How to verify the access token without client secret key in keycloak

Question

I have nodejs services as backend & frontend in angular, I want to secure my node api with keycloak, I am using keycloak 22.0.0, we tried with {{keycloak_url}}/realms/{{realm}}/protocol/openid-connect/token/introspect/which requires client secret but I am not using client authentication.

I also tried with userinfo {{keycloak_url}}/realms/{{realm}}/protocol/openid-connect/userinfo its always giving 403,

finally for time being I am using {{keycloak_url}}/realms/{{realm}}/users/{{user-sub}}/sessions to get the session wheather token is active or not in my node middleware, why I don't recomond this approach my use might have 50 session the response object will have huge data which will impact on performance.

Please provide suitable/better solution on this.

Thanks in advance!

score 0 · Answer 1 · answered Jul 29 '23 at 12:14

There is no any direct API to validate the user token, but we can achive the public key

I will try to explain better way

Each realm has cert key & public key, cert key will be used to generate the token, public key will be used to verify the token

just you can hit below URL in browser you will get the public key. http://localhost:8080/realms/{your-realmname}

else login into keycloak then chose realm->Real settings->keys tab -> find the row RS256 in same row you will see the public key. replace your in between the your pub key like below.

-----BEGIN PRIVATE KEY-----

pub key

-----END PRIVATE KEY-----

How to verify the access token without client secret key in keycloak

1 Answers1