[keycloak-user] Hitting error -- "Didn't find publicKey for specified kid"
Rajesh Ghosh
ghosh.rajesh at gmail.com
Tue Jul 25 10:06:33 EDT 2017
Here is the response from curl ---
$ curl -v
http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/us
erservice/users -H "Authorization: Bearer $KEY"
* Trying 192.168.99.100...
* Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
> Host: 192.168.99.100:8080
> User-Agent: curl/7.50.1
> Accept: */*
> Authorization: Bearer
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEV
TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1
hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwiaWF0Ijo
xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmt
vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1Zjg
zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsInNlc3N
pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiw
iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGx
vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY2VzcyI
6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJ
yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3Z
pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhbG0tYWR
taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXRob3JpemF0aW9uIiwibWF
uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXc
tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY291bnQ
iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJ
vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWw
iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NU
L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7cy0UKig5ghHX1-g
Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82
NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_uR
rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>
< HTTP/1.1 401 Unauthorized
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Server: WildFly/10
< Pragma: no-cache
< Date: Tue, 25 Jul 2017 14:04:31 GMT
< Connection: keep-alive
< WWW-Authenticate: Bearer realm="bkofc", error="invalid_token",
error_description="Didn't find publicKey for specified kid"
< Content-Type: text/html;charset=UTF-8
< Content-Length: 71
<
* Connection #0 to host 192.168.99.100 left intact
<html><head><title>Error</title></head><body>Unauthorized</body></html>$
$
Thanks,
Rajesh
On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
wrote:
> Sure. I was using postman to invoke the service. This is the command used
> by postman --
>
> ------------------------------------------------------------------------
>
> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
> Host: 192.168.99.100:8080
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
> AiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeX
> VUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLT
> Q4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZi
> I6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS
> 4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZW
> IiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOT
> giLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbW
> UiOjAsInNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS
> 0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5Mj
> FjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW
> 9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYW
> xtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZX
> IiXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7In
> JvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycy
> IsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIi
> wicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIi
> widmlldy1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS
> 1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW
> 50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX
> 0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2
> UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLC
> JwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cm
> lsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL
> -mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
> cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_
> Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg_
> tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_
> uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
> Cache-Control: no-cache
> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>
>
> ------------------------------------------------------------
> ---------------
>
> The "userservice" is my own service for other attributes of users. I also
> made sure that the service executes without the security.
>
> Thanks,
> Rajesh
>
>
> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc at redhat.com>
> wrote:
>
>> Okay, to have the complete picture could paste the command you issue to
>> call your REST service ?
>>
>>
>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>> wrote:
>>
>>> Sebastien,
>>>
>>> Here is a token response -
>>>
>>> {
>>> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
>>> cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8b
>>> qyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg
>>> _tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_
>>> uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>> "expires_in": 300,
>>> "refresh_expires_in": 1800,
>>> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>> gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>> "token_type": "bearer",
>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>> "not-before-policy": 0,
>>> "session_state": "3231f46f-229b-42d3-a419-089a21396e67"
>>> }
>>>
>>>
>>> I checked it in jwt.io . The kid is same as the "rsa-generated" one,
>>> shown in the screen shot I shared yesterday. Although jwt complained as
>>> "Invalid Signature" .
>>>
>>>
>>> Thomas, the connectivity should not be an issue as I am able to get the
>>> access token from my app wildfly server using curl. So keycloak is
>>> reachable from my wildfly server. Anything specific you did to resolve your
>>> issue ?
>>>
>>> Regards,
>>> Rajesh
>>>
>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc at redhat.com>
>>> wrote:
>>>
>>>> This looks all correct. Could you try paste your access token or even
>>>> check it your self on jwt.io to see if the kid is present ?
>>>>
>>>>
>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>>>> wrote:
>>>>
>>>>> Sebastien,
>>>>>
>>>>> I am attaching a pdf containing the screen shots. Few more points I
>>>>> wanted to mention.
>>>>>
>>>>> i) I didn't install the public client -- "bkofc-web" in the wildfly
>>>>> container which hosts my REST services. I did it for "bkofc-svc" client
>>>>> which is bearer only. I hope that is the correct approach.
>>>>> ii) Both keycloak and my application are running on docker containers
>>>>> locally in my laptop.
>>>>>
>>>>> Let me know if you need anything else to analyze.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>>
>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <sblanc at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> yes please
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Yes definitely. I did replace it with the actual war name. Let me
>>>>>>> know if you would like me to paste screen shots of realm configurations,
>>>>>>> client configurations.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Ok and for :
>>>>>>>> <secure-deployment name="my war file.war">
>>>>>>>>
>>>>>>>> Did you replace that with the actual name of your war file ?
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello Sebastien,
>>>>>>>>>
>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rajesh
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <
>>>>>>>>> sblanc at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <
>>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I am trying to secure my REST services using the method
>>>>>>>>>>> described in the
>>>>>>>>>>> document --
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>>>>> ak-securing.html
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I am securing my war using JBoss subsystem , instead of per-war
>>>>>>>>>>> option. The
>>>>>>>>>>> relevant sections from my standalone.xml are posted below.
>>>>>>>>>>>
>>>>>>>>>>> <extensions>
>>>>>>>>>>> ......
>>>>>>>>>>> <extension module="org.keycloak.keycloak-
>>>>>>>>>>> adapter-subsystem"/>
>>>>>>>>>>> </extensions>
>>>>>>>>>>>
>>>>>>>>>>> <security-domains>
>>>>>>>>>>> .....
>>>>>>>>>>> <security-domain name="keycloak">
>>>>>>>>>>> <authentication>
>>>>>>>>>>> <login-module
>>>>>>>>>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>> flag="required"/>
>>>>>>>>>>> </authentication>
>>>>>>>>>>> </security-domain>
>>>>>>>>>>> </security-domains>
>>>>>>>>>>>
>>>>>>>>>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>> <secure-deployment name="my war file.war">
>>>>>>>>>>> <realm>bkofc</realm>
>>>>>>>>>>> <resource>bkofc-svc</resource>
>>>>>>>>>>>
>>>>>>>>>>> <use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>>> <bearer-only>true</bearer-only>
>>>>>>>>>>> <auth-server-url>http://192.16
>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>> </auth-server-url>
>>>>>>>>>>> <ssl-required>none</ssl-required>
>>>>>>>>>>> <credential
>>>>>>>>>>> name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>>>>>> </secure-deployment>
>>>>>>>>>>> </subsystem>
>>>>>>>>>>>
>>>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>>>
>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>> "grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>>>> ord=password"
>>>>>>>>>>> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>>>> d-connect/token
>>>>>>>>>>>
>>>>>>>>>>> Note:- I have created 2 clients -- i) bkofc-svc which is bearer
>>>>>>>>>>> only, for
>>>>>>>>>>> my REST services ii) bkofc-web , a public client to simulate UI
>>>>>>>>>>> login
>>>>>>>>>>>
>>>>>>>>>>> However when I try to use the access token to invoke a service,
>>>>>>>>>>> I am
>>>>>>>>>>> getting the error -
>>>>>>>>>>>
>>>>>>>>>>> Status: 401
>>>>>>>>>>>
>>>>>>>>>>> WWW-Authenticate Bearer realm="bkofc", error="invalid_token",
>>>>>>>>>>> error_description="Didn't find publicKey for specified kid"
>>>>>>>>>>>
>>>>>>>>>>> Please let me know if I am missing something here. I have been
>>>>>>>>>>> breaking my
>>>>>>>>>>> head last few days without any luck ! I have also tried
>>>>>>>>>>> rotating the realm
>>>>>>>>>>> keys.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Rajesh
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
More information about the keycloak-user
mailing list