Answer the question
In order to leave comments, you need to log in
I
I
IvanN7772022-04-18 16:16:42
IvanN777, 2022-04-18 16:16:42
How to check Jwt(Keycloak) for validity?
How to check that JWT is not compromised?
At the entrance I get a token with information about the user
***
The first thing that came to mind
String[] chunks = token.split("\\.");
Base64.Decoder decoder = Base64.getUrlDecoder();
String palyload = new String(decoder.decode(chunks[1]));
String header = new String(decoder.decode(chunks[0]));
String unsignedToken = new String(Base64.getEncoder().encode(header)) + '.' + new String(Base64.getEncoder().encode(payload));
HMAC-SHA256(unsignedToken, SECRET_KEY)However, SECRET_KEY must also be obtained from Keyckloak .
Am I going in the right direction?
If yes, then no one knows how to get this secret.
-------------------------------------------------- -----
Perhaps there is another, more correct way to check the access token.
PS You can throw off the material or the dock. I'm trying to understand the material, but so far I'm drowning in it.
1 answer(s)
@sergey-gornostaev
S
Sergey Gornostaev, 2022-04-18 @sergey-gornostaev
The application must know the SECRET_KEY, it must not be transmitted over the network. Well, it's better to take a ready-made library for working with JWT, and not reinvent the wheel.
Similar questions
I
E
B
T
B
Boris Khripko2017-03-30 17:52:23
How to call one constructor from another with a final variable?
1Reply
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question