I've got a hopefully good answer for you, as I've done this professionally as well as in a personal project. I'm giving details on how to authenticate requests and hinting at authorization, because that's more project specific.

There are two methods you could use if you are using Golang + JWTs; I call them the "passive" and "active" check. Keycloak can be configured to put all authorization info into the JWTs it signs. The Golang code will read this authorization info after it has authenticated the JWTs.

Before I get started, there's a non-Golang method if you are using Kubernetes + Istio. This should be the desired solution if it fits your use case, as it will cover the namespace and you don't have to write the code for it.

Passive check: this one doesn't involve network activity to your Keycloak server each time. First things first, you need to find your Keycloak application's JWKS URL. You can Ctrl + F to find details on Keycloak + JWKS.

```go
// Uses github.com/MicahParks/keyfunc (v1 API assumed) plus log and time from the standard library.
// This is a local Keycloak JWKS endpoint for the master realm.
// Placeholder: the URL was cut off in the post; Keycloak serves a realm's JWKS at this path (older servers prefix /auth).
jwksURL := "http://<keycloak-host>/realms/master/protocol/openid-connect/certs"
// Create the keyfunc options. Refresh the JWKS every hour and log errors.
options := keyfunc.Options{
	RefreshInterval: time.Hour,
	RefreshErrorHandler: func(err error) {
		log.Printf("There was an error with the jwt.KeyFunc\nError: %s", err.Error())
	},
}
// Create the JWKS from the resource at the given URL.
jwks, err := keyfunc.Get(jwksURL, options)
if err != nil {
	log.Fatalf("Failed to create JWKS from resource at the given URL.\nError: %s", err.Error())
}
```

After parsing and validating the token, you can then extract the claims. You can then extract the required info for authorization. I'd use this method if your security requirements permit.

Pros: No network activity between Golang code and Keycloak every time there is a JWT.

Cons: If Keycloak withdraws permissions from someone, the Golang code will keep authorizing requests until all their JWTs are expired.

I've updated the project from my original answer to use this method.