-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhancement: Use OID Public Key from Keycloak Realm URL #9
Comments
Hi! I'm not sure to understand the use cases behind this way of doing… If you want to do it anyway, this feels actually quite simple to implement on you side:
|
Indeed - there is little point in having the app reach out to KeyCloak for anything else when the JWT fails signature verification.
Not necessarily - especially if you are managing the realm keys yourself. This looks like it was mentioned a while back in the docs (version 2.3.0):
In particular - fetching the public key from KeyCloak would simplify some things when the public key is rotated.
Looks like they acknowledge this in the release notes linked above as well.
This is exactly my approach so far. The only real issue here is having the app fail to start if the KeyCloak server is unreachable at start time. This was my motivation for opening this issue - to see what thoughts there might be to optionally move PK fetching directly into the middleware. |
Thanks for documenting it, I did not know. I went for manually pre sharing the public key mainly because of 3 things:
That being said, how do you think starting the app should behave when Keycloak is down?
|
Apologies for the delayed response.
I think these all completely make sense. I will be revisiting this in the next few weeks and will follow up - thank you again for sharing and maintaining this crate!! |
Thank you for taking the time to write this library!
What are your thoughts on making the OID Public Key optional for JWT signature verification-- pulling from the keycloak API at runtime instead?
For instance, the following response comes from the realm URL:
http://localhost:8080/auth/realms/master
In this case, we could pull
public_key
from the response automatically, rather than requiring its presence when constructing theKeycloakAuth
struct.The text was updated successfully, but these errors were encountered: