Validate JWT token from Keycloak

Hi everyone, I’m developing a university project with OAuth2 and Keycloak.

I’ve implemented Keycloak login in a Flutter (web) Single Page Application (SPA) using openid_client (with PKCE) and I successfully get JWT tokens from Keycloak.

The SPA accesses resources on a backend written in Flask (Python).
From the backend how can I know if the token I receive in the “Authorization” header is valid?
I tried using the “token introspect” endpoint, but it doesn’t work because my client is “public access” type.

I also tried using Postman by making a GET request to the “userinfo” endpoint (following this guide) providing the token but I always get “401 Unauthorized”

Thanks in advance

Hello,
To check if the token is valid, you can proceed as follows:

  • Validate the signature of the token using the realm’s public key (certificate). The certificate is available at an endpoint similar to this: https:///realms//protocol/openid-connect/certs
  • Check the issue date and expiry date in the token’s claims
  • Check the issuer claim to make sure it matches the value expected from your Keycloak server
    If needed, you can perform other additional checks based on claims such as audience and so on.
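An offline version of the checks listed in this answer, written as an added example for the Flask (Python) backend of the question; it is not code from the thread or from Keycloak. It pins the algorithm to RS256 (so an HS512-signed refresh token, the mix-up that comes up later in this thread, is refused before any key lookup), verifies the signature against the realm's JWKS, then checks exp/iat, issuer and audience. The key id, the toy RSA key and the JWKS/token fixtures are constructed so the sample runs without a Keycloak server; in a real backend fetch the JWKS from the certs URL above and pass your realm's issuer URL and the audience your client is configured to emit.

```python
import base64, hashlib, hmac, json, time

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 SHA-256 prefix
# Constructed toy RSA key (two Mersenne primes) so the self-test runs offline; never use such a key for real.
_P, _Q, _E, _KID = (1 << 521) - 1, (1 << 607) - 1, 65537, "test-kid"
_N, _D = _P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1))
_K = (_N.bit_length() + 7) // 8  # modulus length in bytes
b64u_decode = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWT segments carry no padding
b64u_encode = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:  # RFC 8017 encoding of SHA-256(msg) into k bytes
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_verify(jwk: dict, msg: bytes, sig: bytes) -> bool:  # public key (n, e) as published in the JWKS
    n, e = (int.from_bytes(b64u_decode(jwk[p]), "big") for p in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    decoded = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    return hmac.compare_digest(decoded, _emsa_pkcs1_v15(msg, k))

def verify_access_token(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """Return the claims of a valid Keycloak access token; raise ValueError with the reason otherwise."""
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")
    header = json.loads(b64u_decode(h64))
    if header.get("alg") != "RS256":  # pin the algorithm: an HS512-signed refresh token is refused here
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    keys = [k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if not keys or not rs256_verify(keys[0], f"{h64}.{p64}".encode(), b64u_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_decode(p64))
    if claims["exp"] <= now or max(claims.get("iat", 0), claims.get("nbf", 0)) > now + 60:  # 60 s skew
        raise ValueError("token expired or not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("unexpected audience")
    return claims
def rejection_reason(token: str, jwks: dict, issuer: str, audience: str, now=None):
    try:  # None when accepted, otherwise the reason a Flask handler would log alongside its 401
        verify_access_token(token, jwks, issuer, audience, now)
    except (ValueError, KeyError) as exc:
        return str(exc)
def test_jwks() -> dict:  # constructed stand-in for GET <issuer>/protocol/openid-connect/certs
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": _KID,
                      "n": b64u_encode(_N.to_bytes(_K, "big")), "e": b64u_encode(_E.to_bytes(3, "big"))}]}
def make_test_token(claims: dict, alg: str = "RS256") -> str:  # constructed: mints a token with the toy key
    signing_input = b64u_encode(json.dumps({"alg": alg, "kid": _KID}).encode()) + "." + b64u_encode(json.dumps(claims).encode())
    sig = pow(int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), _K), "big"), _D, _N).to_bytes(_K, "big")
    return signing_input + "." + b64u_encode(sig)
```

The RSA verification is written against the standard library only so the example has no dependencies; a production backend would do the same checks with a maintained JWT library and cache the JWKS by key id.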

Thank you for your response.
I implemented in my backend a function for getting public key from Keycloak and validate the token.
But I’m getting token signed with HS512 instead of RS256…

Please check at the client level whether a different signature algorithm is specified there:
Advanced tab → Fine grain OpenID Connect configuration → Access token signature algorithm

I set “RS256” everywhere in my client, but I keep getting tokens signed with HS512.

You could also check the realm keys to make sure the key you set as signature key is enabled, active, and has a higher priority:
Realm settings → Keys tab

Which token(s) are you guys talking about?
The refresh token is signed by default with an HMAC algorithm, that’s intended and does not need to be changed.
All the settings discussed here should yield to the access- and id-tokens.
Are you sure your access-/id-tokens are signed with HMAC? Or is it the refresh token you are talking about?

I’m referring to the access token.

I solved it, I was considering the wrong token.