从 Keycloak 验证令牌

Question

I have a token which will be passed from a service to my Rest service. I want to use Spring security to validate the token against the public key (this is hosted on a different server). I have defined the Security Config class which is extending KeycloakWebSecurityConfigurerAdapter and i have implemented the httpSecurity and AuthenticationManager Builder.

I am using the OncePerRequestFilter and getting the Bearer token from the request.

@Component public class JwtTokenAuthenticationFilter extends OncePerRequestFilter {

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
        throws ServletException, IOException {

    final String authorizationHeader = request.getHeader("Authorization");


    String token = null;

    if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
        token = authorizationHeader.substring(7);

    }

}

What is the method to validate this token using Public Key with Keycloak classes?

Answer 1

In order to configure your KeycloakWebSecurityConfigurerAdapter , I guess you're providing a keycloak.json file. In this file , you are telling your application where your keycloak server authorization server url is: auth-server-url , optionally you could provide a realm-public-key as well ( this is not recommended ). This is all you need, the adapter will check for you that incoming tokens are signed by that server, for this realm.

See also:

• Should I explicitly verify Keycloak token or this is done by Keycloak adapter?