Token Validation

Validate JWT algorithm and structure in token responses from Keycloak.

Requirements Coverage

REQ-TOKEN-001  Enforce allowed JWT signing algorithms
REQ-TOKEN-002  Validate token lifetime against configurable maximum
REQ-TOKEN-003  Detect claim leakage in token payload
REQ-TOKEN-004  Enforce maximum token size
REQ-TOKEN-005  Validate JWT structure
REQ-TOKEN-006  Block tokens with malformed characters

Test Examples

TOKEN-001 [BLOCKED]

'none' algorithm blocked in response

Sample Request

# Response from Keycloak contains token with alg: none
# ALG detects and blocks before forwarding to client

Expected Response

{"error":"server_error","error_description":"Token algorithm 'none' is not allowed"}

TOKEN-002 [BLOCKED]

Oversized token blocked

Sample Request

# Response from Keycloak contains token > max_token_size_bytes
# ALG detects role/claim enrichment abuse

Expected Response

{"error":"server_error","error_description":"Token size exceeds maximum allowed size"}
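The following is an added example, not ALG's own code, showing how the six requirements above can be applied to the JWTs inside a Keycloak token response and how a failure is turned into the server_error shape used by TOKEN-001 and TOKEN-002. Everything except the error strings quoted on this page is an assumption: the allowed-algorithm set, the 4096-byte size limit (the page only names the setting max_token_size_bytes, not its value), the 3600-second maximum lifetime, the LEAKY_CLAIMS denylist used to stand in for "claim leakage", and the token field names checked in the response. Signature verification is not part of these checks; the example covers the structural and policy gates a gateway applies before forwarding.

```python
import base64
import json
import re

# Constructed policy values for this example (assumptions, not ALG's defaults).
ALLOWED_ALGS = {"RS256", "ES256", "PS256"}
MAX_TOKEN_SIZE_BYTES = 4096          # the page names this setting, not its value
MAX_LIFETIME_SECONDS = 3600
# Hypothetical denylist: claim names whose presence counts as claim leakage.
LEAKY_CLAIMS = {"password", "secret", "client_secret", "ssn"}
# base64url alphabet only; anything else in a segment is a malformed character.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict, payload: dict, signature: str = "sig") -> str:
    """Build a compact JWT string with a placeholder signature.
    Constructed test data only; nothing here is cryptographically signed."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     signature])


def validate_token(token: str) -> tuple[bool, str]:
    """Check one JWT against REQ-TOKEN-001..006; returns (ok, error_description)."""
    # REQ-TOKEN-004: size is measured on the encoded bytes that would be forwarded
    if len(token.encode("utf-8")) > MAX_TOKEN_SIZE_BYTES:
        return False, "Token size exceeds maximum allowed size"
    # REQ-TOKEN-006: reject any character outside the base64url alphabet
    parts = token.split(".")
    if any(not SEGMENT_RE.match(p) for p in parts if p):
        return False, "Token contains malformed characters"
    # REQ-TOKEN-005: header.payload.signature; an empty signature is allowed to
    # reach the algorithm check so alg=none is reported as an algorithm problem
    if len(parts) != 3 or not parts[0] or not parts[1]:
        return False, "Token structure is invalid"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False, "Token header or payload is not valid JSON"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "Token header or payload is not a JSON object"
    # REQ-TOKEN-001: strict allowlist; "none", "None", "nOnE" all fall outside it
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        return False, f"Token algorithm '{alg}' is not allowed"
    if not parts[2]:
        return False, "Token signature is missing"
    # REQ-TOKEN-002: lifetime is exp - iat, compared against the configured maximum
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int) or exp <= iat:
        return False, "Token lifetime claims are missing or inconsistent"
    if exp - iat > MAX_LIFETIME_SECONDS:
        return False, "Token lifetime exceeds maximum allowed lifetime"
    # REQ-TOKEN-003: claim names that should never leave the identity provider
    leaked = sorted(k for k in payload if k.lower() in LEAKY_CLAIMS)
    if leaked:
        return False, f"Token payload leaks claims: {', '.join(leaked)}"
    return True, ""


def filter_token_response(response: dict) -> dict:
    """Validate every JWT in a Keycloak token response. On the first failure the
    whole response is replaced by the server_error body shown on this page."""
    for field in ("access_token", "id_token", "refresh_token"):
        token = response.get(field)
        if token is None:
            continue
        ok, why = validate_token(token)
        if not ok:
            return {"error": "server_error", "error_description": why}
    return response


if __name__ == "__main__":
    # Constructed alg=none token, mirroring the TOKEN-001 case
    bad = make_token({"alg": "none", "typ": "JWT"},
                     {"sub": "alice", "iat": 1700000000, "exp": 1700000300},
                     signature="")
    print(filter_token_response({"access_token": bad, "token_type": "Bearer"}))
```

The checks run cheapest-first and on the raw string before anything is decoded, so an oversized or character-corrupted token never reaches the JSON parser; the algorithm check is an exact allowlist match rather than a denylist of "none", which also rejects case variants and unexpected algorithm names.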