Hello,
another example for (Parsing) & Validating a Keycloak JWT was posted on the
ML a few months ago:
In the example the token is only successfully parsed when the token is
valid.
Cheers,
Thomas
2016-05-11 10:45 GMT+02:00 Gerard Laissard <glaissard(a)axway.com>:
My 2 cents:
There is an OpenSSL example to verify a JWT:
https://gist.github.com/rolandyoung/176dd310a6948e094be6
By using jose4j:
// needs: import org.jose4j.jws.JsonWebSignature;
// be sure you do not have any EOL at the end of the token
String accessToken = …;
accessToken = accessToken.replaceAll("\\s", ""); // strip CR/LF and any other whitespace
JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(accessToken);
jws.setKey(publicKey);
boolean signatureVerified = jws.verifySignature(); // signature only: exp, iss and aud are not checked by this call
To get a PublicKey: put the content of the realm public key you get from the
Keycloak admin console into a file, then:
// needs: java.io.*, java.nio.charset.StandardCharsets, java.security.*,
//        java.security.spec.*, java.util.Base64
public PublicKey getPublicKey(String fileName) {
    File f = new File(fileName);
    try (FileInputStream fis = new FileInputStream(f);
         DataInputStream dis = new DataInputStream(fis)) {
        byte[] keyBytes = new byte[(int) f.length()];
        dis.readFully(keyBytes);
        // the realm key is a base64 SubjectPublicKeyInfo (X.509) blob; the admin console
        // shows it without PEM armour, but strip the armour in case it is present
        String pem = new String(keyBytes, StandardCharsets.US_ASCII);
        pem = pem.replaceAll("-----BEGIN (.*)-----", "");
        pem = pem.replaceAll("-----END (.*)-----", "");
        pem = pem.replaceAll("\\s", ""); // drop CR/LF and other whitespace
        byte[] der = Base64.getDecoder().decode(pem); // java 8
        X509EncodedKeySpec spec = new X509EncodedKeySpec(der);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        return kf.generatePublic(spec);
    } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
        throw new RuntimeException("Failed to load public key from file '" + fileName + "'", e);
    }
}
With Java 8, it is quite simple too:
String[] tokenParts = accessToken.split("\\.");
// "SHA256withRSA" is the JCA name for JWS "RS256"; if you read the alg from the
// (unverified) header in tokenParts[0], compare it against an allow-list first
String jwtSignAlgo = "SHA256withRSA";
String jwtInputString = tokenParts[0] + "." + tokenParts[1]; // the JWS signing input
byte[] jwtSignature = Base64.getUrlDecoder().decode(tokenParts[2]); // keep the signature as raw bytes
Signature verifier = Signature.getInstance(jwtSignAlgo);
verifier.initVerify(publicKey);
verifier.update(jwtInputString.getBytes(StandardCharsets.US_ASCII));
boolean signatureVerified = verifier.verify(jwtSignature);
gerard
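The two snippets above answer the question as asked (does the realm key verify the signature?) and nothing more. In a service that accepts these tokens you also want the algorithm pinned rather than read from the token's own header, and iss, aud and exp checked, all before trusting a single claim. The following is an added example, not code from this thread or from Keycloak, that does that in one call with jose4j's JwtConsumer. The issuer URL, the audience (client id) and the key pair generated in-process are assumptions standing in for the realm key and the real client; the tokens it mints and tampers with are constructed so the program runs offline.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.lang.JoseException;

/** Full validation of a Keycloak-style RS256 access token with jose4j (added example). */
public class KeycloakTokenValidation {

    // Hypothetical values: the realm's issuer URL (the "iss" Keycloak puts in its tokens)
    // and the client id this service expects in "aud". Both are assumptions for the demo.
    static final String EXPECTED_ISSUER = "https://sso.example.com/auth/realms/demo";
    static final String EXPECTED_AUDIENCE = "my-service";

    /** One consumer that checks signature, algorithm, issuer, audience, expiry and subject. */
    static JwtConsumer buildConsumer(PublicKey realmPublicKey) {
        return new JwtConsumerBuilder()
                .setVerificationKey(realmPublicKey)
                // Pin the algorithm. The token's own "alg" header is attacker-controlled,
                // so it must never be used to choose the verification algorithm.
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        ConstraintType.WHITELIST, AlgorithmIdentifiers.RSA_USING_SHA256))
                .setExpectedIssuer(EXPECTED_ISSUER)
                .setExpectedAudience(EXPECTED_AUDIENCE)
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(30)
                .setRequireSubject()
                .build();
    }

    /** Mint a token the way an issuer would; constructed here only so the demo runs offline. */
    static String mintToken(KeyPair signingKey, int ttlMinutes) throws JoseException {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(EXPECTED_ISSUER);
        claims.setAudience(EXPECTED_AUDIENCE);
        claims.setSubject("service-account-my-service");
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(ttlMinutes);

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        jws.setKey(signingKey.getPrivate());
        return jws.getCompactSerialization();
    }

    /** Change one character of a base64url segment so the decoded bytes differ. */
    static String flipFirstChar(String segment) {
        char c = segment.charAt(0) == 'A' ? 'B' : 'A';
        return c + segment.substring(1);
    }

    /** Feed the consumer a token that must not pass, and fail loudly if it does. */
    static void expectRejection(JwtConsumer consumer, String token, String why) {
        try {
            consumer.processToClaims(token);
            throw new IllegalStateException("accepted a token that must fail: " + why);
        } catch (InvalidJwtException e) {
            System.out.println("rejected (" + why + "): " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair realmKey = gen.generateKeyPair(); // stands in for the realm key pair
        KeyPair otherKey = gen.generateKeyPair(); // some other realm, or an attacker

        JwtConsumer consumer = buildConsumer(realmKey.getPublic());

        String good = mintToken(realmKey, 5);
        JwtClaims claims = consumer.processToClaims(good);
        System.out.println("accepted, subject = " + claims.getSubject());

        String[] parts = good.split("\\.");
        expectRejection(consumer, parts[0] + "." + flipFirstChar(parts[1]) + "." + parts[2],
                "payload modified after signing");
        expectRejection(consumer, mintToken(realmKey, -5), "expired token");
        expectRejection(consumer, mintToken(otherKey, 5), "signed with a key the realm does not own");
    }
}
```

In production the PublicKey passed to buildConsumer is the realm key loaded as in getPublicKey above, and the issuer is the realm URL the tokens actually carry in iss. If the audience your Keycloak version puts in the token differs from the client id, set the expected audience to whatever it actually contains rather than dropping the check.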
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces(a)lists.jboss.org] On Behalf Of Stian Thorgersen
Sent: Friday 6 May 2016 07:33
To: Aikeaguinea
Cc: keycloak-user
Subject: Re: [keycloak-user] Validating JWT tokens
On 4 May 2016 at 18:37, Aikeaguinea <aikeaguinea(a)xsmail.com> wrote:
Figured it out, kinda. I have to use the Realm public key, and at least
in jwt.io it has to begin with "-----BEGIN PUBLIC KEY-----" and end with
"-----END PUBLIC KEY-----" -- these can't be omitted.
If I try using the Realm certificate, it won't work, however, whether or
not I use "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----".
If I use the validator at
http://kjur.github.io/jsjws/tool_jwt.html and
select "default X509 Certificate (RSA z4)" it tells me "Error: malformed
X.509 certificate PEM (code:003)"
I can use the Realm public key for validating the JWT, but shouldn't the
certificate work as well?
The certificate is only used by SAML, so no, you can't verify the JWT with
the certificate, only with the public key.
On Wed, May 4, 2016, at 12:00 PM, Aikeaguinea wrote:
> I have a client with a service account and credentials using Signed Jwt.
> Authentication works fine. The service uses
> org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials
> to create the JWT token and set the headers, and I get back a JWT
> containing an access token from Keycloak.
>
> However, when I use jwt.io to look at the access token, I can't validate
> the signature. This is true whether I use the client Certificate (from
> the client's Credentials tab), the Realm public key, or the Realm
> Certificate. In addition, I have generated the client's public key from
> the certificate using
>
> keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore
> client-keystore.jks | openssl x509 -inform pem -pubkey
>
> on the jks file supplied when I generated the client credentials, and
> that doesn't work either.
>
> We've also been having trouble validating the signature programmatically
> using Java.
>
> Any idea why I might be seeing this?
>
> --
> http://www.fastmail.com - Or how I learned to stop worrying and
> love email again
--
Aikeaguinea
aikeaguinea(a)xsmail.com
--
http://www.fastmail.com - Send your email first class
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user