[keycloak-user] Validating JWT tokens

Josh Cain josh.cain at redhat.com
Wed May 11 09:50:43 EDT 2016


I recently put together a quick test for this as well using jjwt:
https://github.com/cainj13/jwtExamples/blob/master/src/test/java/jcain/example/TokenParseTest.java

Pretty similar to the gist that Thomas mentioned above.

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Wed, May 11, 2016 at 4:09 AM, Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Hello,
>
> another example for (Parsing) & Validating a Keycloak JWT was posted on
> the ML a few months ago:
> http://lists.jboss.org/pipermail/keycloak-user/2016-March/005325.html
>
> In the example the token is only successfully parsed when the token is
> valid.
>
> Cheers,
> Thomas
>
> 2016-05-11 10:45 GMT+02:00 Gerard Laissard <glaissard at axway.com>:
>
>>
>>
>> My 2 cents:
>>
>> There is an openSSL example to verify a jwt:
>>
>> https://gist.github.com/rolandyoung/176dd310a6948e094be6
>>
>>
>>
>> By using jose4j
>>
>>         // be sure you do not have any EOL at the end of the token
>>         String accessToken = …;
>>         accessToken = accessToken.replaceAll("\r\n", "");
>>         accessToken = accessToken.replaceAll("\n", "");
>>
>>         // JsonWebSignature is org.jose4j.jws.JsonWebSignature
>>         JsonWebSignature jws = new JsonWebSignature();
>>         jws.setCompactSerialization(accessToken);
>>         jws.setKey(publicKey);
>>         boolean signatureVerified = jws.verifySignature();
>>
>> To get a PublicKey: if you put the content of the realm public you get
>> from keycloak admin
>>
>>         import java.io.*;
>>         import java.security.*;
>>         import java.security.spec.*;
>>         import java.util.Base64;
>>
>>         public PublicKey getPublicKey(String fileName) {
>>             File f = new File(fileName);
>>             try (FileInputStream fis = new FileInputStream(f);
>>                  DataInputStream dis = new DataInputStream(fis)) {
>>                 byte[] keyBytes = new byte[(int) f.length()];
>>                 dis.readFully(keyBytes);
>>
>>                 // convert to der format: strip the PEM armor and line breaks
>>                 String pem = new String(keyBytes);
>>                 pem = pem.replaceAll("-----BEGIN (.*)-----", "");
>>                 pem = pem.replaceAll("-----END (.*)-----", "");
>>                 pem = pem.replaceAll("\r\n", "");
>>                 pem = pem.replaceAll("\n", "");
>>                 byte[] der = Base64.getDecoder().decode(pem); // java 8
>>
>>                 // the decoded bytes are an X.509 SubjectPublicKeyInfo structure
>>                 X509EncodedKeySpec spec = new X509EncodedKeySpec(der);
>>                 KeyFactory kf = KeyFactory.getInstance("RSA");
>>                 return kf.generatePublic(spec);
>>             } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
>>                 throw new RuntimeException("Failed to load public key from file '" + fileName + "'", e);
>>             }
>>         }
>>
>>
>>
>> With Java 8, it is quite simple too
>>
>>         String[] tokenParts = accessToken.split("\\.");
>>         // detect algo from tokenParts[0] or put "SHA256withRSA" (for "RS256")
>>         String jwtSignAlgo = "SHA256withRSA";
>>         String jwtInputString = tokenParts[0] + "." + tokenParts[1];
>>         // the signature is raw bytes, so keep it as byte[] rather than a String
>>         byte[] jwtDecodedSign = Base64.getUrlDecoder().decode(tokenParts[2]);
>>         Signature verifier = Signature.getInstance(jwtSignAlgo);
>>         verifier.initVerify(publicKey);
>>         verifier.update(jwtInputString.getBytes("UTF-8"));
>>         boolean signatureVerified = verifier.verify(jwtDecodedSign);
>>
>>
>>
>>
>>
>> gerard
>>
>>
>>
>>
>>
>> *From:* keycloak-user-bounces at lists.jboss.org [mailto:
>> keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Stian Thorgersen
>> *Sent:* Friday, 6 May 2016 07:33
>> *To:* Aikeaguinea
>> *Cc:* keycloak-user
>> *Subject:* Re: [keycloak-user] Validating JWT tokens
>>
>>
>>
>>
>>
>>
>>
>> On 4 May 2016 at 18:37, Aikeaguinea <aikeaguinea at xsmail.com> wrote:
>>
>> Figured it out, kinda. I have to use the Realm public key, and at least
>> in jwt.io it has to begin with "-----BEGIN PUBLIC KEY-----" and end with
>> "-----END PUBLIC KEY-----" -- these can't be omitted.
>>
>> If I try using the Realm certificate, it won't work, however, whether or
>> not I use "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----".
>>
>> If I use the validator at http://kjur.github.io/jsjws/tool_jwt.html and
>> select "default X509 Certificate (RSA z4)" it tells me "Error: malformed
>> X.509 certificate PEM (code:003)"
>>
>> I can use the Realm public key for validating the JWT, but shouldn't the
>> certificate work as well?
>>
>>
>>
>> The certificate is only used by SAML, so no, you can't verify the JWT with
>> the certificate, only the public key.
>>
>>
>>
>>
>> On Wed, May 4, 2016, at 12:00 PM, Aikeaguinea wrote:
>> > I have a client with a service account and credentials using Signed Jwt.
>> > Authentication works fine. The service uses
>> >
>> > org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials
>> > to create the JWT token and set the headers, and I get back a JWT
>> > containing an access token from Keycloak.
>> >
>> > However, when I use jwt.io to look at the access token, I can't validate
>> > the signature. This is true whether I use the client Certificate (from
>> > the client's Credentials tab), the Realm public key, or the Realm
>> > Certificate. In addition, I have generated the client's public key from
>> > the certificate using
>> >
>> > keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore
>> > client-keystore.jks | openssl x509 -inform pem -pubkey
>> >
>> > on the jks file supplied when I generated the client credentials, and
>> > that doesn't work either.
>> >
>> > We've also been having trouble validating the signature programmatically
>> > using Java.
>> >
>> > Any idea why I might be seeing this?
>> >
>> > --
>> > http://www.fastmail.com - Or how I learned to stop worrying and
>> >                           love email again
>> >
>>
>>
>> --
>>   Aikeaguinea
>>   aikeaguinea at xsmail.com
>>
>> --
>> http://www.fastmail.com - Send your email first class
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
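
An added example, not code from this thread or from Keycloak: the plain-JDK signature check discussed above as one runnable class that loads a realm public key given as bare base64 or PEM, fixes the algorithm to RS256 instead of reading it from the token header, and rejects a token whose payload was changed. The class and method names, the generated key pair and the token contents are constructed for illustration; only the signature is checked here, not claims such as expiry or issuer.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
public class RealmKeyJwtCheck {
    // Accepts the realm public key as bare base64 or with PEM armor and decodes
    // it as an X.509 SubjectPublicKeyInfo structure.
    static PublicKey parseRealmKey(String text) throws GeneralSecurityException {
        String b64 = text.replaceAll("-----(BEGIN|END) PUBLIC KEY-----", "").replaceAll("\\s", "");
        return KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(b64)));
    }

    // Verifies an RS256 compact JWS with a fixed algorithm; a header naming any other
    // "alg" is rejected (regex check is a simplification, the JDK has no JSON parser).
    static boolean verifyRs256(String token, PublicKey key) {
        try {
            String[] p = token.trim().split("\\.");
            if (p.length != 3) return false;
            String header = new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
            if (!header.matches("(?s).*\"alg\"\\s*:\\s*\"RS256\".*")) return false;
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(key);
            v.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
            return v.verify(Base64.getUrlDecoder().decode(p[2])); // raw signature bytes
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // bad base64 or a malformed signature counts as invalid
        }
    }

    static String b64url(String json) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        // Constructed key pair and token standing in for a realm key and access token.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String head = b64url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}");
        String signingInput = head + "." + b64url("{\"sub\":\"demo\"}");
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        String sig = Base64.getUrlEncoder().withoutPadding().encodeToString(signer.sign());
        PublicKey realmKey = parseRealmKey(Base64.getEncoder().encodeToString(kp.getPublic().getEncoded()));
        System.out.println("genuine token: " + verifyRs256(signingInput + "." + sig + "\n", realmKey));
        System.out.println("altered token: " + verifyRs256(head + "." + b64url("{\"sub\":\"admin\"}") + "." + sig, realmKey));
    }
}
```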