Pretty similar to the gist that Thomas mentioned above.
Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735
On Wed, May 11, 2016 at 4:09 AM, Thomas Darimont <thomas.darimont(a)googlemail.com> wrote:
Hello,
Another example of (parsing and) validating a Keycloak JWT was posted on
the ML a few months ago:
http://lists.jboss.org/pipermail/keycloak-user/2016-March/005325.html
In the example the token is only successfully parsed when the token is
valid.
Cheers,
Thomas
2016-05-11 10:45 GMT+02:00 Gerard Laissard <glaissard(a)axway.com>:
>
> My 2 cents:
>
> There is an OpenSSL example to verify a JWT:
> https://gist.github.com/rolandyoung/176dd310a6948e094be6
>
> By using jose4j:
>
> import org.jose4j.jws.JsonWebSignature;
>
> // be sure you do not have any EOL at the end of the token
> String accessToken = …;
> accessToken = accessToken.replaceAll("\r\n", "");
> accessToken = accessToken.replaceAll("\n", "");
>
> JsonWebSignature jws = new JsonWebSignature();
> jws.setCompactSerialization(accessToken);
> jws.setKey(publicKey); // the realm public key, see getPublicKey() below
> boolean signatureVerified = jws.verifySignature(); // throws JoseException
>
> To get a PublicKey: if you put the content of the realm public key you get
> from the Keycloak admin console into a file:
>
> import java.io.DataInputStream;
> import java.io.File;
> import java.io.FileInputStream;
> import java.io.IOException;
> import java.security.KeyFactory;
> import java.security.NoSuchAlgorithmException;
> import java.security.PublicKey;
> import java.security.spec.InvalidKeySpecException;
> import java.security.spec.X509EncodedKeySpec;
> import java.util.Base64;
>
> public PublicKey getPublicKey(String fileName) {
>     File f = new File(fileName);
>     try (FileInputStream fis = new FileInputStream(f);
>          DataInputStream dis = new DataInputStream(fis)) {
>         byte[] keyBytes = new byte[(int) f.length()];
>         dis.readFully(keyBytes);
>         // convert PEM to DER: strip the armor lines and line breaks, then base64-decode
>         String pem = new String(keyBytes);
>         pem = pem.replaceAll("-----BEGIN (.*)-----", "");
>         pem = pem.replaceAll("-----END (.*)-----", "");
>         pem = pem.replaceAll("\r\n", "");
>         pem = pem.replaceAll("\n", "");
>         byte[] der = Base64.getDecoder().decode(pem); // java 8
>         X509EncodedKeySpec spec = new X509EncodedKeySpec(der);
>         KeyFactory kf = KeyFactory.getInstance("RSA");
>         return kf.generatePublic(spec);
>     } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
>         throw new RuntimeException("Failed to load public key from file '" + fileName + "'", e);
>     }
> }
>
> With Java 8, it is quite simple too:
>
> import java.security.Signature;
> import java.util.Base64;
>
> String[] tokenParts = accessToken.split("\\.");
> // detect algo from tokenParts[0] or put "SHA256withRSA" (for "RS256")
> String jwtSignAlgo = "SHA256withRSA";
> String jwtInputString = tokenParts[0] + "." + tokenParts[1];
> // the signature is raw bytes: base64url-decode it, do not convert it to a String
> byte[] jwtDecodedSign = Base64.getUrlDecoder().decode(tokenParts[2]);
> Signature verifier = Signature.getInstance(jwtSignAlgo);
> verifier.initVerify(publicKey);
> verifier.update(jwtInputString.getBytes("UTF-8"));
> boolean signatureVerified = verifier.verify(jwtDecodedSign);
>
> gerard
>
> From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces(a)lists.jboss.org] On Behalf Of Stian Thorgersen
> Sent: Friday, 6 May 2016 07:33
> To: Aikeaguinea
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Validating JWT tokens
>
> On 4 May 2016 at 18:37, Aikeaguinea <aikeaguinea(a)xsmail.com> wrote:
>
> Figured it out, kinda. I have to use the Realm public key, and at least
> in jwt.io it has to begin with "-----BEGIN PUBLIC KEY-----" and end with
> "-----END PUBLIC KEY-----" -- these can't be omitted.
>
> If I try using the Realm certificate, it won't work, however, whether or
> not I use "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----".
>
> If I use the validator at http://kjur.github.io/jsjws/tool_jwt.html and
> select "default X509 Certificate (RSA z4)" it tells me "Error: malformed
> X.509 certificate PEM (code:003)"
>
> I can use the Realm public key for validating the JWT, but shouldn't the
> certificate work as well?
>
> The certificate is only used by SAML, so no, you can't verify the JWT with
> the certificate, only the public key.
>
> On Wed, May 4, 2016, at 12:00 PM, Aikeaguinea wrote:
> > I have a client with a service account and credentials using Signed Jwt.
> > Authentication works fine. The service uses
> > org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials
> > to create the JWT token and set the headers, and I get back a JWT
> > containing an access token from Keycloak.
> >
> > However, when I use jwt.io to look at the access token, I can't validate
> > the signature. This is true whether I use the client Certificate (from
> > the client's Credentials tab), the Realm public key, or the Realm
> > Certificate. In addition, I have generated the client's public key from
> > the certificate using
> >
> > keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore
> > client-keystore.jks | openssl x509 -inform pem -pubkey
> >
> > on the jks file supplied when I generated the client credentials, and
> > that doesn't work either.
> >
> > We've also been having trouble validating the signature programmatically
> > using Java.
> >
> > Any idea why I might be seeing this?
> >
>
>
> --
> Aikeaguinea
> aikeaguinea(a)xsmail.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
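A self-contained Java program for the plain java.security verification path Gerard describes, added here as an example and not code from the thread or from Keycloak. It generates a throwaway RSA key pair and signs a constructed token so it runs offline; in practice the realm public key (loaded with getPublicKey above) takes the place of the generated key. Unlike the snippet in the thread, the verifier pins RS256 rather than deriving the algorithm from the token header, keeps the signature as bytes, and tolerates a trailing EOL.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class JwtVerifyExample {

    // Verify a compact JWS (header.payload.signature) as RS256 under publicKey.
    // The algorithm is pinned: a header declaring anything other than RS256 is
    // rejected before any cryptographic check, so the token cannot pick the verifier.
    static boolean verifyRs256(String token, PublicKey publicKey) throws GeneralSecurityException {
        String[] parts = token.trim().split("\\.");   // trim() drops a trailing EOL
        if (parts.length != 3) return false;
        Base64.Decoder b64 = Base64.getUrlDecoder();    // base64url, padding optional
        String header = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.replaceAll("\\s", "").contains("\"alg\":\"RS256\"")) return false;
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] signature = b64.decode(parts[2]);        // raw bytes, never via new String(...)
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(publicKey);
        verifier.update(signingInput);
        return verifier.verify(signature);
    }

    // Demo-only signer so the program has a token to check (constructed, not Keycloak output).
    static String signRs256(String payloadJson, PrivateKey privateKey) throws GeneralSecurityException {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = b64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = b64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(privateKey);
        signer.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        return header + "." + payload + "." + b64.encodeToString(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");  // stands in for the realm key pair
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String token = signRs256("{\"sub\":\"service-account-demo\"}", kp.getPrivate());
        System.out.println("intact token verifies:     " + verifyRs256(token, kp.getPublic()));
        System.out.println("token with EOL verifies:   " + verifyRs256(token + "\n", kp.getPublic()));
        // Replace the payload but keep the old signature: verification must now fail.
        String[] p = token.split("\\.");
        String other = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"sub\":\"someone-else\"}".getBytes(StandardCharsets.UTF_8));
        System.out.println("modified payload verifies: " + verifyRs256(p[0] + "." + other + "." + p[2], kp.getPublic()));
    }
}
```

The first two lines print true and the last prints false; signature validity alone is not the whole check, since a real verifier also has to examine the expiry and issuer claims in the payload.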