[keycloak-user] Validating JWT tokens

Aikeaguinea aikeaguinea at xsmail.com
Wed May 4 12:37:27 EDT 2016


Figured it out, kinda. I have to use the Realm public key, and at least
in jwt.io it has to begin with "-----BEGIN PUBLIC KEY-----" and end with
"-----END PUBLIC KEY-----" -- these can't be omitted.

If I try using the Realm certificate, it won't work, however, whether or
not I use "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----".

If I use the validator at http://kjur.github.io/jsjws/tool_jwt.html and
select "default X509 Certificate (RSA z4)", it tells me "Error: malformed
X.509 certificate PEM (code:003)".

I can use the Realm public key for validating the JWT, but shouldn't the
certificate work as well?

On Wed, May 4, 2016, at 12:00 PM, Aikeaguinea wrote:
> I have a client with a service account and credentials using Signed Jwt.
> Authentication works fine. The service uses
> org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials
> to create the JWT token and set the headers, and I get back a JWT
> containing an access token from Keycloak.
> 
> However, when I use jwt.io to look at the access token, I can't validate
> the signature. This is true whether I use the client Certificate (from
> the client's Credentials tab), the Realm public key, or the Realm
> Certificate. In addition, I have generated the client's public key from
> the certificate using 
> 
> keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore
> client-keystore.jks | openssl x509 -inform pem -pubkey
> 
> on the jks file supplied when I generated the client credentials, and
> that doesn't work either.
> 
> We've also been having trouble validating the signature programmatically
> using Java.
> 
> Any idea why I might be seeing this?
> 
> -- 
> http://www.fastmail.com - Or how I learned to stop worrying and
>                           love email again
> 


-- 
  Aikeaguinea
  aikeaguinea at xsmail.com

-- 
http://www.fastmail.com - Send your email first class
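Worked example, added here and not part of the original post: a Go program (standard library only) that does what the post is reaching for. It accepts whichever PEM form the realm's Keys page gives you, a "-----BEGIN PUBLIC KEY-----" block (the form the post found working in jwt.io) or a "-----BEGIN CERTIFICATE-----" block, pulls the RSA public key out of the certificate in the second case, and verifies an RS256 compact JWT against it. The key, certificate and token are generated inside the program as constructed test material (the realm name "example-realm" and subject "service-account" are invented); Keycloak-specific claims such as issuer, audience and expiry are not checked here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// publicKeyFromPEM accepts a "PUBLIC KEY" block (SubjectPublicKeyInfo) or a
// "CERTIFICATE" block, taking the embedded public key in the second case.
// pem.Decode keys on the BEGIN/END lines, which is why they cannot be omitted.
func publicKeyFromPEM(pemText string) (*rsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return nil, fmt.Errorf("no PEM block found (BEGIN/END lines are required)")
	}
	var key any
	var err error
	switch block.Type {
	case "PUBLIC KEY":
		key, err = x509.ParsePKIXPublicKey(block.Bytes)
	case "CERTIFICATE":
		var cert *x509.Certificate
		if cert, err = x509.ParseCertificate(block.Bytes); err == nil {
			key = cert.PublicKey
		}
	default:
		err = fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	if err != nil {
		return nil, err
	}
	if rsaKey, ok := key.(*rsa.PublicKey); ok {
		return rsaKey, nil
	}
	return nil, fmt.Errorf("not an RSA public key")
}

// verifyRS256 checks a compact JWS (header.payload.signature) against key, with
// alg pinned to RS256 so a header-chosen algorithm is never honoured.
func verifyRS256(token string, key *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token must have three dot-separated segments")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("refusing alg %q, expected RS256", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signing input is the base64url text
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// testMaterial builds a throwaway RSA key, both PEM forms (public key and a minimal
// self-signed certificate) and an RS256 token standing in for a Keycloak access
// token. Everything is constructed here; nothing comes from a real realm.
func testMaterial() (pubPEM, certPEM, token string, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	spki, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an *rsa.PublicKey
	pubPEM = string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: spki}))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return
	}
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}))
	signingInput := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." +
		base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"example-realm","sub":"service-account"}`))
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	token = signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
	return
}

func main() {
	pubPEM, certPEM, token, _ := testMaterial()
	for _, p := range []string{pubPEM, certPEM} { // same token, both PEM forms the realm offers
		key, err := publicKeyFromPEM(p)
		if err == nil {
			_, err = verifyRS256(token, key)
		}
		fmt.Printf("%s: verify err=%v\n", strings.SplitN(p, "\n", 2)[0], err)
	}
}
```

Running it reports a nil error for both PEM forms. The certificate branch is the point the post hits: a certificate's DER bytes are a Certificate structure, not a SubjectPublicKeyInfo, so pasting them where a bare public key is expected fails to parse, and a verifier has to extract the key first, which is what the post's `openssl x509 -pubkey` step does on the command line. Pinning alg to RS256 before touching the signature is also what a production verifier should do rather than trusting whatever the token header says.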