This article describes how it is possible to validate a Keyloak access token and performing signature verification.

The RSA realm public key is uploaded in order to verify the access token signature

The example is illustrated using debugger debugger, but could be used by any tool leveraging this methodology to verify the Keycloak Access Token viability.

1. Get an access token

A Keycloak access token is obtained from the token endpoint

  • http://localhost:8080/auth/realms/master/protocol/openid-connect/token

This access token contains 3 parts :

  • header
  • payload
  • signature (using realm RSA public key)

2) Retrieving Realm RSA public key

The realm RSA public key is retrieved from the endpoint

  • http://localhost:8080/auth/realms/master/protocol/openid-connect/certs

3. Obtaining a certificate file for the realm public key (.pem format)

The x5c filed value is copied between —–BEGIN CERTIFICATE—–

—–END CERTIFICATE—– directives .

4. Displaying and verifying the access token (using

This is done in 3 steps :

  • (1) getting hold of the access token
    • This will allow to display all teh access token field
  • (2) verification of the access token fields
    • The validation of the access token consists also of verifying each of the fields
      (Such a task can be done either by keycloak, or locally by program)
  • (3) Signature verification
    • This step is done using the realm RSA public key obtained previously

5. Illustration using

The allow to display the information of the access token, and verify the signature.

5.1 Displaying the access token

The access_token is copied into the debugger.
The access token fields ae displayed, and invalid signature is reported , as the signature field has not yet been completed.

keycloak access token and performing signature verification
5.2 Validating the signature

The signature is validated by copying teh PEM certificate obtained previously in the verify signature section (public key section)

Once this is done, the signature toggles to « Signature verified » to idicate that the access token signature has been verified.

Keycloak Access Token verification example
Olivier Rivat

Les derniers articles par Olivier Rivat (tout voir)