jwt.io is a bit odd, but it does work. To get it to work do the following:
* Select RS256 for the algorithm - they could detect this from the token, but they don't
* In the "verify signature" box paste the realm public key PEM in-between the lines "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" (you need to keep the header/footer, otherwise jwt.io doesn't decrypt the key correctly)
* Paste the token
Now it should work.
On 1 February 2017 at 22:15, Scott Stark <sstark(a)redhat.com> wrote:
I was able to verify the token using the com.auth0 JWT library, so there must be something amiss with the web interface to the debugger. FYI, this is the little program I put together to do the verification:
import java.security.KeyFactory;
import java.security.interfaces.RSAKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;

public class VerifyJWT {
    public static void main(String[] args) throws Exception {
        // The access token as pasted in the message. The mail client wrapped
        // the literal, so it is re-joined here; part of the payload segment
        // did not survive in the archived copy.
        String token = "eyJhbGciOiJSUzI1NiIsInR5cCIgOi"
                + "AiSldUIiwia2lkIiA6ICJGeFZlX1pUTHBoU0JrMGZMSDBmaDltUWY1OWkzNn"
                + "VXOFBDeFFvWkE4eHdvIn0.eyJqdGkiOiJlYzI2NDhhYS1jNTdmLT"
                // [middle of the payload segment elided in the archive]
                + "joiRGVtbyIsImVtYWlsIjoibXBkZW1vQHN0YXJraW50ZXJuYXRpb25hbC5jb20ifQ."
                + "YsoInnbkrPRyvauYsf5P5BePuPFFCyWBKz3TfP9FyeArp2bYyOzDusTEPCqh"
                + "Sx3-yYGsPxlVmsdu7LNonLs-rCXPki3uP3WAiSiyla4NXcBwly2kzM4EyO_"
                + "J8CO9d4SqGEY8HDwTIga5E55KEOoYqOkGtj2pirIo8tlPa4SW2vwttvxix2z"
                + "MOeyD50vZDAD3laVBzGsc07GMdFKvj4B0ZfUBM-l-92HB1xMWNNc1d-"
                + "xbrLq8rKXyYeobU4bC4_WxHJOlOco-Z_60lD0z9vtmpaCpyOkq26V4Ygunhzd-"
                + "36ofKdiYBjNURaB3SNc4l5OFZLCM12nkM_bb3_kO538Zyw";

        // Decode without verifying, just to print what the header claims.
        DecodedJWT jwt = JWT.decode(token);
        Claim alg = jwt.getHeaderClaim("alg");
        System.out.printf("alg: %s\n", alg.asString());
        Claim type = jwt.getHeaderClaim("typ");
        System.out.printf("typ: %s\n", type.asString());
        Claim kid = jwt.getHeaderClaim("kid");
        System.out.printf("kid: %s\n", kid.asString());

        // Realm public key exactly as shown in the admin console:
        // base64 of the DER-encoded SubjectPublicKeyInfo, no PEM header/footer.
        String key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ"
                + "8AMIIBCgKCAQEAhir7PLNN6PafmxEN89tXD+vJGU+Io2QcnyAxw6MzGSYD1Rla3fzIVRBlh"
                + "bq3rYd8SWcPPZ2i/SAyfnzt3d9KPef+Vp8v3GfuVn2NoutPsxJA/1do+vcW/"
                + "lT5EDtbl9GQovMvFHE4JbgStdaRLD/4/w90zjbmEU4/J5beiqMAYioJQ5suE7P4N5OulZobPG"
                + "I0hibQ9lWM03gWocCnP1RtXWfzliQ0F2LqrBJS6GckcRwln/q0sacgK1ZC/"
                + "XLIty7w88bxV7PXKfgsqROId/1Fl6kJBl6AjdQkJtSQxo+"
                + "UOW4AJvABg6qvcC0bg1JkzDY0OPEMAm+AhUvdYzxrklvCJwIDAQAB";
        byte[] byteKey = Base64.getDecoder().decode(key);
        X509EncodedKeySpec x509PublicKey = new X509EncodedKeySpec(byteKey);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        RSAKey publicKey = (RSAKey) kf.generatePublic(x509PublicKey);

        // The verifier pins the algorithm to RS256 and checks the issuer;
        // verify() throws if the signature or any expected claim does not match.
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(publicKey))
                .withIssuer("http://localhost:8180/auth/realms/Microprofile")
                .build();
        verifier.verify(token);
    }
}
----- Original Message -----
From: "Scott Stark" <sstark(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Wednesday, February 1, 2017 12:42:47 PM
Subject: Re: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?
I was able to find the public key from the Realm Settings/Keys section of the admin console, but I'm not able to get the signature to verify on the https://jwt.io debugger.
For example, this token and public key won't work to verify the signature:
----- Original Message -----
From: "Scott Stark" <sstark(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Wednesday, February 1, 2017 11:50:34 AM
Subject: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?
So I can query the current access token via the myapp-root/k_query_bearer_token when expose-token is set to true, but is there a way to query the public key associated with the signature portion of the token?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user