[keycloak-user] Validating JWT tokens

Jason Axley jaxley at expedia.com
Fri May 20 13:10:02 EDT 2016


+1 for not trusting the algorithm in the JWT header to avoid these attacks:  https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/

Should do more than just signature validation though to be secure:


- Expiration check
- Audience check
- Subject check

This is a pretty good overview of the mechanics:  http://www.cloudidentity.com/blog/2014/03/03/principles-of-token-validation/

-Jason

From: <keycloak-user-bounces at lists.jboss.org> on behalf of Stian Thorgersen <sthorger at redhat.com>
Reply-To: "stian at redhat.com" <stian at redhat.com>
Date: Wednesday, May 18, 2016 at 10:01 PM
To: Josh Cain <josh.cain at redhat.com>
Cc: Aikeaguinea <aikeaguinea at xsmail.com>, "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Validating JWT tokens

You can also use https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/RSATokenVerifier.java

On 11 May 2016 at 15:50, Josh Cain <josh.cain at redhat.com> wrote:
I recently put together a quick test for this as well using jjwt: https://github.com/cainj13/jwtExamples/blob/master/src/test/java/jcain/example/TokenParseTest.java
Pretty similar to the gist that Thomas mentioned above.

Josh Cain | Software Applications Engineer
Identity and Access Management
Red Hat
+1 843-737-1735

On Wed, May 11, 2016 at 4:09 AM, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
Hello,

Another example for parsing and validating a Keycloak JWT was posted on the ML a few months ago:
http://lists.jboss.org/pipermail/keycloak-user/2016-March/005325.html

In the example the token is only successfully parsed when the token is valid.

Cheers,
Thomas

2016-05-11 10:45 GMT+02:00 Gerard Laissard <glaissard at axway.com>:

My 2 cents:
There is an openSSL example to verify a jwt:
https://gist.github.com/rolandyoung/176dd310a6948e094be6

By using jose4j:
        import org.jose4j.jws.JsonWebSignature;
        import org.jose4j.lang.JoseException;

        // be sure you do not have any EOL at the end of the token
        String accessToken = …;
        accessToken = accessToken.replaceAll("\r\n", "");
        accessToken = accessToken.replaceAll("\n", "");

        // Verifies the RSA signature only; exp/aud/sub are not checked here.
        JsonWebSignature jws = new JsonWebSignature();
        jws.setCompactSerialization(accessToken); // throws JoseException on a malformed token
        jws.setKey(publicKey);                    // the realm public key
        boolean signatureVerified = jws.verifySignature();
To get a PublicKey: if you put the content of the realm public key you get from the Keycloak admin console into a file:
        import java.io.IOException;
        import java.nio.charset.StandardCharsets;
        import java.nio.file.Files;
        import java.nio.file.Paths;
        import java.security.KeyFactory;
        import java.security.NoSuchAlgorithmException;
        import java.security.PublicKey;
        import java.security.spec.InvalidKeySpecException;
        import java.security.spec.X509EncodedKeySpec;
        import java.util.Base64;

        public PublicKey getPublicKey(String fileName) {
                try {
                        // The realm public key is a PEM body (base64 of a DER SubjectPublicKeyInfo),
                        // with or without the BEGIN/END lines; strip those and the line breaks,
                        // then convert to DER.
                        String pem = new String(Files.readAllBytes(Paths.get(fileName)), StandardCharsets.US_ASCII);
                        pem = pem.replaceAll("-----BEGIN (.*)-----", "");
                        pem = pem.replaceAll("-----END (.*)-----", "");
                        pem = pem.replaceAll("\r\n", "");
                        pem = pem.replaceAll("\n", "");
                        byte[] der = Base64.getDecoder().decode(pem); // java 8
                        X509EncodedKeySpec spec = new X509EncodedKeySpec(der);
                        KeyFactory kf = KeyFactory.getInstance("RSA");
                        return kf.generatePublic(spec);
                } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
                        throw new RuntimeException("Failed to load public key from file '" + fileName + "'", e);
                }
        }

With Java 8, it is quite simple too:
        import java.nio.charset.StandardCharsets;
        import java.security.Signature;
        import java.util.Base64;

        // (throws NoSuchAlgorithmException, InvalidKeyException, SignatureException)
        String[] tokenParts = accessToken.split("\\.");   // header.payload.signature
        // Pin the algorithm you expect ("SHA256withRSA" for "RS256"); do not take it
        // from the header in tokenParts[0], which the sender controls.
        String jwtSignAlgo = "SHA256withRSA";
        // The signed input is the encoded header and payload joined by "."
        String jwtInputString = tokenParts[0] + "." + tokenParts[1];
        // Keep the signature as raw bytes; converting it to a String corrupts it.
        byte[] jwtSignature = Base64.getUrlDecoder().decode(tokenParts[2]);
        Signature verifier = Signature.getInstance(jwtSignAlgo);
        verifier.initVerify(publicKey);
        verifier.update(jwtInputString.getBytes(StandardCharsets.UTF_8));
        boolean signatureVerified = verifier.verify(jwtSignature);


gerard
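Editor's note: the snippets above only check the signature, and the comment about detecting the algorithm from the header is exactly what Jason's reply at the top of the thread warns against. The following is an added example, not code from the thread or from Keycloak, showing the full check with jose4j's JwtConsumer: the algorithm is pinned to RS256 rather than read from the token, and exp, aud, sub and iss are enforced after the signature. The issuer, audience and subject values are made up, and a freshly generated RSA key pair stands in for the realm key pair (jose4j 0.4.x or later is assumed for the JwtConsumerBuilder API):

```java
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Base64;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.lang.JoseException;

/** Added example: verify a Keycloak-style RS256 access token with jose4j, then check its claims. */
public class TokenValidationExample {

    // Assumed values; a real service takes them from its Keycloak realm and client configuration.
    static final String ISSUER = "https://sso.example.com/auth/realms/demo";
    static final String AUDIENCE = "my-service";
    static final String SUBJECT = "f3c1d2e4-user-id";

    /** Verifier that pins RS256 and enforces exp, aud, sub and iss. */
    static JwtConsumer buildVerifier(PublicKey realmPublicKey) {
        return new JwtConsumerBuilder()
                // The "alg" header is attacker-controlled: only RS256 is accepted, so
                // "none" and "HS256" (the public-key-as-HMAC-secret attack) are rejected up front.
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
                .setVerificationKey(realmPublicKey)   // the realm public key
                .setRequireExpirationTime()           // exp must be present and in the future
                .setAllowedClockSkewInSeconds(30)     // tolerate small clock drift vs. Keycloak
                .setRequireSubject()                  // sub must be present
                .setExpectedIssuer(ISSUER)            // token must come from our realm
                .setExpectedAudience(AUDIENCE)        // and be meant for this service
                .build();
    }

    /** Mints a token the way the realm would (constructed for the demo; Keycloak does this server-side). */
    static String mint(RsaJsonWebKey realmKey, String audience, float minutesUntilExpiry) throws JoseException {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(ISSUER);
        claims.setAudience(audience);
        claims.setSubject(SUBJECT);
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(minutesUntilExpiry);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(realmKey.getPrivateKey());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }

    /** Fails loudly if the verifier accepts a token it must reject; otherwise prints the reason. */
    static void expectRejected(JwtConsumer verifier, String token, String why) {
        try {
            verifier.processToClaims(token);
            throw new IllegalStateException("should have been rejected: " + why);
        } catch (InvalidJwtException e) {
            System.out.println("rejected (" + why + "): " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        RsaJsonWebKey realmKey = RsaJwkGenerator.generateJwk(2048); // stands in for the realm key pair
        JwtConsumer verifier = buildVerifier(realmKey.getPublicKey());

        String good = mint(realmKey, AUDIENCE, 5);
        JwtClaims claims = verifier.processToClaims(good);
        System.out.println("accepted, subject = " + claims.getSubject());

        // The signature is valid in the next two cases; only the claim checks catch them.
        expectRejected(verifier, mint(realmKey, AUDIENCE, -5), "expired");
        expectRejected(verifier, mint(realmKey, "other-client", 5), "wrong audience");

        // Same payload re-labelled "alg":"none" with an empty signature: the pinned
        // algorithm constraint rejects it before any key is consulted.
        String[] parts = good.split("\\.");
        String noneHeader = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        expectRejected(verifier, noneHeader + "." + parts[1] + ".", "alg=none");
    }
}
```

In a real service the realm public key comes from the Keycloak admin console (or the realm's JWKS endpoint on newer releases) rather than from a generated key pair, and the subject returned by processToClaims is what you then use to look up the user; jose4j folds the expiry, audience, issuer and subject checks into processToClaims, so a token that passes only signature verification never reaches application code.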


From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen
Sent: Friday 6 May 2016 07:33
To: Aikeaguinea
Cc: keycloak-user
Subject: Re: [keycloak-user] Validating JWT tokens



On 4 May 2016 at 18:37, Aikeaguinea <aikeaguinea at xsmail.com> wrote:
Figured it out, kinda. I have to use the Realm public key, and at least
in jwt.io it has to begin with "-----BEGIN PUBLIC KEY-----" and end with
"-----END PUBLIC KEY-----" -- these can't be omitted.

If I try using the Realm certificate, it won't work, however, whether or
not I use "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----".

If I use the validator at http://kjur.github.io/jsjws/tool_jwt.html and
select "default X509 Certificate (RSA z4)", it tells me "Error: malformed
X.509 certificate PEM (code:003)"

I can use the Realm public key for validating the JWT, but shouldn't the
certificate work as well?

The certificate is only used by SAML, so no, you can't verify the JWT with the certificate, only with the public key.


On Wed, May 4, 2016, at 12:00 PM, Aikeaguinea wrote:
> I have a client with a service account and credentials using Signed Jwt.
> Authentication works fine. The service uses
> org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials
> to create the JWT token and set the headers, and I get back a JWT
> containing an access token from Keycloak.
>
> However, when I use jwt.io to look at the access token, I can't validate
> the signature. This is true whether I use the client Certificate (from
> the client's Credentials tab), the Realm public key, or the Realm
> Certificate. In addition, I have generated the client's public key from
> the certificate using
>
> keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore
> client-keystore.jks | openssl x509 -inform pem -pubkey
>
> on the jks file supplied when I generated the client credentials, and
> that doesn't work either.
>
> We've also been having trouble validating the signature programmatically
> using Java.
>
> Any idea why I might be seeing this?
>
> --
> http://www.fastmail.com - Or how I learned to stop worrying and
>                           love email again
>


--
  Aikeaguinea
  aikeaguinea at xsmail.com

--
http://www.fastmail.com - Send your email first class

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

