I'm trying to verify Keycloak JWT signatures in Java/Groovy, but I'm not
succeeding. I'm new to crypto, so maybe I'm doing something stupid.
This is Groovy code. realmPublicKey is the publicKey string from the realm REST response.
I'm using the jjwt library to parse the tokens, but I get the same result (signature
verification failure) with the nimbus library:
import java.security.KeyFactory
import java.security.Security
import java.security.spec.X509EncodedKeySpec
import org.bouncycastle.jce.provider.BouncyCastleProvider
import io.jsonwebtoken.Jwts
Security.addProvider(new BouncyCastleProvider())
def publicKey = KeyFactory
    .getInstance("RSA", "BC")
    .generatePublic(new X509EncodedKeySpec(realmPublicKey.decodeBase64()))
def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)
I get an exception during the parse:
io.jsonwebtoken.SignatureException: JWT signature does not match locally computed
signature. JWT validity cannot be asserted and should not be trusted.
Is anyone able to see what I'm doing wrong here?
Richard Rattigan
Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
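Added example, not part of the post above and not Keycloak's or jjwt's code: a Go program (standard library only, so it runs without jjwt or Bouncy Castle) that performs the same two steps as the Groovy snippet, decoding the realm's base64 SubjectPublicKeyInfo and checking an RS256 signature by hand, and then shows that verifying a token against a key from a different realm yields exactly the "signature does not match" outcome. The key pairs, the claims and the issuer URL `https://keycloak.example/realms/demo` are constructed for the example; `LoadRealmPublicKey`, `VerifyRS256`, `SignRS256` and `Demo` are this example's own names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// LoadRealmPublicKey parses the "publicKey" field of a Keycloak realm response:
// standard base64 of a DER SubjectPublicKeyInfo (what Java's X509EncodedKeySpec reads).
func LoadRealmPublicKey(realmPublicKey string) (*rsa.PublicKey, error) {
	der, err := base64.StdEncoding.DecodeString(realmPublicKey)
	if err != nil {
		return nil, fmt.Errorf("realm publicKey is not valid base64: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if rsaPub, ok := pub.(*rsa.PublicKey); ok && err == nil {
		return rsaPub, nil
	}
	return nil, fmt.Errorf("realm publicKey is not an RSA SubjectPublicKeyInfo: %v", err)
}

// VerifyRS256 validates a compact JWS (header.payload.signature) with pub and returns the
// claims. The alg is pinned to RS256 so "none" or HMAC tokens are rejected outright.
func VerifyRS256(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part compact JWS")
	}
	var segs [3][]byte // JWS segments are unpadded base64url, not standard base64
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		segs[i] = b
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(segs[0], &header); err != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg %q (want RS256), err %v", header.Alg, err)
	}
	// The signed input is the ASCII string "header.payload", hashed with SHA-256.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], segs[2]); err != nil {
		return nil, fmt.Errorf("JWT signature does not match locally computed signature")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(segs[1], &claims); err != nil {
		return nil, fmt.Errorf("bad payload JSON: %w", err)
	}
	return claims, nil
}

// SignRS256 stands in for the issuing realm so the example runs offline.
func SignRS256(claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(claims) // string-valued map, cannot fail to marshal
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + enc(sig), err
}

// Demo signs a token under a constructed realm key, then verifies it with that key
// (succeeds) and with an unrelated realm's key (fails with the mismatch error).
func Demo() (okRealmKey, okOtherKey bool, err error) {
	var keys [2]*rsa.PrivateKey
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return false, false, err
		}
	}
	token, err := SignRS256(map[string]interface{}{"sub": "alice", "iss": "https://keycloak.example/realms/demo"}, keys[0]) // constructed claims
	if err != nil {
		return false, false, err
	}
	verifiesWith := func(k *rsa.PrivateKey) bool {
		der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey) // the bytes the realm endpoint base64-encodes
		pub, err := LoadRealmPublicKey(base64.StdEncoding.EncodeToString(der))
		if err != nil {
			return false
		}
		_, err = VerifyRS256(token, pub)
		return err == nil
	}
	return verifiesWith(keys[0]), verifiesWith(keys[1]), nil
}

func main() {
	okRealm, okOther, err := Demo()
	fmt.Println("verifies with realm key:", okRealm, "with another realm's key:", okOther, "err:", err)
}
```

Two encodings are in play: the realm `publicKey` is standard base64 (which Groovy's `decodeBase64()` handles), while the three JWT segments are unpadded base64url; mixing them up shows as a decode error, not as a signature mismatch. A mismatch after clean decoding means the token was signed by a key other than the one fetched, so the first thing to confirm is that the realm named in the token's `iss` claim is the realm whose `publicKey` was fetched, and that the `alg` in the header is the RSA algorithm being checked.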