Need help: Configuring keycloak to work with IBM Websphere Application Server
by T, Suseendhiran (Nokia - IN/Bangalore)
Hello All,
I am trying to configure Keycloak as openID connect provider and IBM Websphere Application Server as Relying Party.
During authentication, keycloak sends the JWT. But IBM Websphere Application Server could not verify the token.
Below Exception is thrown:
com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: The OpenID Connect replying party (RP) encountered a failure during the login. The exception is [Failed to validate id token, exception thrown during verify [key is invalid]]. Check the logs for details that lead to this exception.
at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:428)
...<skipping trace>
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
Caused by: com.ibm.ws.security.oidc.client.RelyingPartyException: Failed to validate id token, exception thrown during verify [key is invalid]
at com.ibm.ws.security.oidc.client.SessionCache.updateEntryUsingStateId(SessionCache.java:352)
at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:411)
... 28 more
Caused by: java.lang.IllegalStateException: key is invalid
at net.oauth.jsontoken.crypto.RsaSHA256Verifier.<init>(RsaSHA256Verifier.java:45)
at com.ibm.ws.security.openidconnect.token.JWT.getJsonTokenParser(JWT.java:1017)
at com.ibm.ws.security.openidconnect.token.JWT.verify(JWT.java:881)
at com.ibm.ws.security.openidconnect.token.IDToken.verify(IDToken.java:578)
at com.ibm.ws.security.oidc.client.SessionData.setIdToken(SessionData.java:294)
at com.ibm.ws.security.oidc.client.SessionData.update(SessionData.java:131)
at com.ibm.ws.security.oidc.client.SessionCache.updateEntryUsingStateId(SessionCache.java:343)
... 29 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: (null)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1139)
at java.security.Signature$Delegate.engineInitVerify(Signature.java:1172)
at java.security.Signature.initVerify(Signature.java:462)
at net.oauth.jsontoken.crypto.RsaSHA256Verifier.<init>(RsaSHA256Verifier.java:41)
... 35 more
. Make sure that the setup is correct and that the user credentials are valid.
[6/7/16 8:58:30:493 IST] 000002bb WebCollaborat A SECJ0056E: Authentication failed for reason CWTAI2007E: The OpenID Connect replying party (RP) encountered a failure during the login. The exception is [Failed to validate id token, exception thrown during verify [key is invalid]]. Check the logs for details that lead to this exception.
-------------------------------------------------------------------------------------------------------------------------------------------
I have attached the Websphere log during authentication, Could someone help me analyse the issue?
Versions used:
Keycloak -1.9.4.Final
IBM WebSphere Application Server Network Deployment - Version 8.5.5.8
Please let me know if any information needed.
Regards,
Suseendhiran T