This article describes how it is possible to validate a Keyloak access token and performing signature verification.

The RSA realm public key is uploaded in order to verify the access token signature

The example is illustrated using jwt.io debugger debugger, but could be used by any tool leveraging this methodology to verify the Keycloak Access Token viability.

1. Get an access token

A Keycloak access token is obtained from the token endpoint

  • http://localhost:8080/auth/realms/master/protocol/openid-connect/token

This access token contains 3 parts :

  • header
  • payload
  • signature (using realm RSA public key)

2) Retrieving Realm RSA public key

The realm RSA public key is retrieved from the endpoint

  • http://localhost:8080/auth/realms/master/protocol/openid-connect/certs

3. Obtaining a certificate file for the realm public key (.pem format)

The x5c filed value is copied between —–BEGIN CERTIFICATE—–

—–END CERTIFICATE—– directives .

4. Displaying and verifying the access token (using jwt.io)

This is done in 3 steps :

  • (1) getting hold of the access token
    • This will allow to display all teh access token field
  • (2) verification of the access token fields
    • The validation of the access token consists also of verifying each of the fields
      (Such a task can be done either by keycloak, or locally by program)
  • (3) Signature verification
    • This step is done using the realm RSA public key obtained previously

5. Illustration using Jwt.io

The jwt.io allow to display the information of the access token, and verify the signature.

5.1 Displaying the access token


The access_token is copied into the jwt.io debugger.
The access token fields ae displayed, and invalid signature is reported , as the signature field has not yet been completed.

keycloak access token and performing signature verification
5.2 Validating the signature

The signature is validated by copying teh PEM certificate obtained previously in the verify signature section (public key section)

Once this is done, the signature toggles to « Signature verified » to idicate that the access token signature has been verified.

Keycloak Access Token verification example

Olivier Rivat

Senior Software Engineer with over 25 years of experience doing Software Development, Support and Consulting in Identity and Access Management Solutions.
Specialised in IAM (security, access control, identity management) and Open Source integration, settled in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governements with a concern for Identity Management and Open Source components.
JANUA provides better security, build relationships, and enable new cloud, mobile, and IoT offerings from any device or connected thing.
Olivier Rivat

Les derniers articles par Olivier Rivat (tout voir)