspect that something must have changed at some point.

Can someone explain to me how it is verified whether the received token was generated by the appropriate Keycloak.

embesozzi · June 16, 2023, 12:04pm

Hi,
One thing to keep in mind is that during the token validation, you MUST have the iss claim (issuer) with the same value. If you use different domains for the OIDC discovery endpoint and the token negotiation, the token validation will fail.
Here is the full spec of the token validation:

Final: OpenID Connect Core 1.0 incorporating errata set 1

Regards,

Topic		Replies	Views
Using client secret to signing tokens instead of realm keys Getting advice authentication , oidc	2	2209	July 1, 2022
OAuth2 IDP instead of OIDC Configuring the server authentication , identity-brokering , oidc	1	1154	October 3, 2020
Log in on a application	2	335	October 15, 2021
Changes in OIDC Token endpoints Getting advice oidc	7	1044	October 21, 2022
Keycloak Jwt Validation with C# Securing applications	4	1924	November 7, 2023

Java + Keycloak -> token verification

Related Topics