Closed ClementGayet closed 5 months ago
Sorry, I'm not able to understand your use case from your description.
> could not be added to the token introspection
Can you explain what you have configured and what you are hoping to achieve?
I've created an API client to secure my application. This client uses the Authorization Code flow for user login, integrating with Keycloak. Users can create tenants through the API, which then creates an organization in Keycloak using the Organizations API and assigns the user as an admin. Once this is done, the user becomes a member of the newly created organization. The goal is to retrieve organization data from the JWT token to ensure users only access their own tenant resources.
To achieve this, I added a mapper to include organization details in the JWT token. The mapper configuration is shown below:
When decoding the JWT token on jwt.io, the data appears as expected:
```json
{
  "boseat": {
    "tenant": "{1392533d-acb6-48a6-a0f2-e0637c1a2465={name=name, attributes={account.id=[111]}}}"
  }
}
```
However, when my backend introspects this token, the field "boseat.tenant" is not returned by the introspection endpoint.
Questions: Is retrieving data from the introspection endpoint the correct approach? Is it secure to decode the JWT and extract the data directly, or should I use a different method to verify the token's validity and retrieve the necessary information? Any guidance on how to resolve this issue and ensure secure and correct data retrieval would be greatly appreciated.
I understand, thank you for the detail.
> Is it secure to decode the JWT and extract the data directly, or should I use a different method to verify the token's validity and retrieve the necessary information?
The JWT is signed, so your application can check the signature and use the data directly. There is no need to use the introspection endpoint to verify a JWT.
Thanks, I just implemented that using jose in JavaScript, which has a function to fetch the JWKS from Keycloak directly.
Hi,
I'm wondering why the protocol mapper on an organization could not be added to the token introspection. I have a backend that checks token validity with the introspection endpoint, but I can't retrieve the organization data hosted in Keycloak. Do I need to add an HTTP call to the userInfo endpoint, or is it a bug?
Best regards,