[keycloak-user] Validating JWT tokens
Stian Thorgersen
sthorger at redhat.com
Thu May 19 01:01:27 EDT 2016
You can also use
https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/RSATokenVerifier.java
On 11 May 2016 at 15:50, Josh Cain <josh.cain at redhat.com> wrote:
> I recently put together a quick test for this as well using jjwt:
> https://github.com/cainj13/jwtExamples/blob/master/src/test/java/jcain/example/TokenParseTest.java
>
> Pretty similar to the gist that Thomas mentioned above.
>
> Josh Cain | Software Applications Engineer
> *Identity and Access Management*
> *Red Hat*
> +1 843-737-1735
>
> On Wed, May 11, 2016 at 4:09 AM, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> Hello,
>>
>> another example for (Parsing) & Validating a Keycloak JWT was posted on
>> the ML a few months ago:
>> http://lists.jboss.org/pipermail/keycloak-user/2016-March/005325.html
>>
>> In the example the token is only successfully parsed when the token is
>> valid.
>>
>> Cheers,
>> Thomas
>>
>> 2016-05-11 10:45 GMT+02:00 Gerard Laissard <glaissard at axway.com>:
>>
>>>
>>>
>>> My 2 cents:
>>>
>>> There is an openSSL example to verify a jwt:
>>>
>>> https://gist.github.com/rolandyoung/176dd310a6948e094be6
>>>
>>>
>>>
>>> By using jose4j
>>>
>>>     import org.jose4j.jws.JsonWebSignature;
>>>
>>>     // be sure you do not have any EOL at the end of the token
>>>     String accessToken = …;
>>>     accessToken = accessToken.replaceAll("\r\n", "");
>>>     accessToken = accessToken.replaceAll("\n", "");
>>>
>>>     JsonWebSignature jws = new JsonWebSignature();
>>>     jws.setCompactSerialization(accessToken);
>>>     jws.setKey(publicKey);
>>>     boolean signatureVerified = jws.verifySignature();
>>>
>>> To get a PublicKey: if you put the content of the realm public you get
>>> from keycloak admin
>>>
>>>     import java.io.DataInputStream;
>>>     import java.io.File;
>>>     import java.io.FileInputStream;
>>>     import java.io.IOException;
>>>     import java.security.KeyFactory;
>>>     import java.security.NoSuchAlgorithmException;
>>>     import java.security.PublicKey;
>>>     import java.security.spec.InvalidKeySpecException;
>>>     import java.security.spec.X509EncodedKeySpec;
>>>     import java.util.Base64;
>>>
>>>     public PublicKey getPublicKey(String fileName) {
>>>         File f = new File(fileName);
>>>         // try-with-resources closes both streams
>>>         try (FileInputStream fis = new FileInputStream(f);
>>>              DataInputStream dis = new DataInputStream(fis)) {
>>>             byte[] keyBytes = new byte[(int) f.length()];
>>>             dis.readFully(keyBytes);
>>>
>>>             // convert to der format
>>>             String pem = new String(keyBytes);
>>>             pem = pem.replaceAll("-----BEGIN (.*)-----", "");
>>>             pem = pem.replaceAll("-----END (.*)-----", "");
>>>             pem = pem.replaceAll("\r\n", "");
>>>             pem = pem.replaceAll("\n", "");
>>>             byte[] der = Base64.getDecoder().decode(pem); // java 8
>>>
>>>             X509EncodedKeySpec spec = new X509EncodedKeySpec(der);
>>>             KeyFactory kf = KeyFactory.getInstance("RSA");
>>>             return kf.generatePublic(spec);
>>>         } catch (IOException | InvalidKeySpecException |
>>>                  NoSuchAlgorithmException e) {
>>>             throw new RuntimeException("Failed to load public key from file '"
>>>                     + fileName + "'", e);
>>>         }
>>>     }
>>>
>>>
>>>
>>> With Java 8, it is quite simple too
>>>
>>>     import java.security.Signature;
>>>     import java.util.Base64;
>>>
>>>     String[] tokenParts = accessToken.split("\\.");
>>>     // detect algo from tokenParts[0] or put "SHA256withRSA" (for "RS256")
>>>     String jwtSignAlgo = "SHA256withRSA";
>>>     String jwtInputString = tokenParts[0] + "." + tokenParts[1];
>>>     // keep the decoded signature as raw bytes; Signature.verify() takes a byte[]
>>>     byte[] jwtDecodedSign = Base64.getUrlDecoder().decode(tokenParts[2]);
>>>
>>>     Signature verifier = Signature.getInstance(jwtSignAlgo);
>>>     verifier.initVerify(publicKey);
>>>     verifier.update(jwtInputString.getBytes("UTF-8"));
>>>     boolean signatureVerified = verifier.verify(jwtDecodedSign);
>>>
>>>
>>>
>>>
>>>
>>> gerard
>>>
>>>
>>>
>>>
>>>
>>> *From:* keycloak-user-bounces at lists.jboss.org [mailto:
>>> keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Stian Thorgersen
>>> *Sent:* Friday, 6 May 2016 07:33
>>> *To:* Aikeaguinea
>>> *Cc:* keycloak-user
>>> *Subject:* Re: [keycloak-user] Validating JWT tokens
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 4 May 2016 at 18:37, Aikeaguinea <aikeaguinea at xsmail.com> wrote:
>>>
>>> Figured it out, kinda. I have to use the Realm public key, and at least
>>> in jwt.io it has to begin with "-----BEGIN PUBLIC KEY-----" and end with
>>> "-----END PUBLIC KEY-----" -- these can't be omitted.
>>>
>>> If I try using the Realm certificate, it won't work, however, whether or
>>> not I use "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----".
>>>
>>> If I use the validator at http://kjur.github.io/jsjws/tool_jwt.html and
>>> select "default X509 Certificate (RSA z4)", it tells me "Error: malformed
>>> X.509 certificate PEM (code:003)".
>>>
>>> I can use the Realm public key for validating the JWT, but shouldn't the
>>> certificate work as well?
>>>
>>>
>>>
>>> The certificate is only used by SAML, so no, you can't verify the JWT
>>> with the certificate, only the public key.
>>>
>>>
>>>
>>>
>>> On Wed, May 4, 2016, at 12:00 PM, Aikeaguinea wrote:
>>> > I have a client with a service account and credentials using Signed Jwt.
>>> > Authentication works fine. The service uses
>>> > org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials
>>> > to create the JWT token and set the headers, and I get back a JWT
>>> > containing an access token from Keycloak.
>>> >
>>> > However, when I use jwt.io to look at the access token, I can't validate
>>> > the signature. This is true whether I use the client Certificate (from
>>> > the client's Credentials tab), the Realm public key, or the Realm
>>> > Certificate. In addition, I have generated the client's public key from
>>> > the certificate using
>>> >
>>> > keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore
>>> > client-keystore.jks | openssl x509 -inform pem -pubkey
>>> >
>>> > on the jks file supplied when I generated the client credentials, and
>>> > that doesn't work either.
>>> >
>>> > We've also been having trouble validating the signature programmatically
>>> > using Java.
>>> >
>>> > Any idea why I might be seeing this?
>>> >
>>> > --
>>> > http://www.fastmail.com - Or how I learned to stop worrying and
>>> > love email again
>>> >
>>>
>>>
>>> --
>>> Aikeaguinea
>>> aikeaguinea at xsmail.com
>>>
>>> --
>>> http://www.fastmail.com - Send your email first class
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
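
An end-to-end check of the approach discussed in this thread, added here as an example and not code from any of the posters or from Keycloak: it parses a "-----BEGIN PUBLIC KEY-----" PEM block, verifies an RS256 token with the JDK only, and shows that altered claims fail. Assumptions: a throwaway key pair generated at run time stands in for the realm key, the token contents are constructed, and the header check is a simple string match where real code would use a JSON parser.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class JwtSignatureCheck {
    // Parse a "-----BEGIN PUBLIC KEY-----" PEM block (X.509 SubjectPublicKeyInfo) into an RSA key.
    static PublicKey parsePem(String pem) throws GeneralSecurityException {
        String b64 = pem.replaceAll("-----(BEGIN|END) PUBLIC KEY-----", "").replaceAll("\\s", "");
        return KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(b64)));
    }

    // Verify an RS256 compact JWT. The algorithm is pinned here, never chosen by the token.
    static boolean verifyRs256(String jwt, PublicKey key) throws GeneralSecurityException {
        String[] parts = jwt.trim().split("\\.");          // trim() drops a trailing EOL
        if (parts.length != 3) return false;
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        // Simplified header check (assumption: a JSON parser would be used in real code).
        if (!header.replaceAll("\\s", "").contains("\"alg\":\"RS256\"")) return false;
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return verifier.verify(Base64.getUrlDecoder().decode(parts[2])); // raw bytes, not a String
    }

    static String b64url(byte[] in) { return Base64.getUrlEncoder().withoutPadding().encodeToString(in); }

    public static void main(String[] args) throws Exception {
        // Constructed test data: a throwaway key pair stands in for the realm key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair realm = gen.generateKeyPair();
        String pem = "-----BEGIN PUBLIC KEY-----\n"
                + Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(realm.getPublic().getEncoded())
                + "\n-----END PUBLIC KEY-----\n";
        // Constructed token: sign header.payload with the matching private key.
        String head = b64url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes());
        String input = head + "." + b64url("{\"sub\":\"service-account-demo\"}".getBytes());
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(realm.getPrivate());
        signer.update(input.getBytes(StandardCharsets.US_ASCII));
        String jwt = input + "." + b64url(signer.sign());
        // Same signature, different claims: must be rejected.
        String forged = head + "." + b64url("{\"sub\":\"admin\"}".getBytes())
                + jwt.substring(jwt.lastIndexOf('.'));
        PublicKey key = parsePem(pem);
        System.out.println("valid token:    " + verifyRs256(jwt + "\n", key));
        System.out.println("altered claims: " + verifyRs256(forged, key));
    }
}
```

Signature verification alone does not validate a token; expiry, issuer and audience claims still need checking, which the libraries mentioned in the thread handle.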