Re: [keycloak-user] Validating JWT tokens

+1 for not trusting the algorithm in the JWT header to avoid these attacks: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-to... Should do more than just signature validation though to be secure: · Expiration check · Audience check · Subject check This is a pretty good overview of the mechanics: http://www.cloudidentity.com/blog/2014/03/03/principles-of-token-validation/ -Jason From: <keycloak-user-bounces(a)lists.jboss.org&gt; on behalf of Stian Thorgersen <sthorger(a)redhat.com&gt; Reply-To: &quot;stian(a)redhat.com&quot; <stian(a)redhat.com&gt; Date: Wednesday, May 18, 2016 at 10:01 PM To: Josh Cain <josh.cain(a)redhat.com&gt; Cc: Aikeaguinea <aikeaguinea(a)xsmail.com&gt;, &quot;keycloak-user(a)lists.jboss.org&quot; <keycloak-user(a)lists.jboss.org&gt; Subject: Re: [keycloak-user] Validating JWT tokens You can also use https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k... On 11 May 2016 at 15:50, Josh Cain <josh.cain@redhat.com<mailto:josh.cain@redhat.com>> wrote: I recently put together a quick test for this as well using jjwt: https://github.com/cainj13/jwtExamples/blob/master/src/test/java/jcain/ex... Pretty similar to the gist that Thomas mentioned above. Josh Cain | Software Applications Engineer Identity and Access Management Red Hat +1 843-737-1735<tel:%2B1%20843-737-1735> On Wed, May 11, 2016 at 4:09 AM, Thomas Darimont <thomas.darimont@googlemail.com<mailto:thomas.darimont@googlemail.com>> wrote: Hello, another example for (Parsing) & Validating a Keycloak JWT was posted on the ML a few months ago: http://lists.jboss.org/pipermail/keycloak-user/2016-March/005325.html In the example the token is only successfully parsed when the token is valid. Cheers, Thomas 2016-05-11 10:45 GMT+02:00 Gerard Laissard <glaissard@axway.com<mailto:glaissard@axway.com>>: My 2 cents: There is an openSSL example to verify a jwt: https://gist.github.com/rolandyoung/176dd310a6948e094be6 By using jose4j // be sure you do not have any EOL at the end of the token String accesToken = …; accesToken = accesToken.replaceAll("\r\n", ""); accesToken = accesToken.replaceAll("\n", ""); JsonWebSignature jws = new JsonWebSignature(); jws.setCompactSerialization(accesToken); jws.setKey(publicKey); boolean signatureVerified = jws.verifySignature(); To get a PublicKey : if you put the content of the realm public you get from keycloak admin public PublicKey getPublicKey(String fileName) { File f = new File(fileName); try (FileInputStream fis = new FileInputStream(f); DataInputStream dis = new DataInputStream(fis);) { byte[] keyBytes = new byte[(int) f.length()]; dis.readFully(keyBytes); dis.close(); // convert to der format String pem = new String(keyBytes); pem = pem.replaceAll("-----BEGIN (.*)-----", ""); pem = pem.replaceAll("-----END (.*)----", ""); pem = pem.replaceAll("\r\n", ""); pem = pem.replaceAll("\n", ""); byte[] der = Base64.getDecoder().decode(pem); // java 8 X509EncodedKeySpec spec = new X509EncodedKeySpec(der); KeyFactory kf = KeyFactory.getInstance(RSA); return kf.generatePublic(spec); } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) { throw new RuntimeException("Failed to load public key from file '" + fileName + "'", e); } } With Java 8, it is quite simple too String[] tokenParts = accessToken.split("\\."); // detect algo from tokenParts[0] or put "SHA256withRSA” (for “RS256”) String jwtSignAlgo = "SHA256withRSA"; String jwtInputString = tokenParts[0] + “.” + tokenParts[1]; String jwtDecodedSign = new String(Base64.getUrlDecoder().decode(tokenParts[2]); Signature verifier = Signature.getInstance(jwtSignAlgo); verifier.initVerify(publicKey); verifier.update(jwtInputString.getBytes("UTF-8")); boolean signatureVerified = verifier.verify(jwtDecodedSign); gerard From: keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> [mailto:keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>] On Behalf Of Stian Thorgersen Sent: vendredi 6 mai 2016 07:33 To: Aikeaguinea Cc: keycloak-user Subject: Re: [keycloak-user] Validating JWT tokens On 4 May 2016 at 18:37, Aikeaguinea <aikeaguinea@xsmail.com<mailto:aikeaguinea@xsmail.com>> wrote: Figured it out, kinda. I have to use the Realm public key, and at least in jwt.io<http://jwt.io> it has to begin with "-----BEGIN PUBLIC KEY-----" and end with "-----END PUBLIC KEY-----" -- these can't be omitted. If I try using the Realm certificate, it won't work, however, whether or not I use "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----". If I use the validator at http://kjur.github.io/jsjws/tool_jwt.html and select "default X509 Certificate (RSA z4) it tells me "Error: malformed X.509 certificate PEM (code:003)" I can use the Realm public key for validating the JWT, but shouldn't the certificate work as well? The certificate is only used by SAML, so no you can't verify the JWT with the certificate only the public key. On Wed, May 4, 2016, at 12:00 PM, Aikeaguinea wrote: -- Aikeaguinea aikeaguinea@xsmail.com<mailto:aikeaguinea@xsmail.com> -- http://www.fastmail.com - Send your email first class _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user