On 04/05/16 18:00, Aikeaguinea wrote:
I have a client with a service account and credentials using Signed Jwt.
Authentication works fine. The service uses
org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials
to create the JWT token and set the headers, and I get back a JWT
containing an access token from Keycloak.

However, when I use jwt.io to look at the access token, I can't validate
the signature. This is true whether I use the client Certificate (from
the client's Credentials tab), the Realm public key, or the Realm
Certificate. In addition, I have generated the client's public key from
the certificate using 

keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore client-keystore.jks | openssl x509 -inform pem -pubkey

on the jks file supplied when I generated the client credentials, and
that doesn't work either.

We've also been having trouble validating the signature programmatically
using Java.

Signature can be verified in Java if you have the realm public key. You can use "RSATokenVerifier.verifyToken". We have a serviceAccount example, which is part of the demo and where this is also used: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/service-account/src/main/java/org/keycloak/example/ProductServiceAccountServlet.java#L166

Marek

Any idea why I might be seeing this?
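
The check Marek describes, written with only the JDK, as an added example that is not part of the original thread and not Keycloak's code. It assumes an RS256 token and a realm public key given as base64 DER (SubjectPublicKeyInfo, no PEM header lines); the class name, helper names and the key pairs and token built in main are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class RealmKeyJwtCheck {
    static final Base64.Encoder URL_ENC = Base64.getUrlEncoder().withoutPadding();

    // Verifies a compact JWT against the realm public key. The algorithm is pinned
    // to RS256 here and is never taken from the token's own header.
    static boolean verifyRs256(String jwt, String realmKeyB64) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(
                new X509EncodedKeySpec(Base64.getDecoder().decode(realmKeyB64)));
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(key);
        // The signature covers the ASCII bytes of "<header>.<payload>" exactly as transmitted.
        v.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        try {
            return v.verify(Base64.getUrlDecoder().decode(parts[2]));
        } catch (SignatureException | IllegalArgumentException e) {
            return false; // malformed signature or bad base64url
        }
    }

    static String b64(String s) { return URL_ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    // Test helper: builds a signed token the way an issuer would.
    static String sign(String header, String payload, PrivateKey k) throws GeneralSecurityException {
        String input = b64(header) + "." + b64(payload);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(k);
        s.update(input.getBytes(StandardCharsets.US_ASCII));
        return input + "." + URL_ENC.encodeToString(s.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair realm = g.generateKeyPair(), other = g.generateKeyPair(); // constructed keys
        String realmB64 = Base64.getEncoder().encodeToString(realm.getPublic().getEncoded());
        String otherB64 = Base64.getEncoder().encodeToString(other.getPublic().getEncoded());
        String token = sign("{\"alg\":\"RS256\",\"typ\":\"JWT\"}", "{\"sub\":\"service-account-demo\"}", realm.getPrivate());
        String[] p = token.split("\\.");
        String tampered = p[0] + "." + b64("{\"sub\":\"admin\"}") + "." + p[2];
        System.out.println("realm key:        " + verifyRs256(token, realmB64));    // true
        System.out.println("different key:    " + verifyRs256(token, otherB64));    // false
        System.out.println("tampered payload: " + verifyRs256(tampered, realmB64)); // false
    }
}
```

Signature verification alone does not make a token acceptable; expiry, issuer and audience claims still have to be checked after the signature passes.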