Sure. I was using Postman to invoke the service. This is the command used by Postman --
------------------------------------------------------------------------
GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
Host: 192.168.99.100:8080
Authorization: Bearer
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
Cache-Control: no-cache
Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
---------------------------------------------------------------------------
The "userservice" is my own service for other attributes of users. I also
made sure that the service executes without the security.
Thanks,
Rajesh
On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
Okay, to have the complete picture, could you paste the command you issue to call your REST service?
On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
> Sebastien,
>
> Here is a token response -
>
>
>
> I checked it on jwt.io. The kid is the same as the "rsa-generated" one
> shown in the screenshot I shared yesterday, although jwt.io complained
> "Invalid Signature".
>
>
> Thomas, the connectivity should not be an issue, as I am able to get the
> access token from my app's WildFly server using curl. So Keycloak is
> reachable from my WildFly server. Anything specific you did to resolve your
> issue?
>
> Regards,
> Rajesh
>
> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>
>> This all looks correct. Could you try pasting your access token, or even
>> check it yourself on jwt.io, to see if the kid is present?
>>
>>
>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>
>>> Sebastien,
>>>
>>> I am attaching a pdf containing the screenshots. A few more points I
>>> wanted to mention.
>>>
>>> i) I didn't install the public client -- "bkofc-web" -- in the WildFly
>>> container which hosts my REST services. I did it for the "bkofc-svc"
>>> client, which is bearer only. I hope that is the correct approach.
>>> ii) Both Keycloak and my application are running in Docker containers
>>> locally on my laptop.
>>>
>>> Let me know if you need anything else to analyze.
>>>
>>> Thanks,
>>> Rajesh
>>>
>>>
>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>>
>>>> yes please
>>>>
>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>
>>>>> Yes, definitely. I did replace it with the actual war name. Let me
>>>>> know if you would like me to paste screenshots of the realm
>>>>> configuration and client configurations.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>>>>
>>>>>> Ok and for :
>>>>>> <secure-deployment name="my war file.war">
>>>>>>
>>>>>> Did you replace that with the actual name of your war file ?
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>>>
>>>>>>> Hello Sebastien,
>>>>>>>
>>>>>>> I am using 3.1.0.Final build.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am trying to secure my REST services using the method described
>>>>>>>>> in the document --
>>>>>>>>>
>>>>>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
>>>>>>>>>
>>>>>>>>> I am securing my war using the JBoss subsystem, instead of the
>>>>>>>>> per-war option. The relevant sections from my standalone.xml are
>>>>>>>>> posted below.
>>>>>>>>>
>>>>>>>>> <extensions>
>>>>>>>>>     ......
>>>>>>>>>     <extension module="org.keycloak.keycloak-adapter-subsystem"/>
>>>>>>>>> </extensions>
>>>>>>>>>
>>>>>>>>> <security-domains>
>>>>>>>>>     .....
>>>>>>>>>     <security-domain name="keycloak">
>>>>>>>>>         <authentication>
>>>>>>>>>             <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>>>>>>>>>         </authentication>
>>>>>>>>>     </security-domain>
>>>>>>>>> </security-domains>
>>>>>>>>>
>>>>>>>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>     <secure-deployment name="my war file.war">
>>>>>>>>>         <realm>bkofc</realm>
>>>>>>>>>         <resource>bkofc-svc</resource>
>>>>>>>>>         <use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>         <bearer-only>true</bearer-only>
>>>>>>>>>         <auth-server-url>http://192.168.99.100/30001/auth</auth-server-url>
>>>>>>>>>         <ssl-required>none</ssl-required>
>>>>>>>>>         <credential name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>>>>     </secure-deployment>
>>>>>>>>> </subsystem>
>>>>>>>>>
>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>
>>>>>>>>> curl -i --data "grant_type=password&client_id=bkofc-web&username=user&password=password" http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/token
>>>>>>>>>
>>>>>>>>> Note: I have created 2 clients -- i) bkofc-svc, which is bearer
>>>>>>>>> only, for my REST services; ii) bkofc-web, a public client to
>>>>>>>>> simulate UI login.
>>>>>>>>>
>>>>>>>>> However, when I try to use the access token to invoke a service,
>>>>>>>>> I am getting the error -
>>>>>>>>>
>>>>>>>>> Status: 401
>>>>>>>>>
>>>>>>>>> WWW-Authenticate: Bearer realm="bkofc", error="invalid_token",
>>>>>>>>> error_description="Didn't find publicKey for specified kid"
>>>>>>>>>
>>>>>>>>> Please let me know if I am missing something here. I have been
>>>>>>>>> breaking my head for the last few days without any luck! I have
>>>>>>>>> also tried rotating the realm keys.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rajesh
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
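A check a practitioner would run against the configuration quoted in this thread (added here; not code from the thread or from Keycloak): the posted `<auth-server-url>` reads `http://192.168.99.100/30001/auth`, while the curl command that obtains the token calls `http://192.168.99.100:30001/...`, so the adapter would fetch realm keys from, and compare the issuer against, a different base URL than the one that issued the token. The script decodes the bearer token's header from the Postman request to get its kid and derives the certs endpoint and expected issuer from a given auth-server-url; the payload and certs document are constructed (the real token carries more claims), and no network call is made.

```python
import base64
import json

# Header segment copied from the bearer token in the Postman request above.
HEADER_SEGMENT = ("eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNC"
                  "UG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0")
# Constructed minimal payload; iss is the realm URL of the token endpoint that
# the curl command in the thread calls (the real token carries more claims).
PAYLOAD = {"iss": "http://192.168.99.100:30001/auth/realms/bkofc",
           "aud": "bkofc-web", "typ": "Bearer"}
AS_POSTED = "http://192.168.99.100/30001/auth"  # auth-server-url as posted
CORRECTED = "http://192.168.99.100:30001/auth"  # host:port as in the curl call


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sample_token():
    """Page header + constructed payload + dummy signature (not verifiable)."""
    payload_seg = base64.urlsafe_b64encode(
        json.dumps(PAYLOAD).encode()).rstrip(b"=").decode()
    return f"{HEADER_SEGMENT}.{payload_seg}.c2ln"


def diagnose(token, auth_server_url, realm, jwks):
    """Recreate the inputs of the adapter's kid lookup without contacting
    Keycloak: keys come from <auth-server-url>/realms/<realm>/protocol/
    openid-connect/certs, and iss must equal <auth-server-url>/realms/<realm>.
    """
    header_seg, payload_seg, _sig = token.split(".")
    header = json.loads(b64url_decode(header_seg))
    payload = json.loads(b64url_decode(payload_seg))
    realm_url = f"{auth_server_url.rstrip('/')}/realms/{realm}"
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    return {
        "kid": header.get("kid"),
        "certs_url": f"{realm_url}/protocol/openid-connect/certs",
        "issuer_matches_adapter": payload.get("iss") == realm_url,
        "kid_in_jwks": header.get("kid") in known_kids,
    }


def check_thread_config():
    """Run the check with the URL as posted and with ':' before the port,
    against a constructed certs document holding the token's kid."""
    kid = json.loads(b64url_decode(HEADER_SEGMENT))["kid"]
    jwks = {"keys": [{"kid": kid, "kty": "RSA", "use": "sig"}]}
    token = sample_token()
    return {"as_posted": diagnose(token, AS_POSTED, "bkofc", jwks),
            "corrected": diagnose(token, CORRECTED, "bkofc", jwks)}
```

In a live check, replace the constructed `jwks` with the JSON returned by the `certs_url` the script prints; a kid missing from that document is exactly the condition behind "Didn't find publicKey for specified kid".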