[keycloak-user] JWT signature verification failure
bburke at redhat.com
Tue Nov 11 20:58:47 EST 2014
In the meantime, you could use our impl until I fix it.
On 11/11/2014 8:55 PM, Bill Burke wrote:
> Looking at jjwt, they do this algorithm:
> sign(base64encodedheader + "." + base64encodedContent)
> We just sign the content. Just verified that our impl is wrong. I'll
> fix this for next release.
> On 11/11/2014 7:50 PM, Richard Rattigan wrote:
>> I’m trying to verify keycloak jwt signatures in a Java/Groovy, but I’m
>> not succeeding. I’m new to crypto, so maybe I’m doing something stupid.
>> This is Groovy code. realmPublicKey is the publicKey string from the
>> realm REST response. I’m using the jjwt library to parse the tokens, but
>> I get the same result (signature verification failure) with the nimbus
>> Security.addProvider(new BouncyCastleProvider())
>> def publicKey = KeyFactory
>> .getInstance("RSA", "BC")
>> def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)
>> I get an exception during the parse:
>> io.jsonwebtoken.SignatureException: JWT signature does not match locally
>> computed signature. JWT validity cannot be asserted and should not be
>> Is anyone able to see what I’m doing wrong here?
>> *Richard Rattigan*
>> Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
JBoss, a division of Red Hat
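
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not Keycloak or jjwt code: a JDK-only check of which bytes a compact token's signature actually covers. Assumptions: RS256 (SHA256withRSA), a throwaway key pair and claims constructed for the demo, hypothetical class and method names, and a content-only signature computed over the encoded payload segment (the thread does not say which bytes were signed).

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class JwsSigningInputDemo {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String b64(byte[] b) { return B64.encodeToString(b); }

    static byte[] sign(PrivateKey key, String input) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(input.getBytes(StandardCharsets.US_ASCII));
        return s.sign();
    }

    static boolean verifyOver(PublicKey key, String input, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(input.getBytes(StandardCharsets.US_ASCII));
        return s.verify(sig);
    }

    // Diagnostic only: a real verifier accepts the first case and rejects everything else.
    static String diagnose(PublicKey key, String token) throws GeneralSecurityException {
        String[] p = token.split("\\.");
        if (p.length != 3) return "malformed";
        byte[] sig;
        try { sig = Base64.getUrlDecoder().decode(p[2]); }
        catch (IllegalArgumentException e) { return "malformed"; }
        // Signing input used by jjwt, as quoted above: encoded header + "." + encoded content
        if (verifyOver(key, p[0] + "." + p[1], sig)) return "valid: header.payload signed";
        // The behaviour described in the reply: header left out of the signed bytes
        if (verifyOver(key, p[1], sig)) return "invalid: only the payload segment signed";
        return "invalid: signature matches neither input";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // throwaway key, constructed for the demo
        String h = b64("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8));
        String c = b64("{\"sub\":\"demo-user\"}".getBytes(StandardCharsets.UTF_8));
        String good = h + "." + c + "." + b64(sign(kp.getPrivate(), h + "." + c));
        String contentOnly = h + "." + c + "." + b64(sign(kp.getPrivate(), c));
        System.out.println(diagnose(kp.getPublic(), good));        // header.payload signed
        System.out.println(diagnose(kp.getPublic(), contentOnly)); // only the payload segment signed
    }
}
```

A token that lands in the second case fails verification in a library that signs the header and content together, and because its header is outside the signed bytes, the header can be altered without invalidating the signature.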