Overview
This node verifies the validity of a token against a Keycloak server. It is useful in scenarios where you need to authenticate or authorize API requests by checking if a provided token is active and valid within a specified Keycloak realm. For example, it can be used in workflows that require validating user sessions or API tokens before proceeding with sensitive operations.
The node extracts a token from incoming data, removes any "Bearer" prefix, and sends it to Keycloak's token introspection endpoint. Based on the response, it routes the data into one of three outputs: valid tokens, invalid tokens, or errors.
Properties
| Name | Meaning |
|---|---|
| Token Key | The key path in the input data where the token is located. The "Bearer" keyword is removed. Example default: headers.authorization |
| Realm | The Keycloak realm to check the token against. If empty, the default realm from credentials is used. |
Output
The node has three outputs:
- ok: Items with tokens verified as valid by Keycloak. Each item's JSON contains a `result` field set to `true`, a message confirming validity, and the full response from Keycloak under `response`.
- ko: Items with tokens found invalid by Keycloak. Each item's JSON contains a `result` field set to `false`, a message indicating invalidity, and the full response from Keycloak.
- error: Items for which an error occurred during verification. The JSON includes `result` set to `false` and an error message.
The json output field of each item has the following structure:
{
"result": true | false,
"message": "token is valid in Keycloak." | "token is invalid in Keycloak." | "<error message>",
"response": { /* full Keycloak introspection response object */ }
}
No binary data output is produced by this node.
Dependencies
- Requires a Keycloak server URL, client ID, client secret, and optionally a default realm configured via credentials.
- Uses Keycloak's OpenID Connect token introspection endpoint.
- Authenticates to the introspection endpoint with the client ID and client secret, sent as Basic Auth in the request header.
- Requires the n8n HTTP request helper to send POST requests with a form-urlencoded body.
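
The request and routing described above, sketched as an added example (not the node's own source code). The function names, the sample values, the endpoint path (Keycloak's standard OpenID Connect introspection URL) and the use of the RFC 7662 `active` field to decide validity are assumptions.

```javascript
// Added example; getPath, buildIntrospectionRequest, routeResult, verifyToken are hypothetical names.
// Resolve a dotted key path such as "headers.authorization" in the input item.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Build the POST: Basic Auth with the client credentials, form-urlencoded body.
function buildIntrospectionRequest(item, tokenKey, cfg) {
  const raw = String(getPath(item, tokenKey) ?? '');
  const token = raw.replace(/^\s*Bearer\b\s*/i, '').trim(); // drop the "Bearer" keyword
  if (!token) throw new Error('token is empty.');
  const basic = Buffer.from(`${cfg.clientId}:${cfg.clientSecret}`).toString('base64');
  return {
    method: 'POST',
    // Assumed path: Keycloak's standard introspection endpoint under the realm.
    url: `${cfg.serverUrl.replace(/\/+$/, '')}/realms/${encodeURIComponent(cfg.realm)}` +
         '/protocol/openid-connect/token/introspect',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ token }).toString(),
  };
}

// Fail closed: only a literal boolean `active: true` reaches the "ok" output.
function routeResult(response) {
  const valid = response != null && response.active === true;
  return {
    output: valid ? 'ok' : 'ko',
    json: {
      result: valid,
      message: valid ? 'token is valid in Keycloak.' : 'token is invalid in Keycloak.',
      response,
    },
  };
}

// Full flow; `post` is an injected HTTP function, so any failure lands on "error".
async function verifyToken(item, tokenKey, cfg, post) {
  try {
    return routeResult(await post(buildIntrospectionRequest(item, tokenKey, cfg)));
  } catch (err) {
    return { output: 'error', json: { result: false, message: err.message } };
  }
}

// Constructed sample values, not taken from a real deployment.
const SAMPLE_CFG = { serverUrl: 'https://keycloak.example.test/', realm: 'demo', clientId: 'my-client', clientSecret: 's3cret' };
const SAMPLE_ITEM = { headers: { authorization: 'Bearer abc.def.ghi' } };
```

A response with a missing or non-boolean `active` value is routed to ko rather than ok, so a proxy error page or a truncated body cannot be mistaken for a valid token.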
Troubleshooting
- Empty token error: If the token extracted from the specified key is empty or missing, the node throws an error "token is empty." Ensure the input data contains the token at the correct path.
- Invalid credentials or server URL: If the Keycloak credentials are incorrect or the server URL is unreachable, the request will fail. Verify credentials and network connectivity.
- Incorrect realm: If the realm parameter is wrong or missing and no default realm is set in credentials, token verification may fail.
- Malformed token: Tokens must not include the "Bearer" prefix; the node removes it automatically, but a malformed token may still cause introspection to fail.
- Error output: Any unexpected errors during execution route items to the error output with the error message for easier debugging.