[keycloak-user] JWT signature verification failure

Richard Rattigan Richard.Rattigan at sonos.com
Tue Nov 11 19:50:40 EST 2014

I'm trying to verify keycloak jwt signatures in a Java/Groovy, but I'm not succeeding. I'm new to crypto, so maybe I'm doing something stupid.

This is Groovy code. realmPublicKey is the publicKey string from the realm REST response. I'm using the jjwt library to parse the tokens, but I get the same result (signature verification failure) with the nimbus library:

    Security.addProvider(new BouncyCastleProvider())
    def publicKey = KeyFactory
            .getInstance("RSA", "BC")
            .generatePublic(new X509EncodedKeySpec(realmPublicKey.decodeBase64()))
    def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)

I get an exception during the parse:

io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.

Is anyone able to see what I'm doing wrong here?

Richard Rattigan
Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141112/a9b07a34/attachment.html 

More information about the keycloak-user mailing list