How to verify a JWT token in Java | JWT, Keycloak, RSA256 and Auth0
ฝัง
- เผยแพร่เมื่อ 2 มิ.ย. 2024
- In this video, I will show you how to validate the JWT token in a Java application. We will use the Auth0 library to check if a Keycloak issued JWT token comes from a trusted issuer if the signature verification (RSA256 in this case) is correct and if the token has not expired yet.
As part of the process, we will also load the Keycloak public key and talk about storing the public key locally and how to make everything faster with guava cache.
We will wrap everything in a nice JwtValidator class to be used anywhere you want to.
What are JWT tokens and how to use them: • What is JWT? The JSON ...
Code example: github.com/ps-after-hours/jwt...
#quadmeup #jwt #keycloak
If you want to support me:
✅ Patreon / pawelspychalski
✅ Banggood affiliate bit.ly/2P8oAxr
✅ Paypal paypal.me/pawelspychalski
▶ Discord server quadmeup.com/discord
▶ My website quadmeup.com/
What are JWT tokens and how to use them: th-cam.com/video/9nBu5qtVxMM/w-d-xo.html
excellent video explaining what is required to validate the token.
most explained video on TH-cam for jwt validation.
This video and supplies code was very helpful to me. Thanks!
You made it absolutely clear, Thanks !
Glad it helped!
Thank you, so much sir.
This really helps me, I can now go to bed peacefully 😅
Explained very nicely. I have some points though, I am actually interested as Keycloak was mentioned.
1. ES256 algo curve P-256 public key using OpenSSL commands import the public key in keycloak throws an error.
InvalidKeySpecException: Encode key spec did not recognize: algorithm identifiers *****
2. RS/HS256 JWT is working.
3. Added ES256 provider in Keycloak.
Am I supposed to make some custom implementation in keycloak adapters?
Thank you so much. That is great!
Thanks
Salute for you🙏🏻 saved me
glad I could help1
Much Thanks 🙏🏻
You're welcome!
How to deactivate JWT at backend? It is needed to blacklist them?
Are we forced to log out at frontend-only (by deleting token from our client)?
1 - keep access token short lived - if you deactivate the user then he would have to relogin with refresh token
2 - token can not be revoked. You can have a "blacklist" of revoked tokens, but if they are short lived (a few seconds) that it makes no sense to be honest
3 - if user logs out, then you have to remove the token from the client (assuming you have the control over the client app)
Cool🎉❤
Pawel i try to contact you about somethings. Is there any email adres to contact you?
sure, pspychalski@gmail.com