[keycloak-user] JWT signature verification failure
Bill Burke
bburke at redhat.com
Tue Nov 11 20:58:47 EST 2014
In the meantime, you could use our impl until I fix it.
On 11/11/2014 8:55 PM, Bill Burke wrote:
> Looking at jjwt, they do this algorithm:
>
> sign(base64enocdedheader + "." + bsase64encodedContent)
>
> We just sign the content. Just verified that our impl is wrong. I'll
> fix this for next release.
>
> On 11/11/2014 7:50 PM, Richard Rattigan wrote:
>> I’m trying to verify keycloak jwt signatures in a Java/Groovy, but I’m
>> not succeeding. I’m new to crypto, so maybe I’m doing something stupid.
>>
>> This is Groovy code. realmPublicKey is the publicKey string from the
>> realm REST response. I’m using the jjwt library to parse the tokens, but
>> I get the same result (signature verification failure) with the nimbus
>> library:
>>
>> Security.addProvider(new BouncyCastleProvider())
>> def publicKey = KeyFactory
>> .getInstance("RSA", "BC")
>> .generatePublic(new
>> X509EncodedKeySpec(realmPublicKey.decodeBase64()))
>> def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)
>>
>> I get an exception during the parse:
>>
>> io.jsonwebtoken.SignatureException: JWT signature does not match locally
>> computed signature. JWT validity cannot be asserted and should not be
>> trusted.
>>
>> Is anyone able to see what I’m doing wrong here?
>>
>> *Richard Rattigan*
>>
>> Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-user
mailing list