Validate JWT token from Keycloak

Hi everyone, I’m developing an university project with Oauth2 and Keycloak.

I’ve implemented Keycloak login in a Flutter (web) Single Page Application (SPA) using openid_client (with PKCE) and I successfully get JWT tokens from Keycloak.

The spa accesses resources on a backend written in Flask (Python).
From the backend how can I know if the token I receive in the “Authorization” header is valid?
I tried using the “token introspect” endpoint, but it doesn’t work because my client is “public access” type.

I also tried using Postman by making a GET request to the “userinfo” endpoint (following this guide) providing the token but I always get “401 Unauthorized”

Thanks is advance

To check if the token is valid, you can proceed as follow:

  • Validate the signature of the token using the realm’s public key (certificate) . The certificate is available at an endpoint similar to this: https:///realms//protocol/openid-connect/certs
  • Check the issue date and expiry date in the token’s claims
  • Check the issuer claim to make sure it matches to value expected from your keycloak server
    If needed, you can perform other additional checks based on claims such as audience and so on.
1 Like

Thank you for your response.
I implemented in my backend a function for getting public key from Keycloak and validate the token.
But I’m getting token signed with HS512 instead of RS256…

Please check at the client level if a different signature algorithm is not specified there:
Advanced tab → Fine grain OpenID Connect configuration → Access token signature algorithm

I set “RS256” everywhere in my client, but I keep getting tokens signed with HS512.

You could also check the realm keys to make sure the key you set as signature key is enabled, active, and have have higher priority:
Realm settings → keys tab

About which token(s) you guys are talking?
The refresh token is signed by default with an HMAC algorithm, that’s intended and does not need to be changed.
All the settings discussed here should yield to the access- and id-tokens.
Are you sure your access-/id-tokens are signed with HMAC? Or is it the refresh token you are talking about?

I’m referring to the access token

I solved it, I was considering the wrong token.