[keycloak-user] Hitting error -- "Didn't find publicKey for specified kid"
Sebastien Blanc
sblanc at redhat.com
Tue Jul 25 09:54:04 EDT 2017
Okay, to have the complete picture could paste the command you issue to
call your REST service ?
On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
wrote:
> Sebastien,
>
> Here is a token response -
>
> {
> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOi
> AiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeX
> VUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLT
> Q4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZi
> I6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS
> 4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZW
> IiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOT
> giLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbW
> UiOjAsInNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS
> 0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5Mj
> FjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW
> 9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYW
> xtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZX
> IiXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7In
> JvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycy
> IsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIi
> wicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIi
> widmlldy1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS
> 1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW
> 50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX
> 0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2
> UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLC
> JwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cm
> lsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL
> -mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
> cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_
> Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg_
> tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_
> uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
> "expires_in": 300,
> "refresh_expires_in": 1800,
> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOi
> AiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeX
> VUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLT
> QwY2ItYTE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZi
> I6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS
> 4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZW
> IiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOT
> giLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW
> 1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MT
> ktMDg5YTIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZT
> kyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm
> 9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV
> 9hY2Nlc3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LX
> JlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbn
> RpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIi
> wiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaX
> phdGlvbiIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LW
> V2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYX
> V0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7In
> JvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3
> MiLCJ2aWV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKIhIF6
> Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-EXGJQkqH4NNqZ1W_
> 1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvaiucFCa8H599Ox6QRE
> 3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv_
> rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdGgDnL5jCCRLTVF
> nPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
> "token_type": "bearer",
> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOi
> AiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeX
> VUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LT
> RhNTgtOTJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZi
> I6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS
> 4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZW
> IiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOT
> giLCJ0eXAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MC
> wic2Vzc2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OW
> EyMTM5NmU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZX
> JuYW1lIjoic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tIn0.
> eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_
> XOXUmHAuihxXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVBn_
> kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6bG8cyJHQ4_
> FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYOp4lJpU5JqeaVm
> Yp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
> "not-before-policy": 0,
> "session_state": "3231f46f-229b-42d3-a419-089a21396e67"
> }
>
>
> I checked it in jwt.io . The kid is same as the "rsa-generated" one,
> shown in the screen shot I shared yesterday. Although jwt complained as
> "Invalid Signature" .
>
>
> Thomas, the connectivity should not be an issue as I am able to get the
> access token from my app wildfly server using curl. So keycloak is
> reachable from my wildfly server. Anything specific you did to resolve your
> issue ?
>
> Regards,
> Rajesh
>
> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc at redhat.com>
> wrote:
>
>> This looks all correct. Could you try paste your access token or even
>> check it your self on jwt.io to see if the kid is present ?
>>
>>
>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>> wrote:
>>
>>> Sebastien,
>>>
>>> I am attaching a pdf containing the screen shots. Few more points I
>>> wanted to mention.
>>>
>>> i) I didn't install the public client -- "bkofc-web" in the wildfly
>>> container which hosts my REST services. I did it for "bkofc-svc" client
>>> which is bearer only. I hope that is the correct approach.
>>> ii) Both keycloak and my application are running on docker containers
>>> locally in my laptop.
>>>
>>> Let me know if you need anything else to analyze.
>>>
>>> Thanks,
>>> Rajesh
>>>
>>>
>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <sblanc at redhat.com>
>>> wrote:
>>>
>>>> yes please
>>>>
>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>>>> wrote:
>>>>
>>>>> Yes definitely. I did replace it with the actual war name. Let me know
>>>>> if you would like me to paste screen shots of realm configurations, client
>>>>> configurations.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Ok and for :
>>>>>> <secure-deployment name="my war file.war">
>>>>>>
>>>>>> Did you replace that with the actual name of your war file ?
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Hello Sebastien,
>>>>>>>
>>>>>>> I am using 3.1.0.Final build.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <sblanc at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am trying to secure my REST services using the method described
>>>>>>>>> in the
>>>>>>>>> document --
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>>> ak-securing.html
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I am securing my war using JBoss subsystem , instead of per-war
>>>>>>>>> option. The
>>>>>>>>> relevant sections from my standalone.xml are posted below.
>>>>>>>>>
>>>>>>>>> <extensions>
>>>>>>>>> ......
>>>>>>>>> <extension module="org.keycloak.keycloak-
>>>>>>>>> adapter-subsystem"/>
>>>>>>>>> </extensions>
>>>>>>>>>
>>>>>>>>> <security-domains>
>>>>>>>>> .....
>>>>>>>>> <security-domain name="keycloak">
>>>>>>>>> <authentication>
>>>>>>>>> <login-module
>>>>>>>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>> flag="required"/>
>>>>>>>>> </authentication>
>>>>>>>>> </security-domain>
>>>>>>>>> </security-domains>
>>>>>>>>>
>>>>>>>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>> <secure-deployment name="my war file.war">
>>>>>>>>> <realm>bkofc</realm>
>>>>>>>>> <resource>bkofc-svc</resource>
>>>>>>>>>
>>>>>>>>> <use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>> <bearer-only>true</bearer-only>
>>>>>>>>> <auth-server-url>http://192.168.99.100/30001/auth
>>>>>>>>> </auth-server-url>
>>>>>>>>> <ssl-required>none</ssl-required>
>>>>>>>>> <credential
>>>>>>>>> name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>>>> </secure-deployment>
>>>>>>>>> </subsystem>
>>>>>>>>>
>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>
>>>>>>>>> curl -i curl --data
>>>>>>>>> "grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>> ord=password"
>>>>>>>>> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>> d-connect/token
>>>>>>>>>
>>>>>>>>> Note:- I have created 2 clients -- i) bkofc-svc which is bearer
>>>>>>>>> only, for
>>>>>>>>> my REST services ii) bkofc-web , a public client to simulate UI
>>>>>>>>> login
>>>>>>>>>
>>>>>>>>> However when I try to use the access token to invoke a service, I
>>>>>>>>> am
>>>>>>>>> getting the error -
>>>>>>>>>
>>>>>>>>> Status: 401
>>>>>>>>>
>>>>>>>>> WWW-Authenticate Bearer realm="bkofc", error="invalid_token",
>>>>>>>>> error_description="Didn't find publicKey for specified kid"
>>>>>>>>>
>>>>>>>>> Please let me know if I am missing something here. I have been
>>>>>>>>> breaking my
>>>>>>>>> head last few days without any luck ! I have also tried rotating
>>>>>>>>> the realm
>>>>>>>>> keys.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rajesh
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
More information about the keycloak-user
mailing list