A morning rabbit hole because quite frankly, I forgot how to verify a RS256-signed JWT from application code... and I work at an auth company.
Snooping around
Log in to https://console.neon.tech — my guinea pig — poke around for my own authentication details.
Grab the `keycloak_token` cookie, URL-decoded:
Decode the access token to glean some information, like where the public key for JWT verification might be:
- For `jwt`, see the jwt-cli tool.
- See the `azp` claim: `neon-console` (for token refresh, later).
- See the `iss` claim: https://console.neon.tech/realms/prod-realm
Visit https://console.neon.tech/realms/prod-realm:
Ask ChatGPT what format the public key is in, and be told that it's Base64-encoded PEM format.
Tell ChatGPT that base64-decoding returns gibberish, and be told that it's DER-encoded, and receive a neat openssl trick to inspect it.
Google "keycloak well known", and find the rest of the endpoints:
Access token
Verify the access token from the perspective of some application code — something I'm more familiar with...
If all is good, this should succeed, or throw a `JWTExpired` error — the access token is only valid for 5 minutes, which you can see by subtracting the `iat` claim from the `exp` claim.
Refresh token
Google how to refresh an access token with keycloak.
Land on https://stackoverflow.com/questions/51386337/refresh-access-token-via-refresh-token-in-keycloak
- I guessed `client_id` based on the `azp` claim from the decoded access token.
- `grant_type` is `refresh_token`, based on the StackOverflow post.
- `refresh_token` is the `RefreshToken` from the cookie.
Voilà! Get a fresh access token.
Conclusion
I refreshed one piece of knowledge, and learned a handful of new things — keycloak and an openssl trick.