Use token introspection endpoint instead of userinfo

backend/src/kcAdminClient.ts

@@ -2,6 +2,9 @@ import KeycloakAdminClient from "@keycloak/keycloak-admin-client";
 
 export const keycloakUri = process.env.KEYCLOAK_URI || "http://localhost:3000";
 export const keycloakIssuer = process.env.KEYCLOAK_ISSUER || keycloakUri;
+export const keycloakCredentials = Buffer.from(
+  `mercury-backend:${process.env.CLIENT_SECRET}`,
+).toString("base64");
 
 const kcAdminClient = new KeycloakAdminClient({
   baseUrl: keycloakUri,

backend/src/misc/jwt.ts

@@ -4,7 +4,11 @@ import { AuthResponse, CustomResponse } from "../models/Response.js";
 import DecodedData from "../models/DecodedData.js";
 import Issuer from "../models/Issuer.js";
 import TokenPayload from "../models/TokenPayload.js";
-import { keycloakIssuer, keycloakUri } from "../kcAdminClient.js";
+import {
+  keycloakCredentials,
+  keycloakIssuer,
+  keycloakUri,
+} from "../kcAdminClient.js";
 
 export interface JWTRequest extends Request {
   token?: TokenPayload;
@@ -37,12 +41,14 @@ function tokenIssuerToName(issuer: string): Issuer | "unknown" {
 
 export async function verifyKeycloakToken(tokenStr: string): Promise<boolean> {
   const response = await fetch(
-    `${keycloakUri}/realms/mercury/protocol/openid-connect/userinfo`,
+    `${keycloakUri}/realms/mercury/protocol/openid-connect/token/introspect`,
     {
-      method: "GET",
+      method: "POST",
       headers: {
-        "Authorization": `Bearer ${tokenStr}`,
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Authorization": `Basic ${keycloakCredentials}`,
       },
+      body: `token=${tokenStr}`,
     },
   );