Looking at jjwt, they do this algorithm:
    sign(base64EncodedHeader + "." + base64EncodedContent)
We just sign the content. Just verified that our impl is wrong. I'll fix this for next release.
On 11/11/2014 7:50 PM, Richard Rattigan wrote:
I'm trying to verify keycloak jwt signatures in Java/Groovy, but I'm not succeeding. I'm new to crypto, so maybe I'm doing something stupid.
This is Groovy code. realmPublicKey is the publicKey string from the realm REST response. I'm using the jjwt library to parse the tokens, but I get the same result (signature verification failure) with the nimbus library:
    import java.security.KeyFactory
    import java.security.Security
    import java.security.spec.X509EncodedKeySpec
    import org.bouncycastle.jce.provider.BouncyCastleProvider
    import io.jsonwebtoken.Jwts

    Security.addProvider(new BouncyCastleProvider())
    // realmPublicKey is the base64 (X.509 SubjectPublicKeyInfo) string from the realm REST response
    def publicKey = KeyFactory.getInstance("RSA", "BC")
        .generatePublic(new X509EncodedKeySpec(realmPublicKey.decodeBase64()))
    def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)
I get an exception during the parse:
    io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
Is anyone able to see what I'm doing wrong here?
*Richard Rattigan*
Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
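To make the point in the reply concrete, here is an added example (mine, not Keycloak's, jjwt's or the poster's code) using a throwaway RSA key: a verifier that follows RFC 7515 recomputes the signature over base64url(header) + "." + base64url(payload), so a token whose signature covers only the payload fails verification in exactly the way described above. The key, header and claims are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class JwsSigningInput {
    // RFC 7515: signing input is ASCII(BASE64URL(header) || '.' || BASE64URL(payload))
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] rs256(PrivateKey key, String signingInput) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return sig.sign();
    }

    // Verifier side: rebuild the signing input from the first two segments, check the third
    static boolean verifyRs256(PublicKey key, String jwt) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(B64D.decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // constructed key, not a realm key
        String header = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}");
        String payload = b64("{\"sub\":\"example-user\",\"iss\":\"example-realm\"}");

        // Conforming issuer: signature covers header.payload
        String good = header + "." + payload + "."
                + B64.encodeToString(rs256(kp.getPrivate(), header + "." + payload));
        // Issuer that signs only the payload, as described in the reply above
        String bad = header + "." + payload + "."
                + B64.encodeToString(rs256(kp.getPrivate(), payload));

        System.out.println("signed header.payload, verifies: " + verifyRs256(kp.getPublic(), good));
        System.out.println("signed payload only, verifies: " + verifyRs256(kp.getPublic(), bad));
    }
}
```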