How to decode an "Access Token" received from Authorization Server like Keycloak?

Hi Everyone,

I am building an API in Node-Red and I would like to protect the API using Keycloak.

I am calling the API from Postman, where I could provide authorization data like (Grant Type, Access Token URL, Client ID, Client Secret, Username, Password) by selecting Authorization Type as "OAuth 2.0".

With these details, I could get an "access token" from Keycloak. I could also send this access token to my API (running on Node-Red) through a GET request to the URL of my API.
But I could not decode this access token in Node-Red in order to get my user information like username, email etc. from the access token.

I have tried using 'node-red-contrib-auth' and 'node-red-contrib-jwt' nodes. There is a field called 'secret' on both of these nodes. I am not quite sure what information I should enter there, and I am also not sure if these are the right nodes to use for decoding an "access token".

I am looking for a proper solution to decode the access token.
I would really appreciate any help.


The most robust solution is not to do the authorisation part in Node-RED but rather via a proxy such as with NGINX or Caddy. There are plenty of articles about using Keycloak with NGINX for example. There are threads in the forum that describe using NGINX or Caddy with Node-RED as a reverse proxy so all you need to do is to add the OAuth processing to the appropriate path.

The uibuilder Tech Docs also have an article. It is aimed at uibuilder users but most of it is common for Node-RED anyway. How to use NGINX as a reverse proxy with TLS and identity authentication

Thank you very much for the information. I will have a look at it. I really appreciate your help. Thanks again :slightly_smiling_face:

I would also kindly like to know the way to do the authorization part in Node-Red using Keycloak. Can you please provide me some information on it as well?

Thanks again in advance.

Best Regards,

I'm afraid not, I've not looked at that and don't do authorisation in Node-RED.

I must assume you're getting a json-web-token (JWT) as a grant. It is unclear to me after reading your post.

If it's a JWT, you will see 3 long strings, separated by a dot. Each string is known as: header, payload and signature.

If you want to decode a JWT, first you need to know the algorithm used. If you don't know the one used, you can test the token you get here: and do some testing.

Copy and paste the token you got, then try different algorithms and you (hopefully) will find the one used; you will see if the claim you are expecting is inside the encoded token.

Thank you for your response.
Yes, I am getting a JWT as grant from Keycloak. The access token is prefixed with the term "Bearer". The algorithm being used is "RS256". I can also see the claims which contain the user information through the link you have provided. To decode the JWT, I am using the "jwt verify" node from (node-red-contrib-jwt). I need to provide some configuration details on this node like Algorithm used, Key file, Secret and so on. I could set the algorithm used to "RS256", but I am not sure what values to set for Key and Secret. Does attribute "n" in signature string represent Secret? Or is it the secret that is generated from Keycloak for a client? And what should I set for Key?

Thank you once again.

Here is the gory detail if you can decode it:

API login and JWT token generation using Keycloak | Red Hat Developer

Sorry, I've never used the module node-red-contrib-jwt

If the module is not providing the documentation / guide you need to set it up, I'd raise an issue on its repo and ask the maintainers.

Yeah, the documentation for the module node-red-contrib-jwt is not clear.
It took me a while to understand the module. So I found a solution to use it. If "JWK URL" is provided together with the algorithm used, then it is not necessary to provide other details such as "Secret", "Key file".
I am using Keycloak as authorization server so for me, the module configuration would be:
"JWK URL": "http://localhost:8080/auth/realms/{my_realm}/protocol/openid-connect/certs",
algorithm: "RS256".
The access token to decode is stored in msg.payload (Verify) and the decoded token is stored on msg.token (Store Token).

I hope it helps, thanks

Best Regards,
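
What the JWK URL configuration in the last post amounts to, as an added example that is not from the thread or from node-red-contrib-jwt: with RS256 there is no shared secret, and the token is checked against the public key the realm publishes. The key pair, `kid`, claims and the `issueToken` helper are constructed so the code runs offline in Node.js; a real flow would fetch the key set from the JWK URL and also check issuer and audience.

```javascript
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Constructed stand-in for the realm signing key. The authorization server keeps
// the private half; only the public half appears in the JWKS at the ".../certs" URL.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1', alg: 'RS256', use: 'sig' }] };

// Hypothetical helper playing the authorization server: signs header.payload with RS256.
function issueToken(claims, header = { alg: 'RS256', typ: 'JWT', kid: 'demo-key-1' }, key = privateKey) {
  const signingInput = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${signingInput}.${b64u(crypto.sign('RSA-SHA256', Buffer.from(signingInput), key))}`;
}

// Returns the claims only if signature and expiry check out; throws otherwise.
function verifyAccessToken(authorization, keySet, now = Math.floor(Date.now() / 1000)) {
  const parts = authorization.replace(/^Bearer\s+/i, '').split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const [h, p, s] = parts;
  const header = parse(h);
  // Pin the algorithm on the verifier side: the token must not get to pick
  // "none" or an HMAC variant.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = keySet.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  // "n" and "e" are the RSA public modulus and exponent, not a secret.
  const { kty, n, e } = jwk;
  const key = crypto.createPublicKey({ key: { kty, n, e }, format: 'jwk' });
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Only trust the payload after the signature has verified.
  const claims = parse(p);
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}
```

Base64url-decoding the payload alone shows the claims but proves nothing about who issued them; only the claims returned after the signature check should be used for access decisions.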
