[keycloak-user] JWT signature verification failure
Bill Burke
bburke at redhat.com
Tue Nov 11 20:55:26 EST 2014
Looking at jjwt, they do this algorithm:
sign(base64encodedHeader + "." + base64encodedContent)
We just sign the content. Just verified that our impl is wrong. I'll
fix this for next release.
On 11/11/2014 7:50 PM, Richard Rattigan wrote:
> I’m trying to verify keycloak jwt signatures in Java/Groovy, but I’m
> not succeeding. I’m new to crypto, so maybe I’m doing something stupid.
>
> This is Groovy code. realmPublicKey is the publicKey string from the
> realm REST response. I’m using the jjwt library to parse the tokens, but
> I get the same result (signature verification failure) with the nimbus
> library:
>
> Security.addProvider(new BouncyCastleProvider())
> def publicKey = KeyFactory
>     .getInstance("RSA", "BC")
>     .generatePublic(new X509EncodedKeySpec(realmPublicKey.decodeBase64()))
> def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)
>
> I get an exception during the parse:
>
> io.jsonwebtoken.SignatureException: JWT signature does not match locally
> computed signature. JWT validity cannot be asserted and should not be
> trusted.
>
> Is anyone able to see what I’m doing wrong here?
>
> *Richard Rattigan*
>
> Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
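Added example (not code from the thread or from Keycloak) showing why the two implementations disagree: a conforming RS256 verifier rebuilds the JWS signing input as base64url(header) "." base64url(payload) and checks the signature over that string, so a token whose signature covers only the payload is rejected exactly as jjwt reported. The header and claims are constructed samples; signRS256 with contentOnly=true mimics the bug described above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// Constructed sample header and claims for the demo; not a real Keycloak token.
var sampleHeader = []byte(`{"alg":"RS256","typ":"JWT"}`)
var sampleClaims = []byte(`{"sub":"alice","typ":"Bearer"}`)

var b64 = base64.RawURLEncoding // unpadded base64url, as JWS (RFC 7515) requires

// signingInput builds the JWS Signing Input: BASE64URL(header) "." BASE64URL(payload).
func signingInput(header, payload []byte) string {
	return b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
}

// signRS256 emits a compact JWS. With contentOnly=true it reproduces the bug
// from the thread: the signature covers only the encoded payload, not the
// header "." payload signing input, so a conforming verifier rejects the token.
func signRS256(key *rsa.PrivateKey, header, payload []byte, contentOnly bool) (string, error) {
	input := signingInput(header, payload)
	signed := input
	if contentOnly {
		signed = b64.EncodeToString(payload)
	}
	digest := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 does what jjwt/nimbus do: rebuild the signing input from the first
// two segments and check the RSA signature over it with the realm public key.
func verifyRS256(pub *rsa.PublicKey, token string) bool {
	parts := strings.Split(token, ".")
	sig, err := b64.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```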