[keycloak-user] Validating JWT tokens
Marek Posolda
mposolda at redhat.com
Thu May 5 05:32:38 EDT 2016
On 04/05/16 18:00, Aikeaguinea wrote:
> I have a client with a service account and credentials using Signed Jwt.
> Authentication works fine. The service uses
> org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials
> to create the JWT token and set the headers, and I get back a JWT
> containing an access token from Keycloak.
>
> However, when I use jwt.io to look at the access token, I can't validate
> the signature. This is true whether I use the client Certificate (from
> the client's Credentials tab), the Realm public key, or the Realm
> Certificate. In addition, I have generated the client's public key from
> the certificate using
>
> keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore
> client-keystore.jks | openssl x509 -inform pem -pubkey
>
> on the jks file supplied when I generated the client credentials, and
> that doesn't work either.
>
> We've also been having trouble validating the signature programmatically
> using Java.
The signature can be verified in Java if you have the realm public key. You can
use "RSATokenVerifier.verifyToken". We have a serviceAccount example,
which is part of the demo and where this is also used:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/service-account/src/main/java/org/keycloak/example/ProductServiceAccountServlet.java#L166
Marek
>
> Any idea why I might be seeing this?
>
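As an added illustration of the realm-key check Marek points to (this is not code from the thread or from Keycloak, and it uses only the JDK rather than RSATokenVerifier): the access token is signed by the realm's private key, so only the realm public key verifies it, not the client certificate or the key in client-keystore.jks, which serve client authentication. The base64 DER body of the realm public key is assumed to be in `REALM_PUBLIC_KEY_B64` (placeholder value).

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/** Verifies the RS256 signature of a Keycloak access token with the realm public key (JDK only). */
public class RealmTokenVerifier {

    /** Realm public key as shown in the admin console: the base64 DER body without PEM header lines. Placeholder. */
    static final String REALM_PUBLIC_KEY_B64 = "MIIBIjANBgkq...REPLACE-WITH-REALM-PUBLIC-KEY...";

    static PublicKey loadRealmKey(String base64Der) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Der);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** True only if the token has three parts, declares RS256, and its signature verifies under realmKey. */
    static boolean verifyRs256(String token, PublicKey realmKey) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            return false;
        }
        Base64.Decoder urlDecoder = Base64.getUrlDecoder();
        String header = new String(urlDecoder.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm: never let the token pick "none" or an HMAC alg against an RSA key.
        // (Keycloak emits a compact header, so a plain substring match is enough here.)
        if (!header.contains("\"alg\":\"RS256\"")) {
            return false;
        }
        // The signed input is the raw base64url header and payload joined by '.', not the decoded JSON.
        byte[] signedInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(realmKey);
        verifier.update(signedInput);
        return verifier.verify(urlDecoder.decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        String token = args[0]; // the access_token string returned by Keycloak
        PublicKey realmKey = loadRealmKey(REALM_PUBLIC_KEY_B64);
        System.out.println(verifyRs256(token, realmKey) ? "signature valid" : "signature INVALID");
    }
}
```

A valid signature alone is not enough: the issuer (realm URL) and expiry still need checking, which this snippet leaves to the caller.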