[keycloak-user] JWT signature verification failure

Bill Burke bburke at redhat.com
Wed Nov 12 18:56:10 EST 2014


FYI, fixed in master.  Will be in next release.

On 11/12/2014 5:40 AM, Richard Rattigan wrote:
> That clears that up. Thanks!
>
>
> On 11/11/14, 8:58 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
>> In the meantime, you could use our impl until I fix it.
>>
>> On 11/11/2014 8:55 PM, Bill Burke wrote:
>>> Looking at jjwt, they do this algorithm:
>>>
>>> sign(base64encodedheader + "." + base64encodedContent)
>>>
>>> We just sign the content.  Just verified that our impl is wrong.  I'll
>>> fix this for next release.
>>>
>>> On 11/11/2014 7:50 PM, Richard Rattigan wrote:
>>>> I'm trying to verify keycloak jwt signatures in a Java/Groovy, but I'm
>>>> not succeeding. I'm new to crypto, so maybe I'm doing something stupid.
>>>>
>>>> This is Groovy code. realmPublicKey is the publicKey string from the
>>>> realm REST response. I'm using the jjwt library to parse the tokens,
>>>> but
>>>> I get the same result (signature verification failure) with the nimbus
>>>> library:
>>>>
>>>>        import java.security.KeyFactory
>>>>        import java.security.Security
>>>>        import java.security.spec.X509EncodedKeySpec
>>>>        import org.bouncycastle.jce.provider.BouncyCastleProvider
>>>>        import io.jsonwebtoken.Jwts
>>>>
>>>>        // Register Bouncy Castle so the "BC" provider name resolves
>>>>        Security.addProvider(new BouncyCastleProvider())
>>>>        // realmPublicKey: base64 X.509/SPKI public key string from the realm REST response
>>>>        def publicKey = KeyFactory
>>>>                .getInstance("RSA", "BC")
>>>>                .generatePublic(new X509EncodedKeySpec(realmPublicKey.decodeBase64()))
>>>>        // Parse the compact JWT and verify its signature with the realm public key
>>>>        def claims = Jwts.parser().setSigningKey(publicKey).parse(accessToken)
>>>>
>>>> I get an exception during the parse:
>>>>
>>>> io.jsonwebtoken.SignatureException: JWT signature does not match
>>>> locally
>>>> computed signature. JWT validity cannot be asserted and should not be
>>>> trusted.
>>>>
>>>> Is anyone able to see what I'm doing wrong here?
>>>>
>>>> *Richard Rattigan*
>>>>
>>>> Sonos | Sr. Software Engineer | Skype: Richard.RattiganSonos
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
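The thread's root cause is the JWS signing input: a conforming verifier (jjwt, nimbus) recomputes the signature over base64url(header) + "." + base64url(payload), so a token whose signature covers only the payload bytes can never verify. The following Go program, added here as an illustration and not code from Keycloak, jjwt or anyone on the thread, builds an RS256 token both ways with a freshly generated RSA key and runs the same verifier over each, reproducing the "signature does not match locally computed signature" outcome for the content-only variant. The header and payload JSON are constructed sample values; the verifier also pins the expected algorithm instead of trusting the token's `alg` header.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// b64url is the unpadded base64url encoding that compact JWS (RFC 7515) requires.
func b64url(b []byte) string {
	return base64.RawURLEncoding.EncodeToString(b)
}

// signingInput builds the exact bytes an RS256 verifier checks:
// base64url(header) || "." || base64url(payload).
func signingInput(header, payload []byte) string {
	return b64url(header) + "." + b64url(payload)
}

// rs256Sign produces a compact JWS with the correct signing input (PKCS#1 v1.5, SHA-256).
func rs256Sign(key *rsa.PrivateKey, header, payload []byte) (string, error) {
	input := signingInput(header, payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// contentOnlySign reproduces the mistake discussed in the thread: the signature
// covers only the raw payload bytes rather than header.payload. The token still
// looks well-formed, but no standards-conforming verifier will accept it.
func contentOnlySign(key *rsa.PrivateKey, header, payload []byte) (string, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput(header, payload) + "." + b64url(sig), nil
}

// rs256Verify checks a compact JWS the way jjwt or nimbus does: it requires the
// expected algorithm (never trusting "alg" blindly), recomputes the digest over
// the first two segments, and returns the decoded payload only on success.
func rs256Verify(pub *rsa.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS: expected 3 segments")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected or missing alg; RS256 required")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("JWT signature does not match locally computed signature: %w", err)
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the demo
	if err != nil {
		panic(err)
	}
	header := []byte(`{"alg":"RS256","typ":"JWT"}`) // constructed sample header
	payload := []byte(`{"sub":"alice","iss":"demo-realm"}`) // constructed sample claims

	good, _ := rs256Sign(key, header, payload)
	if claims, err := rs256Verify(&key.PublicKey, good); err == nil {
		fmt.Println("header.payload signed: verified, claims =", string(claims))
	}
	bad, _ := contentOnlySign(key, header, payload)
	if _, err := rs256Verify(&key.PublicKey, bad); err != nil {
		fmt.Println("payload-only signed: ", err)
	}
}
```

The two tokens differ only in which bytes the private key signed; the verifier is identical, which is why the reporter saw the same failure with two unrelated libraries.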

