[Aerogear-users] Keycloak - validate token on server


Doug Drouillard
Hello,

I am using Aerogear-iOS and I am able to successfully get a JWT from Keycloak. Say I pass that JWT to a Java web service (that is not WildFly), is there a way to easily verify the token? The Keycloak adapters for Undertow and Jetty seem beyond my reach. I am using Ninja Framework and the Undertow integration does not seem feasible in my time frame.
I was hoping to easily validate the token on the server, but I can't seem to have come across anything. My concern is that I want to disable a user and immediately have them disabled, not wait on the expiration in the token.

I have proposed this question on Stack Overflow and on the Keycloak mailing list with no answers, so I was hoping to have some luck here.

Thanks.

_______________________________________________
Aerogear-users mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/aerogear-users
Re: [Aerogear-users] Keycloak - validate token on server

Summers Pittman
Are you thinking something like this : https://github.com/auth0/java-jwt#verify-a-token ?

On Wed, May 31, 2017 at 2:36 PM, Doug Drouillard <[hidden email]> wrote:



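As an added example (not code from this thread or from the java-jwt project), this is what the java-jwt verification Summers links to looks like when the token comes from Keycloak: the realm's RS256 public key is pinned, and issuer, audience and expiry are checked before any claim is trusted. Constructed assumptions: realm "demo" on https://kc.example.com, the iOS app authenticating as Keycloak client "ios-app", and a placeholder for the realm public key.

```java
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

/**
 * Offline check of a Keycloak access token with java-jwt (com.auth0:java-jwt 3.x).
 * Constructed assumptions: realm "demo" on https://kc.example.com; the iOS app logs in as
 * client "ios-app"; REALM_PUBLIC_KEY is the base64 key from Realm Settings > Keys (placeholder).
 */
public final class KeycloakTokenVerifier {
    static final String ISSUER = "https://kc.example.com/auth/realms/demo";
    static final String EXPECTED_CLIENT = "ios-app";
    static final String REALM_PUBLIC_KEY = "REALM_PUBLIC_KEY_BASE64_PLACEHOLDER";
    private final JWTVerifier verifier;

    public KeycloakTokenVerifier() throws Exception {
        byte[] der = Base64.getDecoder().decode(REALM_PUBLIC_KEY);
        RSAPublicKey key = (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(der));
        // Pin the algorithm and key: a token whose header says "alg": "none" or HS256
        // is rejected instead of being verified with whatever it asks for.
        verifier = JWT.require(Algorithm.RSA256(key, null))
                .withIssuer(ISSUER)            // issued by this realm, not another one
                .withAudience(EXPECTED_CLIENT) // Keycloak sets aud to the requesting client
                .acceptLeeway(30)              // seconds of clock skew for exp/nbf/iat
                .build();
    }

    /** Returns the verified token, or null if the signature or any claim fails. */
    public DecodedJWT verify(String bearerToken) {
        try {
            return verifier.verify(bearerToken); // also enforces exp/nbf when present
        } catch (JWTVerificationException e) {
            return null; // fail closed; log e.getMessage() in a real service
        }
    }

    public static void main(String[] args) throws Exception {
        DecodedJWT jwt = new KeycloakTokenVerifier().verify(args[0]);
        System.out.println(jwt == null ? "rejected" : "subject " + jwt.getSubject());
    }
}
```

This answers "is the token genuine and unexpired" only; a user disabled in Keycloak after the token was issued still passes until `exp`, which is the gap Doug's original question is about.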
Re: [Aerogear-users] Keycloak - validate token on server

Doug Drouillard
I ended up forking aerogear and merging in an unmerged PR that exposed Safari View Controller (I am targeting iOS 9+) and then also modified it to allow for passing of kc_idp_hint.

It is nice and clean and avoids the user experience issues that motivated my original question. E.g. embedded views don't work with Google sign-in, and the external Safari makes the user answer an additional prompt (Open in 'app name') plus risks leaving them in no-man's land if they cancel.

For my active account question I likely can just use the Admin API and check outright whether the user is enabled.

Still researching the best Java client to use in my case, as it seems like I am in a bearer-only situation. The aerogear code is easier to follow as there is no intermixing of session/server logic like the servlet examples I have seen.
Verifying the JWT on the local server is easy and likely good enough, but I believe there should be a way to verify it with the Keycloak server if desired using certificates/possibly OpenID endpoints. I am working in a high-fraud situation so need all options available.

Will update this thread as they appear in Google search results.

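The server-side check Doug is looking for exists as an OpenID endpoint: Keycloak's token introspection endpoint (RFC 7662) tells the service whether it still honours a token, and answers `active: false` for a token whose user has since been disabled or whose session is gone. Added example, not code from the thread or from Keycloak; constructed assumptions: realm "demo" on https://kc.example.com, a confidential client "ninja-api" for the service with a placeholder secret, Java 11+ and Jackson on the classpath.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Asks Keycloak whether a token is still active (RFC 7662 token introspection) so a
 * disabled user is rejected immediately rather than at the token's exp. Run this after
 * the local signature check has passed, not instead of it.
 * Constructed assumptions: realm "demo" at https://kc.example.com and a confidential
 * client "ninja-api" whose secret is the placeholder below.
 */
public final class KeycloakIntrospector {
    static final String ISSUER = "https://kc.example.com/auth/realms/demo";
    static final String ENDPOINT = ISSUER + "/protocol/openid-connect/token/introspect";
    static final String CLIENT_ID = "ninja-api";
    static final String CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER";

    private final HttpClient http = HttpClient.newHttpClient();
    private final ObjectMapper json = new ObjectMapper();

    /** True only if Keycloak reports the token as active; any other outcome is a reject. */
    public boolean isActive(String token) throws IOException, InterruptedException {
        // Client authentication for the introspection call, as HTTP Basic (client_id:secret).
        String creds = Base64.getEncoder().encodeToString(
                (CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
        String body = "token=" + URLEncoder.encode(token, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(ENDPOINT))
                .header("Authorization", "Basic " + creds)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            return false; // fail closed on errors, including bad client credentials
        }
        // Keycloak returns {"active": false} for revoked, expired or disabled-user tokens.
        return json.readTree(resp.body()).path("active").asBoolean(false);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(new KeycloakIntrospector().isActive(args[0]) ? "active" : "rejected");
    }
}
```

Each call is a round trip to Keycloak, so in a high-fraud setting it is typically reserved for sensitive operations or cached for a few seconds rather than run on every request.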
Re: [Aerogear-users] Keycloak - validate token on server

Summers Pittman


On Mon, Jun 5, 2017 at 9:11 AM, Doug Drouillard <[hidden email]> wrote:
+1 Thanks for the feedback, and I will keep an eye out for your updates.
 
