1
votes

I am new to OpenID Connect and keycloak.

I have two questions: Does my application have to verify with the openid connect provider (OP) - Keycloak in this case for every API call to my application? This may impose a lot of load on the OP. Alternatively, does my app have to rely on the expiry of the token that was obtained when the user first tried to connect to my application?

If my application (RP) relies on token expiry, how will revocation of an user at the OP will work? Does my application know about the revocation only after the expiry of the token or does the OP notify the registered application when the user is revoked?

2

2 Answers

1
votes

No, your application can verify the tokens offline with the public key of the issuing realm which Keycloak exposes via its API.

You can find that in the docs: https://www.keycloak.org/docs/latest/securing_apps/index.html#validating-access-tokens

In that case you have to rely on the token expiry. Usually that should be no big issue when the expiration time is short. When your application is validating tokens locally, I'm currently not aware of any solution to get notified about the revocation. If short token expiration times are not enough for you to mitigate this problem, you have to call the token introspection endpoint for every request.

0
votes

Verification against OP depends on your exact requirement and the token type you use. If you want end user information related to access token, then you must invoke user information endpoint. This can only be done when access token is valid. Introspection endpoint can be used to validate access token only.

But if you are using JWT access tokens, you can rely on JWT validation without the need to call any other API. But of course you need the token signing certificate data. This can be a one time request since certificate rollovers does not occur frequently.

Regarding user revocation, there is no standard way to detect this other than using a standard API (token introspection , userinfo endpoint). Even JWT validation does not allow you to verify such situation. But, having shorter token life time (ex:- 30 mints) and using refresh token can allow you to detect such situation. Refresh token request must fail if correlated user is revoked.!