Java
IvanN777, 2022-04-18 16:16:42

How to check a JWT (Keycloak) for validity?

How do I check that the JWT has not been compromised?
As input I receive a token with information about the user.

***
The first thing that came to mind:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
String[] chunks = token.split("\\.");
Base64.Decoder decoder = Base64.getUrlDecoder();
String header = new String(decoder.decode(chunks[0]), StandardCharsets.UTF_8);
String payload = new String(decoder.decode(chunks[1]), StandardCharsets.UTF_8);

// The MAC covers the original base64url segments, not re-encoded JSON
String unsignedToken = chunks[0] + "." + chunks[1];
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(new SecretKeySpec(SECRET_KEY, "HmacSHA256")); // SECRET_KEY: byte[] shared with the issuer
byte[] expected = mac.doFinal(unsignedToken.getBytes(StandardCharsets.US_ASCII));
boolean valid = MessageDigest.isEqual(expected, decoder.decode(chunks[2]));


However, SECRET_KEY must also be obtained from Keycloak.
Am I going in the right direction?
If so, does anyone know how to get this secret?
***
Perhaps there is another, more correct way to check the access token.

PS: Links to material or docs would be welcome. I'm trying to understand the material, but so far I'm drowning in it.



1 answer(s)
Sergey Gornostaev, 2022-04-18
@sergey-gornostaev

The application must know the SECRET_KEY; it must not be transmitted over the network. And it's better to take a ready-made library for working with JWT rather than reinvent the wheel.
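Added example, not code from the question or the answer: what a "ready-made library" actually has to do when it validates a token, written out in Python so each check is visible. It assumes an HS256 token and a shared secret, as in the question's own attempt; the secret, issuer URL, audience and timestamps are constructed for the demo. Note that Keycloak signs access tokens with RS256 by default and publishes the realm's public keys at the realm's JWKS endpoint (`.../realms/<realm>/protocol/openid-connect/certs`), so against a real Keycloak the signature step becomes an RSA verification with that public key instead of an HMAC with a secret; the algorithm pin and the claim checks stay the same.

```python
"""Minimal HS256 JWT verifier showing the checks a JWT library performs before claims are trusted."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real deployment shares it with the issuer out of band;
# it never travels over the network.
SECRET_KEY = b"demo-shared-secret-not-for-production"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token. Only here so the example is self-contained; an IdP does this."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class InvalidToken(Exception):
    pass


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is valid for this service, otherwise raise InvalidToken."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueErrors
        raise InvalidToken(f"malformed token: {exc}") from exc

    # 1. Pin the algorithm. Never let the token choose it: "alg: none" and
    #    key-confusion attacks both rely on the verifier honouring the header.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")

    # 2. Recompute the MAC over the ORIGINAL base64url segments (not re-encoded JSON)
    #    and compare in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")

    # 3. A good signature only proves who issued the token; the claims decide
    #    whether it may be used by this service, right now.
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise InvalidToken("token expired")
    if now < int(claims.get("nbf", 0)):
        raise InvalidToken("token not yet valid")
    return claims


def demo() -> dict:
    """Run the verifier over constructed tokens and report which check rejected each one."""
    iss, aud = "https://keycloak.example/realms/demo", "my-api"  # constructed values
    t0 = 1_700_000_000
    good = sign_hs256({"iss": iss, "aud": aud, "sub": "alice", "exp": t0 + 300}, SECRET_KEY)
    results = {"good": verify_hs256(good, SECRET_KEY, iss, aud, now=t0)["sub"]}
    h, p, s = good.split(".")
    # Payload edited after signing: header and signature are untouched.
    forged = b64url_encode(json.dumps({"iss": iss, "aud": aud, "sub": "admin", "exp": t0 + 300}).encode())
    tampered = f"{h}.{forged}.{s}"
    # Classic "alg: none" token with an empty signature.
    none_alg = b64url_encode(b'{"alg":"none"}') + "." + p + "."
    expired = sign_hs256({"iss": iss, "aud": aud, "sub": "alice", "exp": t0 - 1}, SECRET_KEY)
    for name, tok in [("tampered", tampered), ("none_alg", none_alg), ("expired", expired)]:
        try:
            verify_hs256(tok, SECRET_KEY, iss, aud, now=t0)
            results[name] = "accepted"
        except InvalidToken as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the algorithm is pinned before the signature is examined, and the claims are only read after the signature holds, so nothing from an unverified payload ever influences a decision.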
