How to verify the access token without client secret key in keycloak


Naresh M

Jul 26, 2023, 3:28:32 AM7/26/23
to Keycloak User

Hi All,

I want to verify the token before sending my API response; if the token is valid I will send 200, else I will send 401.

I have Node.js services as the backend and a frontend in Angular. I want to secure my Node API with Keycloak; I am using Keycloak 22.0.0. We tried {{keycloak_url}}/realms/{{realm}}/protocol/openid-connect/token/introspect/, which requires a client secret, but I am not using client authentication.

I also tried the userinfo endpoint {{keycloak_url}}/realms/{{realm}}/protocol/openid-connect/userinfo; it always gives 403.

Finally, for the time being I am using {{keycloak_url}}/realms/{{realm}}/users/{{user-sub}}/sessions in my Node middleware to get the session and check whether the token is active or not. The reason I don't recommend this approach is that my user might have 50 sessions, so the response object will contain a huge amount of data, which will impact performance.

Please provide a suitable/better solution for this.

Thanks in advance!

Naresh M

Geoffrey Cleaves

Jul 26, 2023, 4:01:19 AM7/26/23
to Naresh M, Keycloak User
Hello. I do not have the answer to your question, but I have a question and a recommendation.

Have you considered not verifying the token at all? Or better said, verifying it locally instead of via the API. That is the expected usage pattern.

Access tokens have a very short lifetime (5 minutes by default) and are cryptographically signed by the server. You have everything you need to verify the token without the API call. Calling the introspection API every time the token is used creates a tremendous overhead with little benefit.

Why do you want to verify the token each time your API is consumed? 


Naresh Manthena

Jul 26, 2023, 4:37:35 AM7/26/23
to Geoffrey Cleaves, Keycloak User
Thanks for your reply,

I have a use case scenario; my token lifespan is 30 minutes:
  1. I am a user logged into Keycloak; I have a valid token for 30 minutes.
  2. After 5 minutes I log off, but my token still has 25 minutes of validity.
  3. If my token is stolen, they can access my Node APIs for the remaining 25 minutes.

To prevent this I want to verify the token on each request; otherwise, please suggest a better approach.
--
Regards,
Naresh Manthena,
M: 9000994443.

Geoffrey Cleaves

Jul 26, 2023, 4:46:16 AM7/26/23
to Naresh Manthena, Keycloak User
The need to introspect the token is driven by the 30m lifespan. Can you revisit that decision and cut the lifespan to something much shorter?

Otherwise, can you create a client with a secret just for token introspection? Why can't you use client authentication just for this purpose?

Naresh Manthena

Jul 26, 2023, 5:04:20 AM7/26/23
to Geoffrey Cleaves, Keycloak User
If I use client authentication I have to provide the client secret in my Angular app (user login), which is not secure because it sits in the browser.
If I use this in a Node server, I have to maintain the session or pass the same session to the browser.

Naresh Manthena

Jul 26, 2023, 6:28:00 AM7/26/23
to Geoffrey Cleaves, Keycloak User
Hi Geoffrey,

To answer your question, 

If we are checking the token locally we need a PUBLIC/SECRET key to validate it. If I have 10 clients I have to share it with them to validate the token; this is one more issue.

On Wed, Jul 26, 2023 at 1:31 PM Geoffrey Cleaves <gcle...@gmail.com> wrote:

Geoffrey Cleaves

Jul 26, 2023, 7:18:33 AM7/26/23
to Naresh Manthena, Keycloak User
You only need ONE *public* key to validate the token. Secret keys do not enter the picture when verifying a cryptographic signature. 

You do not need a key per client if all the clients are in the same realm. 

I believe you are missing some basic understanding of Keycloak architecture. Or, I am misunderstanding your questions, but I don't think so.

Naresh Manthena

Jul 26, 2023, 7:22:42 AM7/26/23
to Geoffrey Cleaves, Keycloak User
What I mean is, I need this one public key in all 10 applications (clients) to validate the access token; this is my understanding.
Is it correct?

Geoffrey Cleaves

Jul 26, 2023, 7:27:35 AM7/26/23
to Naresh Manthena, Keycloak User
Yes, any resource server (backend API) which relies on JWT authentication must validate the token using Keycloak's public key.

The public key is published on an endpoint by Keycloak. The backend API server should cache the key since it almost never changes and it isn't necessary to query Keycloak for the key each time it is needed.

Naresh Manthena

Jul 26, 2023, 7:49:10 AM7/26/23
to Geoffrey Cleaves, Keycloak User
Thank you for the clarification. 