I am trying to validate the token received from Keycloak. I have created TestClient as the client, TestRealm as the realm and "user" as the user. While validating the received token, I am hitting this endpoint: http://localhost:8080/auth/realms/TestRealm/protocol/openid-connect/userinfo.
In the response, instead of receiving the actual user details, I am receiving this response every time:
{
  "sub": "xxxx-xxxx-xxxx-xxxx-xxxxxx",
  "email_verified": false,
  "preferred_username": "service-account-testclient"
}
Can someone explain?
I wouldn't say that you are doing token validation. Token validation requires token signature verification (usually against the public key of the realm that issued the token).
You are just calling the standard OIDC userinfo endpoint with the token in the auth header, and Keycloak must execute a token validation as part of request processing. The userinfo response depends on your Keycloak client configuration (mappers, scopes, ...).
So when you are getting a userinfo response with HTTP code 200, then the token must be valid. But don't use userinfo for "token validation": it will increase Keycloak load unnecessarily, it is a slow approach, the userinfo endpoint is not designated for that, .... Do an offline, stateless, quick token signature verification. It should be a standard feature of all OIDC libraries.
But I didn't see any endpoint where I can validate it. Can you point out some resource where I can learn to do the same?
@KshitizSharma there is no validation endpoint. Download realm public key and verify signature in your own code (without calling any endpoint).
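The offline check that the answer and the comment above describe, as an added example that is not part of the original thread and not Keycloak's or any library's code. It mints a token with a throwaway RSA key that stands in for the realm signing key (Keycloak signs access tokens with RS256 by default), then verifies it with nothing but the public key: the algorithm is pinned, the signature over `header.payload` is checked first, and only then are `exp`, `iss` and `aud` read. The issuer string is derived from the userinfo URL in the question; the audience `TestClient`, the claim values and the key pair are assumptions. In a real deployment the public key is fetched once from the realm's `/protocol/openid-connect/certs` (JWKS) endpoint or copied from the admin console, cached, and reused for every token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RealmIssuer is the "iss" value for the realm in the question, derived from the
// userinfo URL by dropping the /protocol/openid-connect/userinfo suffix.
const RealmIssuer = "http://localhost:8080/auth/realms/TestRealm"

// Claims is the subset of a Keycloak access token this example checks.
// "aud" stays raw because Keycloak emits either a string or an array of strings.
type Claims struct {
	Iss               string          `json:"iss"`
	Aud               json.RawMessage `json:"aud"`
	Exp               int64           `json:"exp"`
	Sub               string          `json:"sub"`
	PreferredUsername string          `json:"preferred_username"`
}

var b64 = base64.RawURLEncoding

// SignRS256 mints a token the way the realm would. It stands in for Keycloak in this
// offline example; in production the token comes from the realm's token endpoint.
func SignRS256(c Claims, priv *rsa.PrivateKey) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 is the stateless check the answer recommends: pin the algorithm, verify the
// RSA-SHA256 signature with the realm public key, then check time, issuer and audience.
// No endpoint is called.
func VerifyRS256(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWS")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	// Pin the algorithm instead of trusting the header: rejects "alg":"none" and
	// key-confusion tokens (e.g. HS256 MACed with the public key bytes).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify against the realm key")
	}
	// The payload is only parsed after the signature holds.
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or has no exp")
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, wantIss)
	}
	if !audienceContains(c.Aud, wantAud) {
		return nil, fmt.Errorf("token is not for audience %q", wantAud)
	}
	return &c, nil
}

// audienceContains accepts both "aud":"x" and "aud":["x","y"].
func audienceContains(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		for _, a := range many {
			if a == want {
				return true
			}
		}
	}
	return false
}

func main() {
	// Throwaway key pair standing in for the realm signing key (constructed for the demo).
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := SignRS256(Claims{Iss: RealmIssuer, Aud: json.RawMessage(`"TestClient"`),
		Exp: now.Add(5 * time.Minute).Unix(), Sub: "xxxx", PreferredUsername: "user"}, priv)
	c, err := VerifyRS256(tok, &priv.PublicKey, RealmIssuer, "TestClient", now)
	fmt.Println(c.PreferredUsername, err)
}
```

The order matters: the signature is checked before any claim is read, so an attacker who edits the payload (for example to change `preferred_username`) or swaps the key never gets past the signature step, and a token with `"alg":"none"` is refused by the pinned algorithm rather than by a missing signature. Caching the realm public key means the check costs one RSA verification per request and never touches Keycloak.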