Reputation: 792
I am trying to validate the token received from Keycloak. I have created TestClient as the client, TestRealm as the realm and "user" as the user. While validating the received token, I am hitting this endpoint: http://localhost:8080/auth/realms/TestRealm/protocol/openid-connect/userinfo.
In the response, instead of receiving the actual user details, I am receiving this response every time:
{
"sub": "xxxx-xxxx-xxxx-xxxx-xxxxxx",
"email_verified": false,
"preferred_username": "service-account-testclient"
}
Can someone explain?
Upvotes: 0
Views: 15801
Reputation: 39
The endpoint you are using is for getting the user info. For token validation the endpoint will look like http://localhost:8080/auth/realms/{realm-name}/protocol/openid-connect/token; this is the standard OIDC format.
Upvotes: 1
Reputation: 61
As @JanGaraj already pointed out, by getting a proper response from the userinfo endpoint, Keycloak already verified the token. However, the basic intention of JWT validation is that your application can do it without dependency on any other service.
The Keycloak documentation chapter 2.6.2 itself also explains it pretty well and gives you an option if you really need to have the tokens validated by Keycloak manually.
Upvotes: 1
Reputation: 1218
To validate a token, get the public key from the jwks_uri (JSON Web Keys) endpoint of the OpenID Connect standard set of endpoints. Then do the signature validation.
Refer to this article for more information on token validation.
Upvotes: 2
Reputation: 28724
I wouldn't say that you are doing a token validation. Token validation requires token signature verification (usually against the used realm's public key).
You are just calling the standard OIDC userinfo endpoint with the token in the auth header, and Keycloak must execute a token validation as part of request processing. The userinfo response depends on your Keycloak client configuration (mappers, scopes, ...).
So when you are getting a userinfo response with HTTP code 200, then the token must be valid. But don't use userinfo for "token validation": it will increase Keycloak load unnecessarily, it is a slow approach, the userinfo endpoint is not designated for that, .... Do an offline, stateless, quick token signature verification. It should be a standard feature of all OIDC libraries.
Upvotes: 3