[keycloak-user] Validating JWT tokens

Thomas Darimont thomas.darimont at googlemail.com
Wed May 11 05:09:46 EDT 2016


Hello,

another example for (parsing and) validating a Keycloak JWT was posted on the
ML a few months ago:
http://lists.jboss.org/pipermail/keycloak-user/2016-March/005325.html

In the example the token is only successfully parsed when the token is
valid.

Cheers,
Thomas

2016-05-11 10:45 GMT+02:00 Gerard Laissard <glaissard at axway.com>:

> My 2 cents:
>
> There is an openSSL example to verify a jwt:
>
> https://gist.github.com/rolandyoung/176dd310a6948e094be6
>
> By using jose4j:
>
>         import org.jose4j.jws.JsonWebSignature;
>
>         // be sure you do not have any EOL at the end of the token
>         String accessToken = …;
>         accessToken = accessToken.replaceAll("\r\n", "");
>         accessToken = accessToken.replaceAll("\n", "");
>
>         JsonWebSignature jws = new JsonWebSignature();
>         jws.setCompactSerialization(accessToken);
>         jws.setKey(publicKey);
>         boolean signatureVerified = jws.verifySignature();
>
> To get a PublicKey, if you put the content of the realm public key you get
> from the Keycloak admin into a file:
>
>         import java.io.*;
>         import java.nio.charset.StandardCharsets;
>         import java.security.*;
>         import java.security.spec.*;
>         import java.util.Base64;
>
>         public PublicKey getPublicKey(String fileName) {
>             File f = new File(fileName);
>             try (FileInputStream fis = new FileInputStream(f);
>                  DataInputStream dis = new DataInputStream(fis)) {
>                 byte[] keyBytes = new byte[(int) f.length()];
>                 dis.readFully(keyBytes);
>
>                 // convert to DER format: strip the PEM armor and line breaks,
>                 // leaving only the base64 body, then decode it
>                 String pem = new String(keyBytes, StandardCharsets.US_ASCII);
>                 pem = pem.replaceAll("-----BEGIN (.*)-----", "");
>                 pem = pem.replaceAll("-----END (.*)-----", "");
>                 pem = pem.replaceAll("\r\n", "");
>                 pem = pem.replaceAll("\n", "");
>
>                 byte[] der = Base64.getDecoder().decode(pem); // java 8
>                 X509EncodedKeySpec spec = new X509EncodedKeySpec(der);
>                 KeyFactory kf = KeyFactory.getInstance("RSA");
>                 return kf.generatePublic(spec);
>             } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
>                 throw new RuntimeException("Failed to load public key from file '" + fileName + "'", e);
>             }
>         }
>
> With Java 8, it is quite simple too:
>
>         import java.nio.charset.StandardCharsets;
>         import java.security.Signature;
>         import java.util.Base64;
>
>         String[] tokenParts = accessToken.split("\\.");
>         // detect algo from tokenParts[0] or put "SHA256withRSA" (for "RS256")
>         String jwtSignAlgo = "SHA256withRSA";
>         // the signing input is the base64url header and payload joined by "."
>         String jwtInputString = tokenParts[0] + "." + tokenParts[1];
>         // the signature is raw bytes: decode it to byte[], not to a String
>         byte[] jwtDecodedSign = Base64.getUrlDecoder().decode(tokenParts[2]);
>
>         Signature verifier = Signature.getInstance(jwtSignAlgo);
>         verifier.initVerify(publicKey);
>         verifier.update(jwtInputString.getBytes(StandardCharsets.UTF_8));
>         boolean signatureVerified = verifier.verify(jwtDecodedSign);
>
> gerard
>
> From: keycloak-user-bounces at lists.jboss.org [mailto:
> keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen
> Sent: Friday 6 May 2016 07:33
> To: Aikeaguinea
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Validating JWT tokens
>
> On 4 May 2016 at 18:37, Aikeaguinea <aikeaguinea at xsmail.com> wrote:
>
> Figured it out, kinda. I have to use the Realm public key, and at least
> in jwt.io it has to begin with "-----BEGIN PUBLIC KEY-----" and end with
> "-----END PUBLIC KEY-----" -- these can't be omitted.
>
> If I try using the Realm certificate, it won't work, however, whether or
> not I use "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----".
>
> If I use the validator at http://kjur.github.io/jsjws/tool_jwt.html and
> select "default X509 Certificate (RSA z4)" it tells me "Error: malformed
> X.509 certificate PEM (code:003)"
>
> I can use the Realm public key for validating the JWT, but shouldn't the
> certificate work as well?
>
>
> The certificate is only used by SAML, so no, you can't verify the JWT with
> the certificate, only with the public key.
>
>
> On Wed, May 4, 2016, at 12:00 PM, Aikeaguinea wrote:
> > I have a client with a service account and credentials using Signed Jwt.
> > Authentication works fine. The service uses
> >
> org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials
> > to create the JWT token and set the headers, and I get back a JWT
> > containing an access token from Keycloak.
> >
> > However, when I use jwt.io to look at the access token, I can't validate
> > the signature. This is true whether I use the client Certificate (from
> > the client's Credentials tab), the Realm public key, or the Realm
> > Certificate. In addition, I have generated the client's public key from
> > the certificate using
> >
> > keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore
> > client-keystore.jks | openssl x509 -inform pem -pubkey
> >
> > on the jks file supplied when I generated the client credentials, and
> > that doesn't work either.
> >
> > We've also been having trouble validating the signature programmatically
> > using Java.
> >
> > Any idea why I might be seeing this?
> >
> > --
> > http://www.fastmail.com - Or how I learned to stop worrying and
> >                           love email again
> >
>
>
> --
>   Aikeaguinea
>   aikeaguinea at xsmail.com
>
> --
> http://www.fastmail.com - Send your email first class
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
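The thread above shows three pieces separately: stripping a stray EOL from a pasted token, turning the realm public key PEM into a `PublicKey`, and checking the RSA signature. The following is an added example (not code from this thread, from Keycloak, or from jose4j's documentation) that puts them together with jose4j's `JwtConsumer`, which also pins the algorithm to RS256 and checks issuer, audience and expiry, so a token is accepted only if every check passes. It assumes jose4j on the classpath; the realm key pair, the issuer URL `https://sso.example.test/auth/realms/demo`, the audience `my-service` and the token itself are constructed in-process so the program runs offline without a Keycloak server.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

public class RealmTokenValidation {

    /** Parse the realm public key as shown in the Keycloak admin console (with or without PEM armor). */
    static PublicKey parseRealmPublicKey(String pem) throws Exception {
        String body = pem.replaceAll("-----BEGIN [A-Z ]+-----", "")
                         .replaceAll("-----END [A-Z ]+-----", "")
                         .replaceAll("\\s+", "");          // drop CR/LF and blanks
        byte[] der = Base64.getDecoder().decode(body);     // DER-encoded SubjectPublicKeyInfo
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** One consumer that checks signature, algorithm, issuer, audience and expiry together. */
    static JwtConsumer realmTokenConsumer(PublicKey realmKey, String issuer, String audience) {
        return new JwtConsumerBuilder()
            .setVerificationKey(realmKey)
            // accept RS256 only; a header naming any other algorithm is rejected before verification
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                    AlgorithmIdentifiers.RSA_USING_SHA256))
            .setExpectedIssuer(issuer)       // the realm URL Keycloak puts in "iss"
            .setExpectedAudience(audience)
            .setRequireExpirationTime()
            .setAllowedClockSkewInSeconds(30)
            .build();
    }

    /** Verify a compact JWS and return its subject, or null if any check fails. */
    static String subjectOf(JwtConsumer consumer, String compactToken) {
        try {
            // trim() removes the trailing EOL a copy/paste tends to add to the token
            JwtClaims claims = consumer.processToClaims(compactToken.trim());
            return claims.getSubject();
        } catch (InvalidJwtException | MalformedClaimException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the realm key pair; in a real deployment only the public
        // half is available to a service, as the PEM shown in the admin console.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair realm = gen.generateKeyPair();
        String realmPem = "-----BEGIN PUBLIC KEY-----\n"
            + Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                    .encodeToString(realm.getPublic().getEncoded())
            + "\n-----END PUBLIC KEY-----\n";

        String issuer = "https://sso.example.test/auth/realms/demo";   // constructed issuer
        String audience = "my-service";                                // constructed audience

        // Constructed access token signed with the stand-in realm key (no Keycloak needed offline)
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuer);
        claims.setAudience(audience);
        claims.setSubject("alice");
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(realm.getPrivate());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        String token = jws.getCompactSerialization() + "\n";   // simulate a pasted token with a stray EOL

        JwtConsumer consumer = realmTokenConsumer(parseRealmPublicKey(realmPem), issuer, audience);
        System.out.println("subject: " + subjectOf(consumer, token));

        // The same token checked against a different realm's key must fail the signature check
        KeyPair otherRealm = gen.generateKeyPair();
        JwtConsumer wrongConsumer = realmTokenConsumer(otherRealm.getPublic(), issuer, audience);
        System.out.println("subject: " + subjectOf(wrongConsumer, token));
    }
}
```

The first `subjectOf` call returns `alice`; the second returns `null` and prints the rejection reason, because the signature does not verify under the other key. Pinning the algorithm with `AlgorithmConstraints` is what keeps the verification key from being interpreted under a different algorithm than the one the realm actually signs with, and the `trim()` covers the trailing-EOL problem Gerard points out above.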