[keycloak-user] Hitting error -- "Didn't find publicKey for specified kid"

Sebastien Blanc sblanc at redhat.com
Tue Jul 25 10:14:58 EDT 2017


Oh, you were faster than me on this one ;), well, you can change the log
level of your app in the standalone.xml

On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
wrote:

> Hello Sebastien,
>
> I was looking at the logs of my app wildfly server, as suggested by
> another user, Thomas. Here is a relevant exception stack which I see.
>
> 13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator]
> (default task-12) Error when sending request to retrieve realm keys:
> org.keycloak.adapters.HttpClientAdapterException: IO error
> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(
> HttpAdapterUtils.java:58)
> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendRequest(
> JWKPublicKeyLocator.java:99)
> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublicKey(
> JWKPublicKeyLocator.java:63)
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(
> AdapterRSATokenVerifier.java:44)
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
> AdapterRSATokenVerifier.java:55)
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
> AdapterRSATokenVerifier.java:37)
> at org.keycloak.adapters.BearerTokenRequestAuthenticato
> r.authenticateToken(BearerTokenRequestAuthenticator.java:87)
> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(
> BearerTokenRequestAuthenticator.java:82)
> at org.keycloak.adapters.RequestAuthenticator.authenticate(
> RequestAuthenticator.java:68)
> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMe
> ch.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(
> ServletKeycloakAuthMech.java:92)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
> SecurityContextImpl.java:245)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
> SecurityContextImpl.java:263)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(
> SecurityContextImpl.java:231)
> at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(
> SecurityContextImpl.java:125)
> at io.undertow.security.impl.SecurityContextImpl.authTransition(
> SecurityContextImpl.java:99)
> at io.undertow.security.impl.SecurityContextImpl.authenticate(
> SecurityContextImpl.java:92)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
> er.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(
> DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandle
> r.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
> ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandl
> er.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
> ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.
> handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssocia
> tionHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
> handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
> handleRequest(ServletPreAuthActionsHandler.java:69)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
> ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$
> 100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
> ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
> ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(
> ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(
> ContextClassLoaderSetupAction.java:43)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$
> 000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
> ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(
> HttpServerExchange.java:805)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.net.ConnectException: Connection refused (Connection
> refused)
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at java.net.AbstractPlainSocketImpl.doConnect(
> AbstractPlainSocketImpl.java:350)
> at java.net.AbstractPlainSocketImpl.connectToAddress(
> AbstractPlainSocketImpl.java:206)
> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:
> 188)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> at java.net.Socket.connect(Socket.java:589)
> at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(
> PlainSocketFactory.java:117)
> at org.apache.http.impl.conn.DefaultClientConnectionOperato
> r.openConnection(DefaultClientConnectionOperator.java:177)
> at org.apache.http.impl.conn.AbstractPoolEntry.open(
> AbstractPoolEntry.java:144)
> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(
> AbstractPooledConnAdapter.java:131)
> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(
> DefaultRequestDirector.java:611)
> at org.apache.http.impl.client.DefaultRequestDirector.execute(
> DefaultRequestDirector.java:446)
> at org.apache.http.impl.client.AbstractHttpClient.doExecute(
> AbstractHttpClient.java:882)
> at org.apache.http.impl.client.CloseableHttpClient.execute(
> CloseableHttpClient.java:82)
> at org.apache.http.impl.client.CloseableHttpClient.execute(
> CloseableHttpClient.java:107)
> at org.apache.http.impl.client.CloseableHttpClient.execute(
> CloseableHttpClient.java:55)
> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(
> HttpAdapterUtils.java:37)
> ... 52 more
> 2017-07-25T13:56:29.452564496Z
> 13:56:29,454 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier]
> (default task-12) Didn't find publicKey for kid: RHESicBPoNCwhBnBLEk_
> 8X4ufj5WyuTo20zbzOo4HfQ
> 13:56:29,454 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
> (default task-12) Failed to verify token: org.keycloak.common.VerificationException:
> Didn't find publicKey for specified kid
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(
> AdapterRSATokenVerifier.java:47)
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
> AdapterRSATokenVerifier.java:55)
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
> AdapterRSATokenVerifier.java:37)
> at org.keycloak.adapters.BearerTokenRequestAuthenticato
> r.authenticateToken(BearerTokenRequestAuthenticator.java:87)
> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(
> BearerTokenRequestAuthenticator.java:82)
> at org.keycloak.adapters.RequestAuthenticator.authenticate(
> RequestAuthenticator.java:68)
> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMe
> ch.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(
> ServletKeycloakAuthMech.java:92)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
> SecurityContextImpl.java:245)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
> SecurityContextImpl.java:263)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(
> SecurityContextImpl.java:231)
> at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(
> SecurityContextImpl.java:125)
> at io.undertow.security.impl.SecurityContextImpl.authTransition(
> SecurityContextImpl.java:99)
> at io.undertow.security.impl.SecurityContextImpl.authenticate(
> SecurityContextImpl.java:92)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
> er.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(
> DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandle
> r.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
> ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandl
> er.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
> ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.
> handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssocia
> tionHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
> handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
> handleRequest(ServletPreAuthActionsHandler.java:69)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
> ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$
> 100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
> ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
> ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(
> ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(
> ContextClassLoaderSetupAction.java:43)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
> LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$
> 000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
> ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(
> HttpServerExchange.java:805)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
>
> Is there a way to enhance the log level at the client (I mean the keycloak
> adapter), to see if it is an HTTP connection issue or something else?
>
> Thanks,
> Rajesh
>
> On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
> wrote:
>
>> Here is the response from curl ---
>>
>> $ curl -v http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users -H "Authorization:  Bearer $KEY"
>> *   Trying 192.168.99.100...
>> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
>> > GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>> HTTP/1.1
>> > Host: 192.168.99.100:8080
>> > User-Agent: curl/7.50.1
>> > Accept: */*
>> > Authorization:  Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
>> AiSldUIiwia2lkIiA6ICJSSEV
>> TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJ
>> qdGkiOiJkNmY2MmM5YS1
>> hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
>> sIm5iZiI6MCwiaWF0Ijo
>> xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
>> vYXV0aC9yZWFsbXMvYmt
>> vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
>> 2YmMtOWU4MS05MjE1Zjg
>> zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
>> oX3RpbWUiOjAsInNlc3N
>> pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
>> lNjciLCJhY3IiOiIxIiw
>> iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
>> kYTY2NmE4Y2EiLCJhbGx
>> vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
>> sInJlYWxtX2FjY2VzcyI
>> 6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
>> 1cmNlX2FjY2VzcyI6eyJ
>> yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
>> 3LWlkZW50aXR5LXByb3Z
>> pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
>> 0aW9uIiwicmVhbG0tYWR
>> taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
>> ob3JpemF0aW9uIiwibWF
>> uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
>> ldy11c2VycyIsInZpZXc
>> tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
>> udHMiXX0sImFjY291bnQ
>> iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
>> saW5rcyIsInZpZXctcHJ
>> vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
>> lcmFkbWluIiwiZW1haWw
>> iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5Hv
>> G3x5WBI3ZcC4WEcBA3NU
>> L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM
>> 6zLk7cy0UKig5ghHX1-g
>> Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1
>> iUXAaCZ5fIdXs3epdG82
>> NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82poh
>> W6RQMAZmGyMVofsxH_uR
>> rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>> >
>> < HTTP/1.1 401 Unauthorized
>> < Expires: 0
>> < Cache-Control: no-cache, no-store, must-revalidate
>> < X-Powered-By: Undertow/1
>> < Server: WildFly/10
>> < Pragma: no-cache
>> < Date: Tue, 25 Jul 2017 14:04:31 GMT
>> < Connection: keep-alive
>> < WWW-Authenticate: Bearer realm="bkofc", error="invalid_token",
>> error_description="Didn't find publicKey for specified kid"
>> < Content-Type: text/html;charset=UTF-8
>> < Content-Length: 71
>> <
>> * Connection #0 to host 192.168.99.100 left intact
>> <html><head><title>Error</title></head><body>Unauthorized</body></html>$
>> $
>>
>> Thanks,
>> Rajesh
>>
>> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>> wrote:
>>
>>> Sure. I was using Postman to invoke the service. This is the command
>>> used by Postman:
>>>
>>> ------------------------------------------------------------------------
>>>
>>> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
>>> Host: 192.168.99.100:8080
>>> Authorization: Bearer  eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
>>> cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8b
>>> qyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg
>>> _tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_
>>> uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>> Cache-Control: no-cache
>>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>>
>>>
>>> ---------------------------------------------------------------------------
>>>
>>> The "userservice" is my own service for other attributes of users. I
>>> also made sure that the service executes without the security.
>>>
>>> Thanks,
>>> Rajesh
>>>
>>>
>>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc at redhat.com>
>>> wrote:
>>>
>>>> Okay, to have the complete picture, could you paste the command you issue
>>>> to call your REST service?
>>>>
>>>>
>>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>>>> wrote:
>>>>
>>>>> Sebastien,
>>>>>
>>>>> Here is a token response -
>>>>>
>>>>> {
>>>>>   "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>> sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>>>>   "expires_in": 300,
>>>>>   "refresh_expires_in": 1800,
>>>>>   "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>>>> gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>>>>   "token_type": "bearer",
>>>>>   "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>>>   "not-before-policy": 0,
>>>>>   "session_state": "3231f46f-229b-42d3-a419-089a21396e67"
>>>>> }
>>>>>
>>>>>
>>>>> I checked it in jwt.io. The kid is the same as the "rsa-generated" one
>>>>> shown in the screenshot I shared yesterday. jwt did, however, complain
>>>>> "Invalid Signature".
>>>>>
>>>>>
>>>>> Thomas, the connectivity should not be an issue, as I am able to get
>>>>> the access token from my app wildfly server using curl. So keycloak is
>>>>> reachable from my wildfly server. Anything specific you did to resolve your
>>>>> issue?
>>>>>
>>>>> Regards,
>>>>> Rajesh
>>>>>
>>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> This all looks correct. Could you try pasting your access token, or even
>>>>>> check it yourself on jwt.io, to see if the kid is present?
>>>>>>
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Sebastien,
>>>>>>>
>>>>>>> I am attaching a pdf containing the screenshots. A few more points I
>>>>>>> wanted to mention.
>>>>>>>
>>>>>>> i) I didn't install the public client "bkofc-web" in the wildfly
>>>>>>> container which hosts my REST services. I did it for the "bkofc-svc"
>>>>>>> client, which is bearer only. I hope that is the correct approach.
>>>>>>> ii) Both keycloak and my application are running in docker containers
>>>>>>> locally on my laptop.
>>>>>>>
>>>>>>> Let me know if you need anything else to analyze.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <sblanc at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> yes please
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Yes definitely. I did replace it with the actual war name. Let me
>>>>>>>>> know if you would like me to paste screen shots of realm configurations,
>>>>>>>>> client configurations.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rajesh
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <
>>>>>>>>> sblanc at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Ok, and for:
>>>>>>>>>> <secure-deployment name="my war file.war">
>>>>>>>>>>
>>>>>>>>>> Did you replace that with the actual name of your war file?
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <
>>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>>
>>>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Rajesh
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <
>>>>>>>>>>> sblanc at redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Which version of Keycloak are you using?
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <
>>>>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am trying to secure my REST services using the method
>>>>>>>>>>>>> described in the document:
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am securing my war using the JBoss subsystem, instead of the
>>>>>>>>>>>>> per-war option. The relevant sections from my standalone.xml are
>>>>>>>>>>>>> posted below.
>>>>>>>>>>>>>
>>>>>>>>>>>>>     <extensions>
>>>>>>>>>>>>>         ......
>>>>>>>>>>>>>         <extension module="org.keycloak.keycloak-adapter-subsystem"/>
>>>>>>>>>>>>>     </extensions>
>>>>>>>>>>>>>
>>>>>>>>>>>>>     <security-domains>
>>>>>>>>>>>>>         .....
>>>>>>>>>>>>>         <security-domain name="keycloak">
>>>>>>>>>>>>>             <authentication>
>>>>>>>>>>>>>                 <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>>>>>>>>>>>>>             </authentication>
>>>>>>>>>>>>>         </security-domain>
>>>>>>>>>>>>>     </security-domains>
>>>>>>>>>>>>>
>>>>>>>>>>>>>     <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>>>         <secure-deployment name="my war file.war">
>>>>>>>>>>>>>             <realm>bkofc</realm>
>>>>>>>>>>>>>             <resource>bkofc-svc</resource>
>>>>>>>>>>>>>             <use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>>>>>             <bearer-only>true</bearer-only>
>>>>>>>>>>>>>             <auth-server-url>http://192.168.99.100/30001/auth</auth-server-url>
>>>>>>>>>>>>>             <ssl-required>none</ssl-required>
>>>>>>>>>>>>>             <credential name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>>>>>>>>         </secure-deployment>
>>>>>>>>>>>>>     </subsystem>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>>>>>
>>>>>>>>>>>>> curl -i --data "grant_type=password&client_id=bkofc-web&username=user&password=password" http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/token
>>>>>>>>>>>>>
>>>>>>>>>>>>> Note: I have created 2 clients: i) bkofc-svc, which is bearer
>>>>>>>>>>>>> only, for my REST services; ii) bkofc-web, a public client to
>>>>>>>>>>>>> simulate UI login.
>>>>>>>>>>>>>
>>>>>>>>>>>>> However, when I try to use the access token to invoke a service,
>>>>>>>>>>>>> I am getting the error:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>>
>>>>>>>>>>>>> WWW-Authenticate Bearer realm="bkofc", error="invalid_token",
>>>>>>>>>>>>> error_description="Didn't find publicKey for specified kid"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please let me know if I am missing something here. I have been
>>>>>>>>>>>>> breaking my head for the last few days without any luck! I have
>>>>>>>>>>>>> also tried rotating the realm keys.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
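The verification path visible in the stack trace above (JWKPublicKeyLocator fetching the realm's keys, then AdapterRSATokenVerifier matching the token header's kid against them) can be reproduced offline. The following Python script is an added example, not Keycloak adapter code: it generates a throwaway RSA key, publishes it as a JWKS in the shape the realm's certs endpoint serves, issues an RS256 token carrying a kid, and verifies it; a token whose kid is absent from the JWKS fails with the same message as in the thread. It also derives the certs endpoint from an auth-server-url value with the standard library's URL parser, which is a cheap check of the subsystem setting: the value quoted in the first message, http://192.168.99.100/30001/auth, parses to host 192.168.99.100 on port 80 with path /30001/auth, while the token request in the same message goes to port 30001, which is consistent with the Connection refused in the trace. Key size, kids, claims and example URLs are constructed values; RSA key generation, PKCS#1 v1.5 padding and the JWKS fields are implemented inline (demo-grade, not for production) so the script needs only the standard library (Python 3.8+).

```python
import base64
import hashlib
import hmac
import json
import random
from urllib.parse import urlsplit

# Added example, not Keycloak adapter code: kids, claims, key size and URLs are
# constructed for the demo, and the RSA/PKCS#1 code is demo-grade only.

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    d, r = n - 1, 0  # Miller-Rabin; n is odd and > 3 by construction
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:  # top two bits set so p*q has exactly 2*bits bits
        cand = random.getrandbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits: int = 1024) -> dict:
    """Raw-integer RSA key (n, e, d); needs Python 3.8+ for pow(e, -1, phi)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

# DER DigestInfo prefix for SHA-256, as EMSA-PKCS1-v1_5 (RS256) requires
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(key: dict, signing_input: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n: int, e: int, signing_input: bytes, signature: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

def make_jwks(key: dict, kid: str) -> dict:
    """What .../realms/<realm>/protocol/openid-connect/certs would serve for this key."""
    i2s = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig",
                      "n": i2s(key["n"]), "e": i2s(key["e"])}]}

def issue_token(key: dict, kid: str, claims: dict) -> str:
    """RS256 token carrying the signing key's kid in its header, as the realm issues."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64url_encode(rs256_sign(key, signing_input.encode()))

class VerificationException(Exception):
    """Raised for any token-verification failure."""

def verify_token(token: str, jwks: dict) -> dict:
    """Adapter-style check: kid from the header, key from the JWKS, then the signature."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # pin the algorithm; never trust the header's alg
        raise VerificationException("unexpected alg")
    jwk = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:  # the message the adapter in the thread reports
        raise VerificationException("Didn't find publicKey for specified kid")
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{p}".encode(), b64url_decode(s)):
        raise VerificationException("Invalid token signature")
    return json.loads(b64url_decode(p))

def certs_endpoint(auth_server_url: str, realm: str) -> tuple:
    """(certs URL, host, TCP port) the adapter derives from an auth-server-url value."""
    u = urlsplit(auth_server_url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (f"{auth_server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/certs",
            u.hostname, port)
```

With `key = generate_rsa_key()`, `verify_token(issue_token(key, "k1", claims), make_jwks(key, "k1"))` returns the claims, and verifying the same token against `make_jwks(key, "k2")` (the JWKS after a key rotation that dropped the old kid) raises the kid error. In the real adapter the JWKS comes over HTTP from the certs endpoint of auth-server-url; in the trace above that request is the one failing with Connection refused, after which the locator holds no key for the kid, so the visible error is the kid message even though the fault is connectivity or configuration.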

