6:50 p.m.
I'm trying to verify keycloak jwt signatures in a Java/Groovy, but I'm not
succeeding. I'm new to crypto, so maybe I'm doing something stupid.
This is Groovy code. realmPublicKey is the publicKey string from the realm REST response.
I'm using the jjwt library to parse the tokens, but I get the same result (signature
verification failure) with the nimbus library:
Security.addProvider(new BouncyCastleProvider())
def publicKey = KeyFactory
.getInstance("RSA", "BC")
.generatePublic(new X509EncodedKeySpec(realmPublicKey.decodeBase64()))
def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)
I get an exception during the parse:
io.jsonwebtoken.SignatureException: JWT signature does not match locally computed
signature. JWT validity cannot be asserted and should not be trusted.
Is anyone able to see what I'm doing wrong here?
Richard Rattigan
Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
7:55 p.m.
Looking at jjwt, they do this algorithm:
sign(base64enocdedheader + "." + bsase64encodedContent)
We just sign the content. Just verified that our impl is wrong. I'll
fix this for next release.
On 11/11/2014 7:50 PM, Richard Rattigan wrote:
I’m trying to verify keycloak jwt signatures in a Java/Groovy, but
I’m
not succeeding. I’m new to crypto, so maybe I’m doing something stupid.
This is Groovy code. realmPublicKey is the publicKey string from the
realm REST response. I’m using the jjwt library to parse the tokens, but
I get the same result (signature verification failure) with the nimbus
library:
Security.addProvider(new BouncyCastleProvider())
def publicKey = KeyFactory
.getInstance("RSA", "BC")
.generatePublic(new
X509EncodedKeySpec(realmPublicKey.decodeBase64()))
def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)
I get an exception during the parse:
io.jsonwebtoken.SignatureException: JWT signature does not match locally
computed signature. JWT validity cannot be asserted and should not be
trusted.
Is anyone able to see what I’m doing wrong here?
*Richard Rattigan*
Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:58 p.m.
In the meantime, you could use our impl until I fix it.
On 11/11/2014 8:55 PM, Bill Burke wrote:
Looking at jjwt, they do this algorithm:
sign(base64enocdedheader + "." + bsase64encodedContent)
We just sign the content. Just verified that our impl is wrong. I'll
fix this for next release.
On 11/11/2014 7:50 PM, Richard Rattigan wrote:
> I’m trying to verify keycloak jwt signatures in a Java/Groovy, but I’m
> not succeeding. I’m new to crypto, so maybe I’m doing something stupid.
>
> This is Groovy code. realmPublicKey is the publicKey string from the
> realm REST response. I’m using the jjwt library to parse the tokens, but
> I get the same result (signature verification failure) with the nimbus
> library:
>
> Security.addProvider(new BouncyCastleProvider())
> def publicKey = KeyFactory
> .getInstance("RSA", "BC")
> .generatePublic(new
> X509EncodedKeySpec(realmPublicKey.decodeBase64()))
> def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)
>
> I get an exception during the parse:
>
> io.jsonwebtoken.SignatureException: JWT signature does not match locally
> computed signature. JWT validity cannot be asserted and should not be
> trusted.
>
> Is anyone able to see what I’m doing wrong here?
>
> *Richard Rattigan*
>
> Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:40 a.m.
That clears that up. Thanks!
On 11/11/14, 8:58 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
In the meantime, you could use our impl until I fix it.
On 11/11/2014 8:55 PM, Bill Burke wrote:
> Looking at jjwt, they do this algorithm:
>
> sign(base64enocdedheader + "." + bsase64encodedContent)
>
> We just sign the content. Just verified that our impl is wrong. I'll
> fix this for next release.
>
> On 11/11/2014 7:50 PM, Richard Rattigan wrote:
>> I¹m trying to verify keycloak jwt signatures in a Java/Groovy, but I¹m
>> not succeeding. I¹m new to crypto, so maybe I¹m doing something stupid.
>>
>> This is Groovy code. realmPublicKey is the publicKey string from the
>> realm REST response. I¹m using the jjwt library to parse the tokens,
>>but
>> I get the same result (signature verification failure) with the nimbus
>> library:
>>
>> Security.addProvider(new BouncyCastleProvider())
>> def publicKey = KeyFactory
>> .getInstance("RSA", "BC")
>> .generatePublic(new
>> X509EncodedKeySpec(realmPublicKey.decodeBase64()))
>> def claims =
>>Jwts.parser().setSigningKey(publicKey).parse(accessToken)
>>
>> I get an exception during the parse:
>>
>> io.jsonwebtoken.SignatureException: JWT signature does not match
>>locally
>> computed signature. JWT validity cannot be asserted and should not be
>> trusted.
>>
>> Is anyone able to see what I¹m doing wrong here?
>>
>> *Richard Rattigan*
>>
>> Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:56 p.m.
FYI, fixed in master. Will be in next release.
On 11/12/2014 5:40 AM, Richard Rattigan wrote:
That clears that up. Thanks!
On 11/11/14, 8:58 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
> In the meantime, you could use our impl until I fix it.
>
> On 11/11/2014 8:55 PM, Bill Burke wrote:
>> Looking at jjwt, they do this algorithm:
>>
>> sign(base64enocdedheader + "." + bsase64encodedContent)
>>
>> We just sign the content. Just verified that our impl is wrong. I'll
>> fix this for next release.
>>
>> On 11/11/2014 7:50 PM, Richard Rattigan wrote:
>>> I¹m trying to verify keycloak jwt signatures in a Java/Groovy, but I¹m
>>> not succeeding. I¹m new to crypto, so maybe I¹m doing something stupid.
>>>
>>> This is Groovy code. realmPublicKey is the publicKey string from the
>>> realm REST response. I¹m using the jjwt library to parse the tokens,
>>> but
>>> I get the same result (signature verification failure) with the nimbus
>>> library:
>>>
>>> Security.addProvider(new BouncyCastleProvider())
>>> def publicKey = KeyFactory
>>> .getInstance("RSA", "BC")
>>> .generatePublic(new
>>> X509EncodedKeySpec(realmPublicKey.decodeBase64()))
>>> def claims =
>>> Jwts.parser().setSigningKey(publicKey).parse(accessToken)
>>>
>>> I get an exception during the parse:
>>>
>>> io.jsonwebtoken.SignatureException: JWT signature does not match
>>> locally
>>> computed signature. JWT validity cannot be asserted and should not be
>>> trusted.
>>>
>>> Is anyone able to see what I¹m doing wrong here?
>>>
>>> *Richard Rattigan*
>>>
>>> Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3698
days inactive
3698
days old
4 comments
2 participants
participants (2)
-
Bill Burke -
Richard Rattigan