<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 4 May 2016 at 18:37, Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Figured it out, kinda. I have to use the Realm public key, and at least<br>
in <a href="http://jwt.io" rel="noreferrer" target="_blank">jwt.io</a> it has to begin with "-----BEGIN PUBLIC KEY-----" and end with<br>
"-----END PUBLIC KEY-----" -- these can't be omitted.<br>
<br>
If I try using the Realm certificate, it won't work, however, whether or<br>
not I use "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----".<br>
<br>
If I use the validator at <a href="http://kjur.github.io/jsjws/tool_jwt.html" rel="noreferrer" target="_blank">http://kjur.github.io/jsjws/tool_jwt.html</a> and<br>
select "default X509 Certificate (RSA z4)" it tells me "Error: malformed<br>
X.509 certificate PEM (code:003)"<br>
<br>
I can use the Realm public key for validating the JWT, but shouldn't the<br>
certificate work as well?<br></blockquote><div><br></div><div>The certificate is only used by SAML, so no, you can't verify the JWT with the certificate, only with the public key.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class="im HOEnZb"><br>
On Wed, May 4, 2016, at 12:00 PM, Aikeaguinea wrote:<br>
> I have a client with a service account and credentials using Signed Jwt.<br>
> Authentication works fine. The service uses<br>
> org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials<br>
> to create the JWT token and set the headers, and I get back a JWT<br>
> containing an access token from Keycloak.<br>
><br>
> However, when I use <a href="http://jwt.io" rel="noreferrer" target="_blank">jwt.io</a> to look at the access token, I can't validate<br>
> the signature. This is true whether I use the client Certificate (from<br>
> the client's Credentials tab), the Realm public key, or the Realm<br>
> Certificate. In addition, I have generated the client's public key from<br>
> the certificate using<br>
><br>
> keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore<br>
> client-keystore.jks | openssl x509 -inform pem -pubkey<br>
><br>
> on the jks file supplied when I generated the client credentials, and<br>
> that doesn't work either.<br>
><br>
> We've also been having trouble validating the signature programmatically<br>
> using Java.<br>
><br>
> Any idea why I might be seeing this?<br>
><br>
> --<br>
> <a href="http://www.fastmail.com" rel="noreferrer" target="_blank">http://www.fastmail.com</a> - Or how I learned to stop worrying and<br>
> love email again<br>
><br>
<br>
<br>
</span><span class="HOEnZb"><font color="#888888">--<br>
Aikeaguinea<br>
<a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br>
<br>
--<br>
<a href="http://www.fastmail.com" rel="noreferrer" target="_blank">http://www.fastmail.com</a> - Send your email first class<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div></div></blockquote></div><br></div></div>
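An added example, not code from this thread or from the Keycloak project, that makes the reply's distinction concrete: it builds a constructed stand-in for the realm key pair with openssl, mints an RS256 token, and checks which PEM files `openssl dgst -verify` accepts, including the bare base64 realm key rewrapped in the "-----BEGIN PUBLIC KEY-----" envelope that jwt.io insists on. It assumes openssl is on PATH; the key, the certificate and the token claims are all constructed here and are not Keycloak's.

```shell
#!/bin/sh
# Added example, not code from the thread: mint an RS256 token with a constructed
# stand-in for the Keycloak realm key pair, then check which PEM artefacts
# openssl accepts for signature verification. Assumes openssl is on PATH.
set -eu
WORK=$(mktemp -d)

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '=\n'; }

# Constructed realm key pair: private key, public key in the "BEGIN PUBLIC KEY"
# envelope, and a self-signed certificate (the realm "Certificate" field).
make_realm_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/realm.key" 2>/dev/null
  openssl pkey -in "$WORK/realm.key" -pubout -out "$WORK/realm.pub"
  openssl req -new -x509 -key "$WORK/realm.key" -subj /CN=realm -days 1 -out "$WORK/realm.crt" 2>/dev/null
}

# The admin console shows the realm public key as a bare base64 blob; jwt.io needs
# the envelope, so rebuild the PEM around it (64-char lines) and write it to $2.
wrap_public_key() {
  { printf '%s\n' '-----BEGIN PUBLIC KEY-----'; printf '%s\n' "$1" | fold -w 64; printf '%s\n' '-----END PUBLIC KEY-----'; } > "$2"
}

# Lay out header.payload.signature as an RS256 JWT signed with the realm private key.
mint_jwt() {
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  pl=$(printf '{"iss":"realm","sub":"service-account-client"}' | b64url)
  sig=$(printf '%s.%s' "$hdr" "$pl" | openssl dgst -sha256 -sign "$WORK/realm.key" | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}

# Exit 0 if the token's signature verifies with the PEM file in $2, non-zero otherwise.
verify_jwt() {
  jwt=$1; keyfile=$2; sig=${jwt##*.}
  case $(( ${#sig} % 4 )) in 2) sig="$sig==";; 3) sig="$sig=";; esac   # restore base64 padding
  printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$WORK/sig.bin"
  printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$keyfile" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

make_realm_keys
TOKEN=$(mint_jwt)
wrap_public_key "$(sed '/-----/d' "$WORK/realm.pub" | tr -d '\n')" "$WORK/wrapped.pub"
for pem in realm.pub wrapped.pub realm.crt; do
  if verify_jwt "$TOKEN" "$WORK/$pem"; then echo "$pem: signature valid"; else echo "$pem: not usable as a verification key"; fi
done
```

The loop reports the public key (raw and rewrapped) as valid and the certificate as unusable, which is the same split the thread saw in jwt.io; a token whose payload has been altered fails against the public key as well.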