0 votes

I am looking for a way to validate an ID token without calling the IdP. The client app and the IdP run inside a controlled environment. For this reason, I want to validate the access token from OIDC, provided by Keycloak, directly in my middleware. For performance reasons I don't want to call the OIDC endpoint from Keycloak again to validate an existing id/access token.

Is this possible? What information does the middleware need?

PS: I am looking for a PHP implementation :)


1 Answer

1 vote

If you can include the public signing key in the client, then you can validate all the tokens offline. There are plenty of JWT token libraries out there that can do that for you.

The most common case is that the client downloads the public key, but there is nothing stopping you from including it in the client. Just be careful if you update the keys in Keycloak, that you also update the client key.

To identify the user, classic session cookies are typically used. Using cookies is a well-proven and secure way to identify the user after he has logged in, assuming you protect the cookies in the right way (samesite, secure, httponly).

This is a good video on the topic:
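As an added example (not part of the original answer), here is the offline check described above written in PHP with only the openssl extension, so no call to Keycloak is needed per request. The PEM, the realm issuer URL and the client id are placeholders you set for your own realm; the PEM body is the realm's RSA public key from Realm Settings -> Keys, and it has to be updated by hand when the realm keys are rotated.

```php
<?php
// Added example: offline validation of a Keycloak-issued RS256 JWT.
// Assumptions (placeholders, not from the thread): $pem is the realm public key
// in PEM form, $issuer is the realm URL, $clientId is this app's client id.

function base64url_decode(string $data)
{
    $b64 = strtr($data, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore padding
    return base64_decode($b64, true);                      // strict: bad chars -> false
}

// Returns the verified claims or throws; the middleware maps exceptions to 401.
function validate_keycloak_token(string $jwt, string $pem, string $issuer, string $clientId, int $leeway = 30): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('Token must have three segments');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) base64url_decode($h), true);
    $claims = json_decode((string) base64url_decode($p), true);
    $sig    = base64url_decode($s);
    if (!is_array($header) || !is_array($claims) || $sig === false) {
        throw new RuntimeException('Malformed token');
    }
    // Pin the algorithm instead of trusting the header: rejects "none" and
    // HS256 key-confusion attempts against the public key.
    if (($header['alg'] ?? null) !== 'RS256') {
        throw new RuntimeException('Unexpected alg');
    }
    $key = openssl_pkey_get_public($pem);
    if ($key === false || openssl_verify("$h.$p", $sig, $key, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('Signature verification failed');
    }
    $now = time();
    if (!isset($claims['exp']) || (int) $claims['exp'] + $leeway < $now) {
        throw new RuntimeException('Token expired');
    }
    if (isset($claims['nbf']) && (int) $claims['nbf'] - $leeway > $now) {
        throw new RuntimeException('Token not yet valid');
    }
    if (($claims['iss'] ?? null) !== $issuer) {
        throw new RuntimeException('Unexpected issuer');
    }
    // Keycloak puts the client in "aud" (list or string) and/or "azp".
    $aud = (array) ($claims['aud'] ?? []);
    if (!in_array($clientId, $aud, true) && ($claims['azp'] ?? null) !== $clientId) {
        throw new RuntimeException('Token not issued for this client');
    }
    return $claims;
}
// Usage: $claims = validate_keycloak_token($bearer, $pem, 'https://keycloak.example/realms/demo', 'my-client');
```

The realm's public key (Realm Settings -> Keys) is wrapped as `-----BEGIN PUBLIC KEY-----` / `-----END PUBLIC KEY-----` to form `$pem`; checking `exp`, `iss` and the audience matters as much as the signature, since a validly signed token for another client or an expired session would otherwise pass.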