Generate JWT Token in Keycloak and get public key to verify the JWT token on a third party platform

jwt keycloak apigee keycloak-services
Amit Yadav picture Amit Yadav · Feb 26, 2019 · Viewed 21.1k times · Source

There is an Endpoint to a backend server which gives a JSON response on pinging and is protected by an Apigee Edge Proxy. Currently, this endpoint has no security and we want to implement Bearer only token authentication for all the clients making the request. All the clients making the requests to API will send that JWT token in Authorization Bearer and Apigee Edge will be used to verify the JWT Token.

How do I use Keycloak to generate this JWT token?

Also, Apigee needs a public key of the origin of the JWT token (the server which signed the JWT token, in this case, I believe that is Keycloak). So my second doubt is, while I use Keycloak to generate the JWT token, how to get the public key using which the server will verify if the token is valid?

Answer

Amit Yadav picture Amit Yadav · Mar 5, 2019

This got figured out with the help of this medium article. All the steps I have mentioned below have a detailed description in the article (Refer step 1 to 9 for token part, other steps are related to Spring Boot application) but I would like to give a overview of those in reference to my question.

Generating a JWT token using KeyCloak

  1. Install and run KeyCloak server and go to the endpoint (e.g http://localhost:8080/auth). Log in with an initial admin login and password (username=admin, password=admin).
  2. Create a Realm and a Client with openid-connect as the Client Protocol.
  3. Create users, roles and map Client Role To User.
  4. Assuming the server being on localhost, visiting the http://localhost:8080/auth/realms/dev/.well-known/openid-configuration gives details about all security endpoints
  5. http://localhost:8080/auth/realms/dev/protocol/openid-connect/token sending a POST request with valid details to this URL gives the JWTtoken with.

Getting the public key of the KeyCloak server

  • Going to Realm Settings and click on Public key pops up with the Public key of the server for that Realm. Refer to this image for better understanding.
  • Add -----BEGIN PUBLIC KEY----- and append -----END PUBLIC KEY----- to this copied public key to use it anywhere to verify the JWTtoken. You public key should finally look something like this:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhAj9OCZd0XjzOIad2VbUPSMoVK1X8hdD2Ad+jUXCzhZJf0RaN6B+79AW5jSgceAgyAtLXiBayLlaqSjZM6oyti9gc2M2BXzoDKLye+Tgpftd72Zreb4HpwKGpVrJ3H3Ip5DNLSD4a1ovAJ6Sahjb8z34T8c1OCnf5j70Y7i9t3y/j076XIUU4vWpAhI9LRAOkSLqDUE5L/ZdPmwTgK91Dy1fxUQ4d02Ly4MTwV2+4OaEHhIfDSvakLBeg4jLGOSxLY0y38DocYzMXe0exJXkLxqHKMznpgGrbps0TPfSK0c3q2PxQLczCD3n63HxbN8U9FPyGeMrz59PPpkwIDAQAB
-----END PUBLIC KEY-----

Validating the token on a third party platform

  • jwt.io is a great website for validating JWTtokens. All we have to do is paste the token and public key. Read the introduction of the website here to know more about validating the tokens.

Related questions

Didn't find publicKey for kid ,Keycloak?

I am getting this exception "Didn't find publicKey for kid" while calling endpoint from angular js 2 to the widlfly server . authentication happened in keycloak , however i am calling about 8 endpoints from different clients (different micro services ) within same realm using …

Read More
How to decode keys from Keycloak openid-connect cert api

I'm trying to get the key from Keycloak open-id connect certs endpoint that allow me to validate a JWT token. The api to fetch the keys seam to work : GET http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/certs { "keys": [ { "kid": "…

Read More
What are the main differences between JWT and OAuth authentication?

I have a new SPA with a stateless authentication model using JWT. I am often asked to refer OAuth for authentication flows like asking me to send 'Bearer tokens' for every request instead of a simple token header but I …

Read More