Login/Register
Generate JWT Token in Keycloak and get public key to verify the JWT token on a third party platform
Asked Answered
Solved jwtkeycloakapigeekeycloak-services
O

1

50

There is an Endpoint to a backend server which gives a JSON response on pinging and is protected by an Apigee Edge Proxy. Currently, this endpoint has no security and we want to implement Bearer only token authentication for all the clients making the request. All the clients making the requests to API will send that JWT token in Authorization Bearer and Apigee Edge will be used to verify the JWT Token.

How do I use Keycloak to generate this JWT token?

Also, Apigee needs a public key of the origin of the JWT token (the server which signed the JWT token, in this case, I believe that is Keycloak). So my second doubt is, while I use Keycloak to generate the JWT token, how to get the public key using which the server will verify if the token is valid?

Oracular answered 26/2, 2019 at 11:52 Comment(0)
O
103

This got figured out with the help of this medium article. All the steps I have mentioned below have a detailed description in the article (Refer step 1 to 9 for token part, other steps are related to Spring Boot application) but I would like to give a overview of those in reference to my question.

Generating a JWT token using KeyCloak

  1. Install and run KeyCloak server and go to the endpoint (e.g http://localhost:8080/auth). Log in with an initial admin login and password (username=admin, password=admin).
  2. Create a Realm and a Client with openid-connect as the Client Protocol.
  3. Create users, roles and map Client Role To User.
  4. Assuming the server being on localhost, visiting the http://localhost:8080/auth/realms/dev/.well-known/openid-configuration gives details about all security endpoints
  5. http://localhost:8080/auth/realms/dev/protocol/openid-connect/token sending a POST request with valid details to this URL gives the JWTtoken with.

Getting the public key of the KeyCloak server

  • Going to Realm Settings and click on Public key pops up with the Public key of the server for that Realm. Refer to this image for better understanding.
  • Add -----BEGIN PUBLIC KEY----- and append -----END PUBLIC KEY----- to this copied public key to use it anywhere to verify the JWTtoken. You public key should finally look something like this:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhAj9OCZd0XjzOIad2VbUPSMoVK1X8hdD2Ad+jUXCzhZJf0RaN6B+79AW5jSgceAgyAtLXiBayLlaqSjZM6oyti9gc2M2BXzoDKLye+Tgpftd72Zreb4HpwKGpVrJ3H3Ip5DNLSD4a1ovAJ6Sahjb8z34T8c1OCnf5j70Y7i9t3y/j076XIUU4vWpAhI9LRAOkSLqDUE5L/ZdPmwTgK91Dy1fxUQ4d02Ly4MTwV2+4OaEHhIfDSvakLBeg4jLGOSxLY0y38DocYzMXe0exJXkLxqHKMznpgGrbps0TPfSK0c3q2PxQLczCD3n63HxbN8U9FPyGeMrz59PPpkwIDAQAB
-----END PUBLIC KEY-----

Validating the token on a third party platform

  • jwt.io is a great website for validating JWTtokens. All we have to do is paste the token and public key. Read the introduction of the website here to know more about validating the tokens.
Oracular answered 5/3, 2019 at 11:51 Comment(4)
If you need the public key dynamically, you can retrieve it from http(s)://<hostname>/auth/realms/<realm name>Diffuser
Do you know how to validate/verify the token received via Keycloak?Spartacus
@TarunPande you can verify token signature locally with public key for example in php with openssl_verify(string $data, string $signature, mixed $pub_key_id, mixed $signature_alg=null)Blackout
For Keycloak 22 the URL has changed, /auth not being part of the URL anymore: http(s)://<hostname>/realms/<realm name>Shellishellie

© 2022 - 2024 — McMap. All rights reserved.