Check JWT/authentication validity from a business module integrated in opfab #1732
alicecaron
started this conversation in
General
Replies: 1 comment
-
To be coherent with the opfab way of doing things, you just have to check the signature.
-
To check user authorizations on an opfab integrated app, we use on every endpoint a check to decode the Bearer that contains the JWT token stored in the local storage of the front-end interface.
The token contains the user roles and has a signature to guarantee its authenticity.
To check the validity of the token, a call is always sent to opfab /auth/check_token, which is redirected to a Keycloak endpoint thanks to an nginx redirection:
If the token is still valid on Keycloak, then the token is considered valid and the payload is used to get the connected user data ("realm_access": {"roles": [...]}), which lets us decide if the user is authorized to make the call he is sending to the app.
The problem is that the validity of the session was too small on Keycloak (30 min), so we increased it to 7 days.
Do we have to do without the Keycloak auth/check_token (token/introspect), or continue to validate the user with it in order to always check the user's access rights?
How can we go free from the Keycloak check and potential timeout when opfab still authorizes the token?
We could only check the signature of the JWT token to be sure it has not been corrupted. What is the best practice then? We should know the opfab/Keycloak JWT secret in this case, I guess.