Well, first I allowed all roles in my web.xml as in --
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
Even then I was hitting the issue. Then, while I was going through the client installation for the WildFly subsystem, I read about use-resource-role-mappings --
<secure-deployment name="WAR MODULE NAME.war">
<realm>bkofc</realm>
<auth-server-url>http://192.168.99.100:30001/auth</auth-server-url>
<bearer-only>true</bearer-only>
<ssl-required>NONE</ssl-required>
<resource>bkofc-svc</resource>
<credential name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
<use-resource-role-mappings>true</use-resource-role-mappings>
</secure-deployment>
It was set to true, as provided in the Keycloak console. When I turned it to the default value "false", everything started working. Do we know which client configuration parameter controls this element? By default it should have the default value "false", shouldn't it?
Thanks for all your help with this.
Regards,
Rajesh
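As an added worked example (it is not part of this thread and not Keycloak's own adapter code), the following Python script reproduces offline the two failures discussed above: the 401, where the adapter cannot fetch the realm keys because the auth-server-url typo ("/30001" instead of ":30001") sends the key fetch to port 80, so no key matches the token's kid; and the 403, where use-resource-role-mappings=true makes the adapter take roles from resource_access["bkofc-svc"], which the token does not carry, so the principal ends up with no roles at all. The header kid and claims are a constructed reconstruction of the access token posted in the thread (trimmed to the relevant claims), the JWKS document is a constructed stand-in, the certs endpoint path is Keycloak's standard one, and treating `<role-name>*</role-name>` as "at least one role" is an assumption that matches the behaviour reported above; the script never verifies a signature.

```python
"""Offline reproduction of the two failures in this thread: the 401 (adapter
cannot fetch realm keys, so no key matches the token's kid) and the 403
(use-resource-role-mappings makes the adapter look for roles under a client
the token carries none for). Standard library only; nothing is contacted."""
from __future__ import annotations

import base64
import json
from urllib.parse import urlsplit

# Constructed token material: header kid and claims mirror the access token
# posted in the thread (trimmed to the claims that matter); the signature
# segment is a placeholder because nothing here verifies signatures.
HEADER = {"alg": "RS256", "typ": "JWT",
          "kid": "RHESicBPoNCwhBnBLEk_8X4ufj5WyuTo20zbzOo4HfQ"}
CLAIMS = {
    "iss": "http://192.168.99.100:30001/auth/realms/bkofc",
    "aud": "bkofc-web", "azp": "bkofc-web", "typ": "Bearer",
    "preferred_username": "superadmin",
    "realm_access": {"roles": ["uma_authorization", "user"]},
    "resource_access": {
        "realm-management": {"roles": ["realm-admin", "manage-users"]},
        "account": {"roles": ["manage-account", "view-profile"]},
        # note: no entry for "bkofc-svc", the <resource> of the deployment
    },
}
# Constructed stand-in for the realm's certs response (public key fields omitted).
SAMPLE_JWKS = {"keys": [{"kid": HEADER["kid"], "kty": "RSA", "use": "sig"}]}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_unsigned_token(header: dict, claims: dict) -> str:
    def enc(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims), "signature-placeholder"])


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Split a JWT into header and claims WITHOUT checking the signature
    (fine for inspecting a token, never for a resource server to trust it)."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def certs_url(auth_server_url: str, realm: str) -> str:
    """Where the adapter fetches realm keys:
    <auth-server-url>/realms/<realm>/protocol/openid-connect/certs."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/certs"


def certs_host_port(auth_server_url: str, realm: str) -> tuple[str, int]:
    """Host and TCP port the key fetch will actually hit; exposes the ':' vs '/' typo."""
    u = urlsplit(certs_url(auth_server_url, realm))
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def find_key(jwks: dict, kid: str) -> dict | None:
    """Key lookup by kid; None reproduces "Didn't find publicKey for specified kid"."""
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)


def effective_roles(claims: dict, resource: str, use_resource_role_mappings: bool) -> set[str]:
    """Roles the adapter puts on the principal for this deployment."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def authorized(roles: set[str], required: set[str]) -> bool:
    """web.xml <auth-constraint> check. Assumption: '*' passes any principal
    that holds at least one role, which matches the behaviour seen in the thread."""
    if "*" in required:
        return bool(roles)
    return bool(roles & required)


if __name__ == "__main__":
    tok = make_unsigned_token(HEADER, CLAIMS)
    header, claims = decode_unverified(tok)
    for url in ("http://192.168.99.100/30001/auth", "http://192.168.99.100:30001/auth"):
        host, port = certs_host_port(url, "bkofc")
        jwks = SAMPLE_JWKS if port == 30001 else {"keys": []}  # port 80: connection refused
        print(f"{url} -> {host}:{port}, key for kid found: {find_key(jwks, header['kid']) is not None}")
    for flag in (True, False):
        roles = effective_roles(claims, "bkofc-svc", flag)
        status = 200 if authorized(roles, {"*"}) else 403
        print(f"use-resource-role-mappings={flag}: roles={sorted(roles)} -> {status}")
```

Run it as-is to see the typo URL resolve to port 80 (no key for the kid, hence the 401) and the correct URL resolve to 30001, followed by the role sets under both settings of use-resource-role-mappings: with true the set is empty for bkofc-svc and the constraint fails (403), with false the realm roles apply. The practical fix is not to flip the flag but to assign the user a client role on bkofc-svc (or leave the flag false and rely on realm roles deliberately).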
On Tue, Jul 25, 2017 at 8:45 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
403: you probably have something not set up correctly with your user's role.
On Tue, Jul 25, 2017 at 5:09 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
> Sebastien,
>
> I could get past the 401 error after rectifying the URL issue. However, I
> am now hitting a 403 - Unauthorized exception and there is no exception in
> the log. Still investigating. But thanks for your support on the original
> issue.
>
> @Thomas Recloux, thank you for the tips as well.
>
> Regards,
> Rajesh
>
> On Tue, Jul 25, 2017 at 7:48 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>
>> OMG ! That was stupid ! Let me rectify that and try again.
>>
>> Thanks so much for pointing out.
>>
>> Regards,
>> Rajesh
>>
>> On Tue, Jul 25, 2017 at 7:47 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>
>>> Oh I think I found it: <auth-server-url>http://192.168.99.100/30001/auth</auth-server-url>
>>> You have a typo there, shouldn't it be http://192.168.99.100:30001/auth
>>> <http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/tok...>
>>> , notice the ":" instead of "/"
>>>
>>> On Tue, Jul 25, 2017 at 4:14 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>>
>>>> Oh you were faster than me on this one ;) , well you can change the
>>>> log level of your app in the standalone.xml
>>>>
>>>> On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>
>>>>> Hello Sebastien,
>>>>>
>>>>> I was looking at the logs of my app WildFly server, as suggested by
>>>>> another user, Thomas. Here is a relevant exception stack which I see.
>>>>>
>>>>> 13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator] (default task-12) Error when sending request to retrieve realm keys: org.keycloak.adapters.HttpClientAdapterException: IO error
>>>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(HttpAdapterUtils.java:58)
>>>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendRequest(JWKPublicKeyLocator.java:99)
>>>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublicKey(JWKPublicKeyLocator.java:63)
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
>>>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
>>>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
>>>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
>>>>> at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
>>>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>>>> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>> Caused by: java.net.ConnectException: Connection refused (Connection refused)
>>>>> at java.net.PlainSocketImpl.socketConnect(Native Method)
>>>>> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>>>>> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>>>>> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>>>>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>>>>> at java.net.Socket.connect(Socket.java:589)
>>>>> at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:117)
>>>>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>>>>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>>>>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>>>>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>>>>> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>>>>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>>>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(HttpAdapterUtils.java:37)
>>>>> ... 52 more
>>>>> 2017-07-25T13:56:29.452564496Z
>>>>> 13:56:29,454 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier] (default task-12) Didn't find publicKey for kid: RHESicBPoNCwhBnBLEk_8X4ufj5WyuTo20zbzOo4HfQ
>>>>> 13:56:29,454 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-12) Failed to verify token: org.keycloak.common.VerificationException: Didn't find publicKey for specified kid
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:47)
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
>>>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
>>>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
>>>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
>>>>> at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
>>>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>>>> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>
>>>>> Is there a way to enhance the log level at the client (I mean the
>>>>> Keycloak adapter), to see if it is an HTTP connection issue or something
>>>>> else?
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>> On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>>
>>>>>> Here is the response from curl ---
>>>>>>
>>>>>> $ curl -v http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users -H "Authorization: Bearer $KEY"
>>>>>> * Trying 192.168.99.100...
>>>>>> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
>>>>>> > GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
>>>>>> > Host: 192.168.99.100:8080
>>>>>> > User-Agent: curl/7.50.1
>>>>>> > Accept: */*
>>>>>> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>>>> >
>>>>>> < HTTP/1.1 401 Unauthorized
>>>>>> < Expires: 0
>>>>>> < Cache-Control: no-cache, no-store, must-revalidate
>>>>>> < X-Powered-By: Undertow/1
>>>>>> < Server: WildFly/10
>>>>>> < Pragma: no-cache
>>>>>> < Date: Tue, 25 Jul 2017 14:04:31 GMT
>>>>>> < Connection: keep-alive
>>>>>> < WWW-Authenticate: Bearer realm="bkofc", error="invalid_token", error_description="Didn't find publicKey for specified kid"
>>>>>> < Content-Type: text/html;charset=UTF-8
>>>>>> < Content-Length: 71
>>>>>> <
>>>>>> * Connection #0 to host 192.168.99.100 left intact
>>>>>> <html><head><title>Error</title></head><body>Unauthorized</body></html>$
>>>>>> $
>>>>>>
>>>>>> Thanks,
>>>>>> Rajesh
>>>>>>
>>>>>> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>>>
>>>>>>> Sure. I was using postman to invoke the service. This is the
>>>>>>> command used by postman --
>>>>>>>
>>>>>>> ------------------------------------------------------------
>>>>>>> ------------
>>>>>>>
>>>>>>> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
>>>>>>> Host: 192.168.99.100:8080
>>>>>>> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>>>>> Cache-Control: no-cache
>>>>>>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------
>>>>>>> ---------------
>>>>>>>
>>>>>>> The "userservice" is my own service for other attributes of users.
>>>>>>> I also made sure that the service executes without the security.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> Okay, to have the complete picture, could you paste the command you
>>>>>>>> issue to call your REST service?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Sebastien,
>>>>>>>>>
>>>>>>>>> Here is a token response -
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>>>>>>>> "expires_in": 300,
>>>>>>>>> "refresh_expires_in": 1800,
>>>>>>>>> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItYTE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5YTIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKIhIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvaiucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv_rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdGgDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>>>>>>>> "token_type": "bearer",
>>>>>>>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtOTJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0eXAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5NmU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tIn0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuihxXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVBn_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYOp4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>>>>>>> "not-before-policy": 0,
>>>>>>>>> "session_state": "3231f46f-229b-42d3-a419-089a21396e67"
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I checked it in jwt.io. The kid is the same as the "rsa-generated"
>>>>>>>>> one shown in the screenshot I shared yesterday, although jwt.io
>>>>>>>>> complained "Invalid Signature".
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thomas, the connectivity should not be an issue as I am able to
>>>>>>>>> get the access token from my app WildFly server using curl. So
>>>>>>>>> Keycloak is reachable from my WildFly server. Anything specific
>>>>>>>>> you did to resolve your issue?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Rajesh
>>>>>>>>>
>>>>>>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> This looks all correct. Could you try pasting your access token,
>>>>>>>>>> or even check it yourself on jwt.io, to see if the kid is present?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Sebastien,
>>>>>>>>>>>
>>>>>>>>>>> I am attaching a pdf containing the screenshots. A few more
>>>>>>>>>>> points I wanted to mention.
>>>>>>>>>>>
>>>>>>>>>>> i) I didn't install the public client -- "bkofc-web" -- in the
>>>>>>>>>>> WildFly container which hosts my REST services. I did it for the
>>>>>>>>>>> "bkofc-svc" client, which is bearer only. I hope that is the
>>>>>>>>>>> correct approach.
>>>>>>>>>>> ii) Both Keycloak and my application are running in docker
>>>>>>>>>>> containers locally on my laptop.
>>>>>>>>>>>
>>>>>>>>>>> Let me know if you need anything else to analyze.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Rajesh
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> yes please
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Yes definitely. I did replace it with the actual war name.
>>>>>>>>>>>>> Let me know if you would like me to paste screenshots of realm
>>>>>>>>>>>>> configurations and client configurations.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ok, and for:
>>>>>>>>>>>>>> <secure-deployment name="my war file.war">
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Did you replace that with the actual name of your war file?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am using the 3.1.0.Final build.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I am trying to secure my REST services using the method
>>>>>>>>>>>>>>>>> described in the document --
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I am securing my war using the JBoss subsystem, instead of the
>>>>>>>>>>>>>>>>> per-war option. The relevant sections from my standalone.xml are posted
>>>>>>>>>>>>>>>>> below.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <extensions>
>>>>>>>>>>>>>>>>>     ......
>>>>>>>>>>>>>>>>>     <extension module="org.keycloak.keycloak-adapter-subsystem"/>
>>>>>>>>>>>>>>>>> </extensions>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <security-domains>
>>>>>>>>>>>>>>>>>     .....
>>>>>>>>>>>>>>>>>     <security-domain name="keycloak">
>>>>>>>>>>>>>>>>>         <authentication>
>>>>>>>>>>>>>>>>>             <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>>>>>>>>>>>>>>>>>         </authentication>
>>>>>>>>>>>>>>>>>     </security-domain>
>>>>>>>>>>>>>>>>> </security-domains>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>>>>>>>     <secure-deployment name="my war file.war">
>>>>>>>>>>>>>>>>>         <realm>bkofc</realm>
>>>>>>>>>>>>>>>>>         <resource>bkofc-svc</resource>
>>>>>>>>>>>>>>>>>         <use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>>>>>>>>>         <bearer-only>true</bearer-only>
>>>>>>>>>>>>>>>>>         <auth-server-url>http://192.168.99.100/30001/auth</auth-server-url>
>>>>>>>>>>>>>>>>>         <ssl-required>none</ssl-required>
>>>>>>>>>>>>>>>>>         <credential name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>>>>>>>>>>>>     </secure-deployment>
>>>>>>>>>>>>>>>>> </subsystem>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> curl -i --data "grant_type=password&client_id=bkofc-web&username=user&password=password" http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/token
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Note:- I have created 2 clients -- i) bkofc-svc, which is
>>>>>>>>>>>>>>>>> bearer only, for my REST services; ii) bkofc-web, a public client to
>>>>>>>>>>>>>>>>> simulate UI login.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> However, when I try to use the access token to invoke a
>>>>>>>>>>>>>>>>> service, I am getting the error -
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> WWW-Authenticate Bearer realm="bkofc", error="invalid_token",
>>>>>>>>>>>>>>>>> error_description="Didn't find publicKey for specified kid"
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Please let me know if I am missing something here. I have
>>>>>>>>>>>>>>>>> been breaking my head for the last few days without any luck ! I have also tried
>>>>>>>>>>>>>>>>> rotating the realm keys.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
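The two adapter decisions the thread turns on, as an added model that is not part of the original thread and not Keycloak's own adapter code: first, the bearer token's header `kid` must match a key the adapter has for the realm (otherwise the adapter answers 401 with "Didn't find publicKey for specified kid", which is what happens when the adapter cannot reach the realm's key endpoint at the configured auth-server-url); second, with `use-resource-role-mappings` set to true the adapter reads roles from the token's `resource_access.<resource>.roles` claim rather than `realm_access.roles`, so a user who only holds realm roles is authenticated but gets 403. The key set, the `make_token` helper and the claim layouts are constructed for the example; signature verification, which the real adapter performs with the matched realm key, is deliberately left out so the block runs offline with the standard library only.

```python
import base64
import json

# Constructed stand-in for the realm's published key set. The real adapter
# fetches it from <auth-server-url>/realms/<realm>/protocol/openid-connect/certs;
# only the key ids matter for this model, the values are placeholders.
REALM_KEYS = {"kid-realm-current": "<placeholder RSA public key>"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(kid: str, claims: dict) -> str:
    """Build a constructed JWT whose header carries the given kid.
    The third segment is a placeholder: this model does not sign tokens."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


def check_bearer(token: str, realm_keys: dict, resource: str,
                 use_resource_role_mappings: bool, required_role: str) -> tuple:
    """Model of the adapter's kid lookup and role-source selection.
    Returns (http_status, reason)."""
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad segment count, bad base64 or bad JSON
        return 400, "malformed bearer token"

    # Decision 1: the header kid must name a key the adapter holds for the realm.
    kid = header.get("kid")
    if kid not in realm_keys:
        return 401, "Didn't find publicKey for specified kid"
    # The real adapter verifies the RS256 signature with realm_keys[kid] here;
    # omitted in this offline model.

    # Decision 2: which claim the roles are read from depends on
    # use-resource-role-mappings in the secure-deployment configuration.
    if use_resource_role_mappings:
        source = "resource_access"
        roles = claims.get("resource_access", {}).get(resource, {}).get("roles", [])
    else:
        source = "realm_access"
        roles = claims.get("realm_access", {}).get("roles", [])

    if required_role not in roles:
        return 403, f"role {required_role!r} not present in {source}"
    return 200, "authorized"


if __name__ == "__main__":
    realm_only = make_token("kid-realm-current", {"realm_access": {"roles": ["user"]}})
    for mapping in (True, False):
        print(mapping, check_bearer(realm_only, REALM_KEYS, "bkofc-svc", mapping, "user"))
```

Run stand-alone, the block shows the same token being refused with 403 when `use_resource_role_mappings` is true and accepted when it is false, which is the behaviour to look for when a 401 turns into a 403 after the auth-server-url is corrected: check whether the role is assigned on the realm or on the client named in `<resource>`, and align the flag with where the role actually lives.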