Re: [keycloak-user] Validating JWT tokens

I recently put together a quick test for this as well using jjwt: https://github.com/cainj13/jwtExamples/blob/master/src/test/java/jcain/ex... Pretty similar to the gist that Thomas mentioned above. Josh Cain | Software Applications Engineer *Identity and Access Management* *Red Hat* +1 843-737-1735 On Wed, May 11, 2016 at 4:09 AM, Thomas Darimont < thomas.darimont(a)googlemail.com&gt; wrote: > Hello, > > another example for (Parsing) & Validating a Keycloak JWT was posted on > the ML a few months ago: > http://lists.jboss.org/pipermail/keycloak-user/2016-March/005325.html > > In the example the token is only successfully parsed when the token is > valid. > > Cheers, > Thomas > > 2016-05-11 10:45 GMT+02:00 Gerard Laissard <glaissard(a)axway.com&gt;: > >> >> >> My 2 cents: >> >> There is an openSSL example to verify a jwt: >> >> https://gist.github.com/rolandyoung/176dd310a6948e094be6 >> >> >> >> By using jose4j >> >> // be sure you do not have any EOL at the end of the token >> >> String accesToken = …; >> >> accesToken = accesToken.replaceAll("\r\n", ""); >> >> accesToken = accesToken.replaceAll("\n", ""); >> >> >> >> JsonWebSignature jws = *new* JsonWebSignature(); >> >> jws.setCompactSerialization(accesToken); >> >> jws.setKey(publicKey); >> >> boolean signatureVerified = jws.verifySignature(); >> >> To get a PublicKey : if you put the content of the realm public you get >> from keycloak admin >> >> *public* PublicKey getPublicKey(String fileName) { >> >> File f = *new* File(fileName); >> >> *try* (FileInputStream fis = *new* FileInputStream(f); >> >> DataInputStream dis = *new* DataInputStream(fis);) { >> >> *byte*[] keyBytes = *new* *byte*[(*int*) f.length()]; >> >> dis.readFully(keyBytes); >> >> dis.close(); >> >> // convert to der format >> >> String pem = new String(keyBytes); >> >> pem = pem.replaceAll("-----BEGIN (.*)-----", ""); >> >> pem = pem.replaceAll("-----END (.*)----", ""); >> >> pem = pem.replaceAll("\r\n", ""); >> >> pem = pem.replaceAll("\n", ""); >> >> byte[] der = Base64.getDecoder().decode(pem); // java 8 >> >> X509EncodedKeySpec spec = *new* X509EncodedKeySpec(der); >> >> KeyFactory kf = KeyFactory.*getInstance*(*RSA*); >> >> *return* kf.generatePublic(spec); >> >> >> >> } *catch* (IOException | InvalidKeySpecException | >> NoSuchAlgorithmException e) { >> >> *throw* *new* RuntimeException("Failed to load public >> key from file '" + fileName + "'", e); >> >> } >> >> } >> >> >> >> With Java 8, it is quite simple too >> >> String[] tokenParts = accessToken.split("\\."); >> >> // detect algo from tokenParts[0] or put "SHA256withRSA” (for “RS256”) >> >> String jwtSignAlgo = "SHA256withRSA"; >> >> String jwtInputString = tokenParts[0] + “.” + tokenParts[1]; >> >> String jwtDecodedSign = new >> String(Base64.getUrlDecoder().decode(tokenParts[2]); >> >> Signature verifier = Signature.getInstance(jwtSignAlgo); >> >> verifier.initVerify(publicKey); >> >> verifier.update(jwtInputString.getBytes("UTF-8")); >> >> boolean signatureVerified = verifier.verify(jwtDecodedSign); >> >> >> >> >> >> gerard >> >> >> >> >> >> *From:* keycloak-user-bounces(a)lists.jboss.org [mailto: >> keycloak-user-bounces(a)lists.jboss.org] *On Behalf Of *Stian Thorgersen >> *Sent:* vendredi 6 mai 2016 07:33 >> *To:* Aikeaguinea >> *Cc:* keycloak-user >> *Subject:* Re: [keycloak-user] Validating JWT tokens >> >> >> >> >> >> >> >> On 4 May 2016 at 18:37, Aikeaguinea <aikeaguinea(a)xsmail.com&gt; wrote: >> >> Figured it out, kinda. I have to use the Realm public key, and at least >> in jwt.io it has to begin with "-----BEGIN PUBLIC KEY-----" and end with >> "-----END PUBLIC KEY-----" -- these can't be omitted. >> >> If I try using the Realm certificate, it won't work, however, whether or >> not I use "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----". >> >> If I use the validator at http://kjur.github.io/jsjws/tool_jwt.html and >> select "default X509 Certificate (RSA z4) it tells me "Error: malformed >> X.509 certificate PEM (code:003)" >> >> I can use the Realm public key for validating the JWT, but shouldn't the >> certificate work as well? >> >> >> >> The certificate is only used by SAML, so no you can't verify the JWT >> with the certificate only the public key. >> >> >> >> >> On Wed, May 4, 2016, at 12:00 PM, Aikeaguinea wrote: >> > I have a client with a service account and credentials using Signed >> Jwt. >> > Authentication works fine. The service uses >> > >> org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials >> > to create the JWT token and set the headers, and I get back a JWT >> > containing an access token from Keycloak. >> > >> > However, when I use jwt.io to look at the access token, I can't >> validate >> > the signature. This is true whether I use the client Certificate (from >> > the client's Credentials tab), the Realm public key, or the Realm >> > Certificate. In addition, I have generated the client's public key from >> > the certificate using >> > >> > keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore >> > client-keystore.jks | openssl x509 -inform pem -pubkey >> > >> > on the jks file supplied when I generated the client credentials, and >> > that doesn't work either. >> > >> > We've also been having trouble validating the signature >> programmatically >> > using Java. >> > >> > Any idea why I might be seeing this? >> > >> > -- >> > http://www.fastmail.com - Or how I learned to stop worrying and >> > love email again >> > >> >> >> -- >> Aikeaguinea >> aikeaguinea(a)xsmail.com >> >> -- >> http://www.fastmail.com - Send your email first class >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user