Using JWT to login to webUI?

Hello,

is there a way to login to the webUI with JWT token? I have configured Keycloak instance and I have configured PI_TRUSTED_JWT for role “user” and username “*”.

However, when I open the webUI with my Keycloak SSO session active, privacyIDEA is still asking for username and password.

Is there anything else that I need to do in addition to the configuration of “PI_TRUSTED_JWT”? Maybe a specific OpenID Connect client for privacyIDEA and opening the WebUI from Keycloak somehow?

Thanks.

Or do I need something like krinklesaurus/jwt-proxy on GitHub (“jwt-proxy is a small OAuth2 proxy service that wraps OAuth access tokens from 3rd party OAuth providers like Google, Facebook or Github into signed JWT tokens”) between Keycloak and privacyIDEA?

Hello,
this is an interesting aspect. We did not have this in mind and we did not explicitly implement this. So it could very much be that it currently does not work.

The TRUSTED_JWTs are designed to impersonate users on an API level and are successfully used this way.

The WebUI sends the JWT with each REST request.
However, the WebUI generates the JWT itself.
The WebUI is an SPA; all data is stored in the tab context of the browser.
The JWT is stored in the User object of the logged-in user in the attribute auth_token.
This is then used for each request.

Where does actually your JWT come from?
How is it available in the browser context?

You would have to “inject” this into the User.auth_token.

I am not sure if I still fully understand this.

If the JWT is generating the token, which private key is used for signing? All I have found was the setting of the public key.

Once the JWT token exists, the user is fully authenticated, right?

Let’s say I have a proxy that connects to an OAuth2 provider, for example Keycloak:

If the JWT does exist, it just validates it against the chosen public key and passes the connection through.
If the JWT does not exist, it lets the user authenticate via OAuth2 (redirect to the IdP) and issues a JWT with data from the OAuth provider (username, …). This JWT is signed with a private key stored on the proxy or on the IdP. (In fact the JWT itself is commonly generated on the IdP; some service just needs to redirect the user to the IdP with the correct parameters.)

The privacyIDEA WebUI then validates the JWT with the configured public key and, if it is valid, authenticates the user.

Or instead of proxy, privacyIDEA could support this authentication natively.

For more information, check https://medium.com/@bcarunmail/securing-rest-api-using-keycloak-and-spring-oauth2-6ddf3a1efcc2

You can call each and every REST endpoint with the JWT in the Authorization header. So this is absolutely no problem, and from scanning over it, this is what the linked Medium article suggests: calling a REST API.

What currently does not work with privacyIDEA is:

  • Calling the main page, which is the WebUI and passing somehow the JWT.

To allow using a JWT contained in the Authorization header in this initial call, the privacyIDEA login page needs to be enhanced.

I am currently not sure how this should work in detail.
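To make the two points above concrete (trusted JWTs impersonate a user at the API level, and the token travels in the Authorization header of every REST call), here is an added example that is not code from privacyIDEA or from anyone in this thread. It mints an RS256 JWT with a private key the IdP side would hold, and then runs the kind of check a PI_TRUSTED_JWT entry implies: signature against the configured public key, algorithm pinned to the configured one, role and username matched with the “*” wildcard, and expiry honoured. The claim names (username, realm, resolver, role), the shape of the PI_TRUSTED_JWT entry and the bare token (no “Bearer ” prefix) in the Authorization header are assumptions about the privacyIDEA API; the `cryptography` package is the only dependency.

```python
"""Added example: minting and checking a privacyIDEA-style trusted JWT.

Not privacyIDEA code. The JWT is assembled by hand so the structure is
visible; RS256 comes from the 'cryptography' package. Claim names, the
PI_TRUSTED_JWT entry layout and the bare Authorization header are
assumptions about privacyIDEA's API.
"""
import base64
import json
import time
from typing import Optional

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(private_key, claims: dict, alg: str = "RS256") -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":  # only used below to show that such a token is rejected
        return signing_input + "."
    sig = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)


def check_trusted_jwt(token: str, trusted: list, now: Optional[float] = None) -> Optional[dict]:
    """Emulates the PI_TRUSTED_JWT decision: accepted claims, or None (assumed semantics)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError:  # covers malformed base64 and JSON as well as a bad split
        return None
    if claims.get("exp", float("inf")) < now:
        return None
    for entry in trusted:
        # The configured algorithm wins; the token's own "alg" never does (blocks alg=none).
        if header.get("alg") != entry["algorithm"] or entry["algorithm"] != "RS256":
            continue
        pub = serialization.load_pem_public_key(entry["public_key"].encode())
        try:
            pub.verify(signature, (h + "." + p).encode(), padding.PKCS1v15(), hashes.SHA256())
        except InvalidSignature:
            continue
        if claims.get("role") != entry["role"]:
            continue
        if entry["username"] not in ("*", claims.get("username")):
            continue
        return claims
    return None


def demo() -> dict:
    """Constructed scenario: one trusted IdP key, one rogue key, several tokens."""
    idp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    rogue_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = idp_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo).decode()
    # Assumed layout of a PI_TRUSTED_JWT entry, mirroring the role/"*" config from the question.
    trusted = [{"public_key": pem, "algorithm": "RS256", "role": "user",
                "username": "*", "realm": "realm1", "resolver": "resolverA"}]
    claims = {"username": "alice", "realm": "realm1", "resolver": "resolverA",
              "role": "user", "exp": int(time.time()) + 300}
    good = sign_jwt(idp_key, claims)
    headers = {"Authorization": good}  # bare token in the header (assumed privacyIDEA convention)
    return {
        "good": check_trusted_jwt(headers["Authorization"], trusted) is not None,
        "forged": check_trusted_jwt(sign_jwt(rogue_key, claims), trusted) is None,
        "escalated": check_trusted_jwt(sign_jwt(idp_key, dict(claims, role="admin")), trusted) is None,
        "expired": check_trusted_jwt(sign_jwt(idp_key, dict(claims, exp=int(time.time()) - 1)), trusted) is None,
        "alg_none": check_trusted_jwt(sign_jwt(None, claims, alg="none"), trusted) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The rejected cases are the ones that matter in practice: a token signed with the wrong key, a token that tries to upgrade its role beyond what the PI_TRUSTED_JWT entry allows, an expired token, and a token that claims `alg: none`. Pinning the verification algorithm to the configured value, rather than reading it from the token header, is what keeps the last case closed.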

Ah, thank you for the valuable insight!

Do you think that it is feasible for a feature request on GitHub? I might be able to make some code 🙂 for some initial implementation, with a little mentoring help.

Thanks again!

There is nothing to lose in giving it a try.