Oh, you were faster than me on this one ;) — well, you can change the log
level of your app in standalone.xml.
On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
Hello Sebastien,
I was looking at the logs of my app's WildFly server, as suggested by
another user, Thomas. Here is the relevant exception stack that I see.
13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator]
(default task-12) Error when sending request to retrieve realm keys:
org.keycloak.adapters.HttpClientAdapterException: IO error
at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(
HttpAdapterUtils.java:58)
at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendRequest(
JWKPublicKeyLocator.java:99)
at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublicKey(
JWKPublicKeyLocator.java:63)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(
AdapterRSATokenVerifier.java:44)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
AdapterRSATokenVerifier.java:55)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
AdapterRSATokenVerifier.java:37)
at org.keycloak.adapters.BearerTokenRequestAuthenticato
r.authenticateToken(BearerTokenRequestAuthenticator.java:87)
at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(
BearerTokenRequestAuthenticator.java:82)
at org.keycloak.adapters.RequestAuthenticator.authenticate(
RequestAuthenticator.java:68)
at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMe
ch.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(
ServletKeycloakAuthMech.java:92)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
SecurityContextImpl.java:245)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
SecurityContextImpl.java:263)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(
SecurityContextImpl.java:231)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(
SecurityContextImpl.java:125)
at io.undertow.security.impl.SecurityContextImpl.authTransition(
SecurityContextImpl.java:99)
at io.undertow.security.impl.SecurityContextImpl.authenticate(
SecurityContextImpl.java:92)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
er.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(
DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandle
r.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler
.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandl
er.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AuthenticationMechanismsHandle
r.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.
handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssocia
tionHandler.handleRequest(AbstractSecurityContextAssocia
tionHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
handleRequest(ServletPreAuthActionsHandler.java:69)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(
ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(
ContextClassLoaderSetupAction.java:43)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(
HttpServerExchange.java:805)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.ConnectException: Connection refused (Connection
refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(
AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(
AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:
188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(
PlainSocketFactory.java:117)
at org.apache.http.impl.conn.DefaultClientConnectionOperato
r.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.AbstractPoolEntry.open(
AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(
AbstractPooledConnAdapter.java:131)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(
DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(
DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(
AbstractHttpClient.java:882)
at org.apache.http.impl.client.CloseableHttpClient.execute(
CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(
CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(
CloseableHttpClient.java:55)
at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(
HttpAdapterUtils.java:37)
... 52 more
2017-07-25T13:56:29.452564496Z
13:56:29,454 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier]
(default task-12) Didn't find publicKey for kid: RHESicBPoNCwhBnBLEk_
8X4ufj5WyuTo20zbzOo4HfQ
13:56:29,454 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
(default task-12) Failed to verify token: org.keycloak.common.VerificationException:
Didn't find publicKey for specified kid
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(
AdapterRSATokenVerifier.java:47)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
AdapterRSATokenVerifier.java:55)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
AdapterRSATokenVerifier.java:37)
at org.keycloak.adapters.BearerTokenRequestAuthenticato
r.authenticateToken(BearerTokenRequestAuthenticator.java:87)
at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(
BearerTokenRequestAuthenticator.java:82)
at org.keycloak.adapters.RequestAuthenticator.authenticate(
RequestAuthenticator.java:68)
at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMe
ch.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(
ServletKeycloakAuthMech.java:92)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
SecurityContextImpl.java:245)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
SecurityContextImpl.java:263)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(
SecurityContextImpl.java:231)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(
SecurityContextImpl.java:125)
at io.undertow.security.impl.SecurityContextImpl.authTransition(
SecurityContextImpl.java:99)
at io.undertow.security.impl.SecurityContextImpl.authenticate(
SecurityContextImpl.java:92)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
er.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(
DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandle
r.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler
.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandl
er.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AuthenticationMechanismsHandle
r.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.
handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssocia
tionHandler.handleRequest(AbstractSecurityContextAssocia
tionHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
handleRequest(ServletPreAuthActionsHandler.java:69)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(
ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(
ContextClassLoaderSetupAction.java:43)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(
HttpServerExchange.java:805)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Is there a way to raise the log level at the client (I mean the Keycloak
adapter) to see whether this is an HTTP connection issue or something else? The
`Caused by: java.net.ConnectException: Connection refused` line in the first
trace shows that the adapter could not open a connection to the auth server
when it tried to retrieve the realm keys.
Thanks,
Rajesh
On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Here is the response from curl ---
>
> $ curl -v
http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/
> sec/rest/us
> erservice/users -H "Authorization: Bearer $KEY"
> * Trying 192.168.99.100...
> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
> > GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
> HTTP/1.1
> > Host: 192.168.99.100:8080
> > User-Agent: curl/7.50.1
> > Accept: */*
> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
> AiSldUIiwia2lkIiA6ICJSSEV
> TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJ
> qdGkiOiJkNmY2MmM5YS1
> hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
> sIm5iZiI6MCwiaWF0Ijo
> xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
> vYXV0aC9yZWFsbXMvYmt
> vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
> 2YmMtOWU4MS05MjE1Zjg
> zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
> oX3RpbWUiOjAsInNlc3N
> pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
> lNjciLCJhY3IiOiIxIiw
> iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
> kYTY2NmE4Y2EiLCJhbGx
> vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
> sInJlYWxtX2FjY2VzcyI
> 6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
> 1cmNlX2FjY2VzcyI6eyJ
> yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
> 3LWlkZW50aXR5LXByb3Z
> pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
> 0aW9uIiwicmVhbG0tYWR
> taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
> ob3JpemF0aW9uIiwibWF
> uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
> ldy11c2VycyIsInZpZXc
> tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
> udHMiXX0sImFjY291bnQ
> iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
> saW5rcyIsInZpZXctcHJ
> vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
> lcmFkbWluIiwiZW1haWw
> iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5Hv
> G3x5WBI3ZcC4WEcBA3NU
> L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM
> 6zLk7cy0UKig5ghHX1-g
> Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1
> iUXAaCZ5fIdXs3epdG82
> NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82poh
> W6RQMAZmGyMVofsxH_uR
> rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
> >
> < HTTP/1.1 401 Unauthorized
> < Expires: 0
> < Cache-Control: no-cache, no-store, must-revalidate
> < X-Powered-By: Undertow/1
> < Server: WildFly/10
> < Pragma: no-cache
> < Date: Tue, 25 Jul 2017 14:04:31 GMT
> < Connection: keep-alive
> < WWW-Authenticate: Bearer realm="bkofc",
error="invalid_token",
> error_description="Didn't find publicKey for specified kid"
> < Content-Type: text/html;charset=UTF-8
> < Content-Length: 71
> <
> * Connection #0 to host 192.168.99.100 left intact
>
<html><head><title>Error</title></head><body>Unauthorized</body></html>$
> $
>
> Thanks,
> Rajesh
>
> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
> wrote:
>
>> Sure. I was using Postman to invoke the service. This is the command
>> used by Postman --
>>
>> ------------------------------------------------------------------------
>>
>> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
>> Host: 192.168.99.100:8080
>> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO
>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
>> cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8b
>> qyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg
>> _tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_
>> uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>> Cache-Control: no-cache
>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>
>>
>> ------------------------------------------------------------
>> ---------------
>>
>> The "userservice" is my own service for other attributes of users. I
>> also made sure that the service runs correctly with security disabled.
>>
>> Thanks,
>> Rajesh
>>
>>
>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc(a)redhat.com>
>> wrote:
>>
>>> Okay, to have the complete picture, could you paste the command you issue to
>>> call your REST service?
>>>
>>>
>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>>> wrote:
>>>
>>>> Sebastien,
>>>>
>>>> Here is a token response -
>>>>
>>>> {
>>>> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>> sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>>> "expires_in": 300,
>>>> "refresh_expires_in": 1800,
>>>> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>>> gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>>> "token_type": "bearer",
>>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>> "not-before-policy": 0,
>>>> "session_state":
"3231f46f-229b-42d3-a419-089a21396e67"
>>>> }
>>>>
>>>>
>>>> I checked it on jwt.io. The kid is the same as the "rsa-generated" one
>>>> shown in the screenshot I shared yesterday, although jwt.io complained
>>>> "Invalid Signature".
>>>>
>>>>
>>>> Thomas, connectivity should not be an issue, as I am able to get
>>>> the access token from my app's WildFly server using curl, so Keycloak is
>>>> reachable from my WildFly server. Did you do anything specific to resolve
>>>> your issue?
>>>>
>>>> Regards,
>>>> Rajesh
>>>>
>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>> wrote:
>>>>
>>>>> This all looks correct. Could you paste your access token, or even
>>>>> check it yourself on jwt.io, to see whether the kid is present?
>>>>>
>>>>>
>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com
>>>>> > wrote:
>>>>>
>>>>>> Sebastien,
>>>>>>
>>>>>> I am attaching a PDF containing the screenshots. A few more points I
>>>>>> wanted to mention.
>>>>>>
>>>>>> i) I did not install the public client "bkofc-web" in the
>>>>>> WildFly container that hosts my REST services. I did it for the "bkofc-svc"
>>>>>> client, which is bearer-only. I hope that is the correct approach.
>>>>>> ii) Both keycloak and my application are running on docker
>>>>>> containers locally in my laptop.
>>>>>>
>>>>>> Let me know if you need anything else to analyze.
>>>>>>
>>>>>> Thanks,
>>>>>> Rajesh
>>>>>>
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> yes please
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <
>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>
>>>>>>>> Yes, definitely. I did replace it with the actual war name. Let me
>>>>>>>> know if you would like me to paste screenshots of the realm and
>>>>>>>> client configurations.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Rajesh
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <
>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Ok, and for:
>>>>>>>>> <secure-deployment name="my war file.war">
>>>>>>>>>
>>>>>>>>> Did you replace that with the actual name of your war file?
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <
>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>
>>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Rajesh
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc
<
>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh
<
>>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I am trying to secure my REST services using the method
>>>>>>>>>>>> described in this document --
>>>>>>>>>>>>
>>>>>>>>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
>>>>>>>>>>>>
>>>>>>>>>>>> I am securing my war using the JBoss subsystem instead of the
>>>>>>>>>>>> per-war option. The relevant sections from my standalone.xml
>>>>>>>>>>>> are posted below.
>>>>>>>>>>>>
>>>>>>>>>>>> <extensions>
>>>>>>>>>>>> ......
>>>>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>>>>> adapter-subsystem"/>
>>>>>>>>>>>> </extensions>
>>>>>>>>>>>>
>>>>>>>>>>>> <security-domains>
>>>>>>>>>>>> .....
>>>>>>>>>>>> <security-domain
name="keycloak">
>>>>>>>>>>>>
<authentication>
>>>>>>>>>>>> <login-module
>>>>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>>> flag="required"/>
>>>>>>>>>>>>
</authentication>
>>>>>>>>>>>> </security-domain>
>>>>>>>>>>>> </security-domains>
>>>>>>>>>>>>
>>>>>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>> <secure-deployment
name="my war file.war">
>>>>>>>>>>>>
<realm>bkofc</realm>
>>>>>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>>>>>
>>>>>>>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>>>>>
<auth-server-url>http://192.168.99.100/30001/auth</auth-server-url>
>>>>>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>>>>>> <credential
>>>>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credenti
>>>>>>>>>>>> al>
>>>>>>>>>>>> </secure-deployment>
>>>>>>>>>>>> </subsystem>
>>>>>>>>>>>>
>>>>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>>>>
>>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>>>>> ord=password"
>>>>>>>>>>>>
http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>>>>> d-connect/token
>>>>>>>>>>>>
>>>>>>>>>>>> Note: I have created 2 clients -- i) bkofc-svc, which is
>>>>>>>>>>>> bearer-only, for my REST services, and ii) bkofc-web, a
>>>>>>>>>>>> public client to simulate UI login.
>>>>>>>>>>>>
>>>>>>>>>>>> However, when I try to use the access token to invoke a
>>>>>>>>>>>> service, I get the error -
>>>>>>>>>>>>
>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>
>>>>>>>>>>>> WWW-Authenticate Bearer
realm="bkofc", error="invalid_token",
>>>>>>>>>>>> error_description="Didn't find
publicKey for specified kid"
>>>>>>>>>>>>
>>>>>>>>>>>> Please let me know if I am missing something here. I have been
>>>>>>>>>>>> breaking my head over this for the last few days without any luck! I
>>>>>>>>>>>> have also tried rotating the realm keys.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>