[keycloak-user] k_query_bearer_token, is there a way to query the associated public key?

Scott Stark sstark at redhat.com
Wed Feb 1 16:15:44 EST 2017


I was able to verify the token using the com.auth0 JWT library, so there must be something amiss with the web interface to the debugger. FYI, this is the little program I put together to do the verification:

import java.security.KeyFactory;
import java.security.interfaces.RSAKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;

public class VerifyJWT {
    public static void main(String[] args) throws Exception {
        String token = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGeFZlX1pUTHBoU0JrMGZMSDBmaDltUWY1OWkzNnVXOFBDeFFvWkE4eHdvIn0.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.YsoInnbkrPRyvauYsf5P5BePuPFFCyWBKz3TfP9FyeArp2bYyOzDusTEPCqhSx3-yYGsPxlVmsdu7LNonLs-rCXPki3uP3WAiSiyla4NXcBwly2kzM4EyO_J8CO9d4SqGEY8HDwTIga5E55KEOoYqOkGtj2pirIo8tlPa4SW2vwttvxix2zMOeyD50vZDAD3laVBzGsc07GMdFKvj4B0ZfUBM-l-92HB1xMWNNc1d-xbrLq8rKXyYeobU4bC4_WxHJOlOco-Z_60lD0z9vtmpaCpyOkq26V4Ygunhzd-36ofKdiYBjNURaB3SNc4l5OFZLCM12nkM_bb3_kO538Zyw";
        // Decode without verifying, only to inspect the JOSE header; the kid names the realm key that signed the token
        JWT jwt = JWT.decode(token);
        Claim alg = jwt.getHeaderClaim("alg");
        System.out.printf("alg: %s\n", alg.asString());
        Claim type = jwt.getHeaderClaim("typ");
        System.out.printf("typ: %s\n", type.asString());
        Claim kid = jwt.getHeaderClaim("kid");
        System.out.printf("kid: %s\n", kid.asString());

        String key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhir7PLNN6PafmxEN89tXD+vJGU+Io2QcnyAxw6MzGSYD1Rla3fzIVRBlhbq3rYd8SWcPPZ2i/SAyfnzt3d9KPef+Vp8v3GfuVn2NoutPsxJA/1do+vcW/lT5EDtbl9GQovMvFHE4JbgStdaRLD/4/w90zjbmEU4/J5beiqMAYioJQ5suE7P4N5OulZobPGI0hibQ9lWM03gWocCnP1RtXWfzliQ0F2LqrBJS6GckcRwln/q0sacgK1ZC/XLIty7w88bxV7PXKfgsqROId/1Fl6kJBl6AjdQkJtSQxo+UOW4AJvABg6qvcC0bg1JkzDY0OPEMAm+AhUvdYzxrklvCJwIDAQAB";
        // The admin console shows the realm key as base64 X.509 SubjectPublicKeyInfo
        byte[] byteKey = Base64.getDecoder().decode(key.getBytes());
        X509EncodedKeySpec X509publicKey = new X509EncodedKeySpec(byteKey);
        KeyFactory kf = KeyFactory.getInstance("RSA");

        RSAKey publicKey = (RSAKey) kf.generatePublic(X509publicKey);
        // Verify the RS256 signature and the expected issuer; throws JWTVerificationException on failure
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(publicKey))
            .withIssuer("http://localhost:8180/auth/realms/Microprofile")
            .build();
        verifier.verify(token);
    }

}
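Added example (not the poster's program and not Keycloak's own code): a pure standard-library Python version of the same check that also covers the `kid` question. It reads `kid` from the token header, parses the base64 SubjectPublicKeyInfo copied from Realm Settings/Keys into its modulus and exponent, renders it as the JWK Set entry a realm's JWKS endpoint publishes (Keycloak's is assumed to be `{issuer}/protocol/openid-connect/certs`; the thread does not name it), and verifies RS256 per RFC 8017 with the algorithm pinned so a token whose header claims `none` or an HMAC algorithm is rejected. Function names are mine.

```python
import base64, hashlib, json
# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2); the 32-byte hash follows it
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    """Decode unpadded base64url as used for JWT segments and JWK n/e."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwt_header(token):
    """Parse the JOSE header without verifying; 'kid' names the realm key that signed the token."""
    return json.loads(b64url_decode(token.split(".")[0]))

def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_spki_to_numbers(b64_spki):
    """Turn the base64 SubjectPublicKeyInfo from Realm Settings/Keys into (modulus, exponent)."""
    _, body, _ = _der_tlv(base64.b64decode(b64_spki), 0)   # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_tlv(body, 0)                           # AlgorithmIdentifier (rsaEncryption)
    _, bitstr, _ = _der_tlv(body, pos)                      # BIT STRING wrapping RSAPublicKey
    _, rsapub, _ = _der_tlv(bitstr[1:], 0)                  # skip the unused-bits octet
    _, n_bytes, pos = _der_tlv(rsapub, 0)
    _, e_bytes, _ = _der_tlv(rsapub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def numbers_to_jwk(n, e, kid):
    """The same key as a JWK Set entry, the form a JWKS endpoint serves for lookup by kid."""
    enc = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig", "n": enc(n), "e": enc(e)}

def verify_rs256(token, n, e):
    """RSASSA-PKCS1-v1_5 with SHA-256 (RFC 8017); returns the claims on success, else None."""
    head_b64, payload_b64, sig_b64 = token.split(".")
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(sig_b64)
    # Pin the algorithm on the verifier's side: a header that says "none" or HS256 is rejected
    if jwt_header(token).get("alg") != "RS256" or len(sig) != k:
        return None
    t = SHA256_DIGESTINFO + hashlib.sha256(f"{head_b64}.{payload_b64}".encode()).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t   # EMSA-PKCS1-v1_5 encoding
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return json.loads(b64url_decode(payload_b64)) if recovered == expected else None
```

To use it against a live realm, fetch the JWKS document, pick the entry whose `kid` matches the token header, decode its `n`/`e` with `b64url_decode` and pass them to `verify_rs256`; the admin-console key and that JWKS entry are the same key in two encodings.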


----- Original Message -----
From: "Scott Stark" <sstark at redhat.com>
To: keycloak-user at lists.jboss.org
Sent: Wednesday, February 1, 2017 12:42:47 PM
Subject: Re: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?

I was able to find the public key from the Realm Settings/Keys section of the admin console, but I'm not able to get the signature to verify on the https://jwt.io debugger.

For example, this token and public key won't work to verify the signature:

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGeFZlX1pUTHBoU0JrMGZMSDBmaDltUWY1OWkzNnVXOFBDeFFvWkE4eHdvIn0.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!
 XBkZW1vQHN0YXJraW50ZXJuYXRpb25hbC5jb20ifQ.TAgwCENsVF9bug3TbvjB-KD_kT3AfLDduK_vQ-1Gp5ejeDLRVcppktXpIWe1jhJTKmqXIwL48S636BYrP35iNmlJLGIxm706o-BU6SO8IJND_OJdfbCdkUrekcGTS8k5B2D_idQnnl-DcwKJs0Mqv8q_XD2XqCTAu1nTKsrTlFn6QoZ0_-Q_bRsmZ_Rgob5Gf4Vw93I5OnS5zRUV_qi-VEDTEtAO3YlfWdTJXYXYeSGVXTjExw6TikYlcQETolfr-sxhfcPEH5KWQnUw_40hb12Zzxp3DdnJuQ34NKe5vgPNW1Q3geT7YLGYcY1pJFmvLEKxDC5WxRNMp_PFYLYxTA

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhir7PLNN6PafmxEN89tXD+vJGU+Io2QcnyAxw6MzGSYD1Rla3fzIVRBlhbq3rYd8SWcPPZ2i/SAyfnzt3d9KPef+Vp8v3GfuVn2NoutPsxJA/1do+vcW/lT5EDtbl9GQovMvFHE4JbgStdaRLD/4/w90zjbmEU4/J5beiqMAYioJQ5suE7P4N5OulZobPGI0hibQ9lWM03gWocCnP1RtXWfzliQ0F2LqrBJS6GckcRwln/q0sacgK1ZC/XLIty7w88bxV7PXKfgsqROId/1Fl6kJBl6AjdQkJtSQxo+UOW4AJvABg6qvcC0bg1JkzDY0OPEMAm+AhUvdYzxrklvCJwIDAQAB

----- Original Message -----
From: "Scott Stark" <sstark at redhat.com>
To: keycloak-user at lists.jboss.org
Sent: Wednesday, February 1, 2017 11:50:34 AM
Subject: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?

So I can query the current access token via the myapp-root/k_query_bearer_token when expose-token is set to true, but is there a way to query the public key associated with the signature portion of the token?
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
