That clears that up. Thanks!
On 11/11/14, 8:58 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
In the meantime, you could use our impl until I fix it.
On 11/11/2014 8:55 PM, Bill Burke wrote:
> Looking at jjwt, they do this algorithm:
>
> sign(base64encodedheader + "." + base64encodedContent)
>
> We just sign the content. Just verified that our impl is wrong. I'll
> fix this for next release.
>
> On 11/11/2014 7:50 PM, Richard Rattigan wrote:
>> I'm trying to verify keycloak jwt signatures in Java/Groovy, but I'm
>> not succeeding. I'm new to crypto, so maybe I'm doing something stupid.
>>
>> This is Groovy code. realmPublicKey is the publicKey string from the
>> realm REST response. I'm using the jjwt library to parse the tokens, but
>> I get the same result (signature verification failure) with the nimbus
>> library:
>>
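>> import java.security.KeyFactory
>> import java.security.Security
>> import java.security.spec.X509EncodedKeySpec
>> import org.bouncycastle.jce.provider.BouncyCastleProvider
>> import io.jsonwebtoken.Jwts
>>
>> // Register BouncyCastle so the "BC" provider can be requested below
>> Security.addProvider(new BouncyCastleProvider())
>> def publicKey = KeyFactory
>>     .getInstance("RSA", "BC")
>>     .generatePublic(new X509EncodedKeySpec(realmPublicKey.decodeBase64()))
>> // Parse the token and verify its signature against the realm key
>> def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)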
>>
>> I get an exception during the parse:
>>
>> io.jsonwebtoken.SignatureException: JWT signature does not match locally
>> computed signature. JWT validity cannot be asserted and should not be
>> trusted.
>>
>> Is anyone able to see what I'm doing wrong here?
>>
>> *Richard Rattigan*
>>
>> Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
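
The signing-input difference discussed in this thread, as an added example that is not part of the original messages and is not Keycloak or jjwt code. It uses only JDK classes, a throwaway RSA key and constructed claims, and it assumes "just sign the content" means signing the encoded payload segment without the header.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added illustration, not Keycloak or jjwt code: RS256 signing input for a JWT.
public class JwsSigningInputDemo {
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    static String b64(String s) {
        return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    static String sign(PrivateKey key, String data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data.getBytes(StandardCharsets.US_ASCII));
        return B64URL.encodeToString(s.sign());
    }

    // A conforming verifier checks the signature over "<header>.<payload>" as sent.
    static boolean verify(PublicKey key, String token) throws GeneralSecurityException {
        String[] p = token.split("\\.");
        if (p.length != 3) return false;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        try {
            return s.verify(Base64.getUrlDecoder().decode(p[2]));
        } catch (IllegalArgumentException | SignatureException e) {
            return false; // malformed base64url or malformed signature bytes
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway key for the demo

        String header = b64("{\"alg\":\"RS256\"}");
        String payload = b64("{\"sub\":\"demo-user\"}"); // constructed claims

        // Assumption: "just sign the content" modelled as signing the payload segment only.
        String contentOnly = header + "." + payload + "." + sign(kp.getPrivate(), payload);
        String conforming = header + "." + payload + "." + sign(kp.getPrivate(), header + "." + payload);

        System.out.println("content-only:   " + verify(kp.getPublic(), contentOnly));
        System.out.println("header.payload: " + verify(kp.getPublic(), conforming));
    }
}
```

Run it with a plain JDK 11 or later (`java JwsSigningInputDemo.java`). Only the token signed over `header.payload` verifies, which is the mismatch a library such as jjwt reports as a signature failure.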