In the previous example, we covered how to use Keycloak to authenticate and authorize requests using a bearer token. A plain bearer token, however, is a weak security scheme on its own: it is an opaque, potentially arbitrary string, and the resource server cannot tell from the token itself whether it is genuine.
Whoever presents a valid bearer token gets access to the associated resources; the token carries nothing the server can check about who issued it or whether it was altered in transit, and such guarantees require a cryptographic key. To fill this gap, we will learn how to use JSON Web Tokens (JWTs, RFC 7519), a standard encoding for tokens whose JSON payload can be signed (JWS) and, optionally, encrypted (JWE). A signed JWT lets a resource server verify the issuer's signature with the issuer's key, without contacting the issuer, and reject any token whose contents were modified. Note that a signed JWT is still a bearer token: the signature proves where the token came from, not who is presenting it. A JWT includes the following sections:
- Header: This is a Base64url-encoded (unpadded, RFC 4648 §5) JSON object and consists ...