I’m trying to verify Keycloak JWT signatures in Java/Groovy, but I’m not succeeding. I’m new to crypto, so maybe I’m doing something stupid.

This is Groovy code. realmPublicKey is the publicKey string from the realm REST response. I’m using the jjwt library to parse the tokens, but I get the same result (signature verification failure) with the nimbus library:

    import java.security.*
    import java.security.spec.X509EncodedKeySpec
    import org.bouncycastle.jce.provider.BouncyCastleProvider
    import io.jsonwebtoken.Jwts
    Security.addProvider(new BouncyCastleProvider())
    // realmPublicKey: base64 SubjectPublicKeyInfo (DER) from the realm REST response
    def publicKey = KeyFactory
            .getInstance("RSA", "BC")
            .generatePublic(new X509EncodedKeySpec(realmPublicKey.decodeBase64()))
    def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)

I get an exception during the parse:

io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.

Is anyone able to see what I’m doing wrong here?

Richard Rattigan

Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos