
Validate JWT token in python API with keycloak

I am building a python flask API. The requests are sent from the UI and they include an already authorized JWT token in the header (as expected bearer token).

My API service needs to validate the token and extract the tenant from the token.

I have a few questions about how a solution like that usually works.

  • does the API just need to decode the token and get the tenant from the payload?
  • the api cannot validate the signature of the token because I don't have the secret, right?
  • should the API just call the auth server (in this case Keycloak)? If yes, can someone please write some example code for that. Which libraries are good to use?

Thank you

Here are some answers.

  • From a pure technical point of view, you can indeed decode the JWT token (there exist plenty of libs to do it) to extract the payload claims, and you can do it "serverless"
  • The secret is used to CREATE the signature, not to verify it. When the signature is created (by the Keycloak server) using a private key, the client app can verify it using the public key
  • Issuing an additional request to the KC server in order to decode the token still has some added value. The (possibly long-living) token may, for some security reason, have been discarded to prevent it from being still used. In such a case, the API will return a negative answer. The web service you need to invoke is the "Token Introspection Endpoint" ( https://www.oauth.com/oauth2-servers/token-introspection-endpoint/ )
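A stdlib-only illustration of the decode-versus-verify distinction the answer draws, added here and not part of the original post or of Keycloak: it decodes the payload, then separately verifies the signature (HS256 with a shared key, assumed for the sake of running offline), pins the alg header, checks exp and iss, and only then reads an assumed "tenant" claim.

```python
# Added example (not from the original post): contrast merely decoding a
# JWT payload with verifying it before trusting the tenant claim.
# Assumptions: HS256 with a shared key, claim name "tenant", issuer string.
import base64
import hashlib
import hmac
import json
import time

TENANT_CLAIM = "tenant"  # assumed name of the claim carrying the tenant id

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token):
    """'Just decode the token': yields the claims but proves nothing."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256(token, key, issuer, now=None):
    """Return the claims only if alg, signature, expiry and issuer check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if malformed
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    return claims

def tenant_from_token(token, key, issuer, now=None):
    return verify_hs256(token, key, issuer, now)[TENANT_CLAIM]

def make_token(claims, key):  # constructed test token, minted as the auth server would
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"
```

Keycloak signs access tokens with RS256 by default, so in production the HMAC step becomes an RSA verification against the realm's public key (for example PyJWT's `jwt.decode(token, public_key, algorithms=["RS256"])`) with the same claim checks. A call to the introspection endpoint then adds the revocation check the answer describes.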
