Reputation: 263
Keycloak token validation flow
When a request with the bearer token hits a microservice, does microservice talk to keycloak to validate the token for each request?
Is traffic "Step 5" configurable via keycloak adapter?
Upvotes: 3
Views: 1181
Answers (2)
Reputation: 39
If you run your microservice, every time you send a request to an api after adding the token in the logs you will see "Loaded URLs from http://localhost:8080/auth/realms/{realm-name}/.well-known/openid-configuration". Upon clicking this link you will see that there are a set of URLs present here, endpoints for token generation, userinfo etc.,there are endpoints for getting the certs and signing keys as well via which the signing key of the token is verified. (This will only happen if keycloak properties are defined in application.properties/application.yml)
Step 5 will happen on using Keycloak adapter (Choice of adapter given in keycloak documentation)
Upvotes: 0
Reputation: 1192
No, that would make too many requests. In initialization phase microservice loads public key and signing algorithm from Keycloak’s well known config page. On each request microservice checks the signature of the bearer token. Access token lifespan should not be too long and that is how you force your frontend to periodically go to Keycloak and refresh the bearer.
Upvotes: 2
Related Questions
- Keycloak: Access token validation end point
- Keycloak service to service
- Keycloak: Validate access token and get keycloak ID
- Validate token on keycloak server for every api call
- KeyCloak User validation and getting token
- How to make Keycloak validate user consent?
- Unable to validate the token from Keycloak
- Keycloak issuer validation and multi-tenancy approach
- How does a Keycloak client validate a token
- Keycloak authorization