[keycloak-user] k_query_bearer_token, is there a way to query the associated public key?

Stian Thorgersen sthorger at redhat.com
Fri Feb 3 03:51:18 EST 2017 

jwt.io is a bit odd, but it does work. To get it to work do the following:

* Select RS256 for the algorithm - they could detect this from the token,
but they don't
* In the "verify signature" box paste the realm public key pem in-between
the lines "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" (you
need to keep the header/footer otherwise jwt.io doesn't decrypt the key
correctly)
* Paste the token

Now it should work.

On 1 February 2017 at 22:15, Scott Stark <sstark at redhat.com> wrote:

> I was able to verify the token using the com.auth0 JWT library, so there
> must be something amiss with the web interface to the debugger. FYI, this
> is the little program I put together to do the verification:
>
> import java.security.KeyFactory;
> import java.security.interfaces.RSAKey;
> import java.security.spec.X509EncodedKeySpec;
> import java.util.Base64;
>
> import com.auth0.jwt.JWT;
> import com.auth0.jwt.JWTVerifier;
> import com.auth0.jwt.algorithms.Algorithm;
> import com.auth0.jwt.interfaces.Claim;
>
> public class VerifyJWT {
>     public static void main(String[] args) throws Exception {
>         String token = "eyJhbGciOiJSUzI1NiIsInR5cCIgOi
> AiSldUIiwia2lkIiA6ICJGeFZlX1pUTHBoU0JrMGZMSDBmaDltUWY1OWkzNn
> VXOFBDeFFvWkE4eHdvIn0.eyJqdGkiOiJlYzI2NDhhYS1jNTdmLT
> RhZGEtYTZlMi03ZjU4ZTBmOTIyZjQiLCJleHAiOjE0ODU5ODM2NDMsIm5iZi
> I6MCwiaWF0IjoxNDg1OTgzMzQzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0Oj
> gxODAvYXV0aC9yZWFsbXMvTWljcm9wcm9maWxlIiwiYXVkIjoidmFuaWxsYS
> IsInN1YiI6IjhjM2Y1ZTRiLWZiM2EtNDZiYS04ODk5LTQyNTNkNzQzMGI4Zi
> IsInR5cCI6IkJlYXJlciIsImF6cCI6InZhbmlsbGEiLCJhdXRoX3RpbWUiOj
> E0ODU5ODE4NDAsInNlc3Npb25fc3RhdGUiOiJkZDg5MjU4Yy1iMjRmLTQ0ZW
> UtYWJhZS00NWJmZjNhMTI4NmIiLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb2
> 4iOiI5ZDA2ZmY2NS1kMWIwLTQ2ZWYtYjJlYi05NmVmY2Y3ZjJjZGQiLCJhbG
> xvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MDgwIl0sInJlYW
> xtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicm
> Vzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLW
> FjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiTWljcm9wcm9maW
> xlIERlbW8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkZW1vIiwiZ2l2ZW5fbm
> FtZSI6Ik1pY3JvcHJvZmlsZSIsImZhbWlseV9uYW1lI!
>  joiRGVtbyIsImVtYWlsIjoibXBkZW1vQHN0YXJraW50ZXJuYXRpb25hbC5jb20ifQ.
> YsoInnbkrPRyvauYsf5P5BePuPFFCyWBKz3TfP9FyeArp2bYyOzDusTEPCqh
> Sx3-yYGsPxlVmsdu7LNonLs-rCXPki3uP3WAiSiyla4NXcBwly2kzM4EyO_
> J8CO9d4SqGEY8HDwTIga5E55KEOoYqOkGtj2pirIo8tlPa4SW2vwttvxix2z
> MOeyD50vZDAD3laVBzGsc07GMdFKvj4B0ZfUBM-l-92HB1xMWNNc1d-
> xbrLq8rKXyYeobU4bC4_WxHJOlOco-Z_60lD0z9vtmpaCpyOkq26V4Ygunhzd-
> 36ofKdiYBjNURaB3SNc4l5OFZLCM12nkM_bb3_kO538Zyw";
>         JWT jwt = JWT.decode(token);
>         Claim alg = jwt.getHeaderClaim("alg");
>         System.out.printf("alg: %s\n", alg.asString());
>         Claim type = jwt.getHeaderClaim("typ");
>         System.out.printf("typ: %s\n", type.asString());
>         Claim kid = jwt.getHeaderClaim("kid");
>         System.out.printf("kid: %s\n", kid.asString());
>
>         String key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ
> 8AMIIBCgKCAQEAhir7PLNN6PafmxEN89tXD+vJGU+Io2QcnyAxw6MzGSYD1Rla3fzIVRBlh
> bq3rYd8SWcPPZ2i/SAyfnzt3d9KPef+Vp8v3GfuVn2NoutPsxJA/1do+vcW/
> lT5EDtbl9GQovMvFHE4JbgStdaRLD/4/w90zjbmEU4/J5beiqMAYioJQ5suE7P4N5OulZobPG
> I0hibQ9lWM03gWocCnP1RtXWfzliQ0F2LqrBJS6GckcRwln/q0sacgK1ZC/
> XLIty7w88bxV7PXKfgsqROId/1Fl6kJBl6AjdQkJtSQxo+
> UOW4AJvABg6qvcC0bg1JkzDY0OPEMAm+AhUvdYzxrklvCJwIDAQAB";
>         byte[] byteKey = Base64.getDecoder().decode(key.getBytes());
>         X509EncodedKeySpec X509publicKey = new X509EncodedKeySpec(byteKey);
>         KeyFactory kf = KeyFactory.getInstance("RSA");
>
>         RSAKey publicKey = (RSAKey) kf.generatePublic(X509publicKey);
>         JWTVerifier verifier = JWT.require(Algorithm.RSA256(publicKey))
>             .withIssuer("http://localhost:8180/auth/realms/Microprofile")
>             .build();
>         verifier.verify(token);
>     }
>
> }
>
>
> ----- Original Message -----
> From: "Scott Stark" <sstark at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, February 1, 2017 12:42:47 PM
> Subject: Re: [keycloak-user] k_query_bearer_token, is there a way to query
> the associated public key?
>
> I was able to find the public key from the Realm Settings/Keys section of
> the admin console, but I'm not able to get the signature to verify on the
> https://jwt.io debugger.
>
> For example, this token and public key won't work to verify the signature:
>
> eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGeFZlX1pU
> THBoU0JrMGZMSDBmaDltUWY1OWkzNnVXOFBDeFFvWkE4eHdvIn0.
> eyJqdGkiOiIwYTJlNDljNy05ZTA1LTQ3MmUtOGQ5OS02ZGYwOGYxYmY5MzYi
> LCJleHAiOjE0ODU5ODAwMTMsIm5iZiI6MCwiaWF0IjoxNDg1OTc5NzEzLCJp
> c3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvTWljcm9w
> cm9maWxlIiwiYXVkIjoidmFuaWxsYSIsInN1YiI6IjhjM2Y1ZTRiLWZiM2Et
> NDZiYS04ODk5LTQyNTNkNzQzMGI4ZiIsInR5cCI6IkJlYXJlciIsImF6cCI6
> InZhbmlsbGEiLCJhdXRoX3RpbWUiOjE0ODU5NzY5ODgsInNlc3Npb25fc3Rh
> dGUiOiJlYmQxMDgyZi02MWI3LTRlNzEtYTBkNi1iZTc1MzA3ODYzNjMiLCJh
> Y3IiOiIwIiwiY2xpZW50X3Nlc3Npb24iOiI1NDhhZTVjNi1mZTU4LTQwZGQt
> OWY0Yy03NmE4N2EwMjcwYzciLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDov
> L2xvY2FsaG9zdDo4MDgwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1
> bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291
> bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUi
> XX19LCJuYW1lIjoiTWljcm9wcm9maWxlIERlbW8iLCJwcmVmZXJyZWRfdXNl
> cm5hbWUiOiJkZW1vIiwiZ2l2ZW5fbmFtZSI6Ik1pY3JvcHJvZmlsZSIsImZh
> bWlseV9uYW1lIjoiRGVtbyIsImVtYWlsIjoib!
>  XBkZW1vQHN0YXJraW50ZXJuYXRpb25hbC5jb20ifQ.TAgwCENsVF9bug3TbvjB-KD_
> kT3AfLDduK_vQ-1Gp5ejeDLRVcppktXpIWe1jhJTKmqXIwL48S636BYrP35iNmlJLGIxm706o-
> BU6SO8IJND_OJdfbCdkUrekcGTS8k5B2D_idQnnl-DcwKJs0Mqv8q_
> XD2XqCTAu1nTKsrTlFn6QoZ0_-Q_bRsmZ_Rgob5Gf4Vw93I5OnS5zRUV_qi-
> VEDTEtAO3YlfWdTJXYXYeSGVXTjExw6TikYlcQETolfr-sxhfcPEH5KWQnUw_
> 40hb12Zzxp3DdnJuQ34NKe5vgPNW1Q3geT7YLGYcY1pJFmvLEKxDC5WxRNMp_PFYLYxTA
>
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhir7PLNN6PafmxEN89tXD+vJGU+
> Io2QcnyAxw6MzGSYD1Rla3fzIVRBlhbq3rYd8SWcPPZ2i/SAyfnzt3d9KPef+
> Vp8v3GfuVn2NoutPsxJA/1do+vcW/lT5EDtbl9GQovMvFHE4JbgStdaRLD/4/w90zjbmEU4/
> J5beiqMAYioJQ5suE7P4N5OulZobPGI0hibQ9lWM03gWocCnP1RtXWfzliQ0
> F2LqrBJS6GckcRwln/q0sacgK1ZC/XLIty7w88bxV7PXKfgsqROId/
> 1Fl6kJBl6AjdQkJtSQxo+UOW4AJvABg6qvcC0bg1JkzDY0OPEMAm+AhUvdYzxrklvCJwIDAQAB
>
> ----- Original Message -----
> From: "Scott Stark" <sstark at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, February 1, 2017 11:50:34 AM
> Subject: [keycloak-user] k_query_bearer_token, is there a way to query the
> associated public key?
>
> So I can query the current access token via the myapp-root/k_query_bearer_token
> when expose-token is set to true, but is there a way to query the public
> key associated with the signature portion of the token?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list