[keycloak-user] Hitting error -- "Didn't find publicKey for specified kid"
Rajesh Ghosh
ghosh.rajesh at gmail.com
Tue Jul 25 10:18:12 EDT 2017
OMG ! That was stupid ! Let me rectify that and try again.
Thanks so much for pointing out.
Regards,
Rajesh
On Tue, Jul 25, 2017 at 7:47 PM, Sebastien Blanc <sblanc at redhat.com> wrote:
> Oh I think I found it : <auth-server-url>http://192.168.99.100/30001/auth
> </auth-server-url>
> You have a typo there , shouldn't it be http://192.168.99.100:30001/auth
> <http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/token>
> , notice the ":" instead of "/"
>
> On Tue, Jul 25, 2017 at 4:14 PM, Sebastien Blanc <sblanc at redhat.com>
> wrote:
>
>> Oh you were faster than me on this one ;) , well you can change the log
>> level of you app in the standalone.xml
>>
>> On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>> wrote:
>>
>>> Hello Sebastien,
>>>
>>> I was looking at the logs of my app wildfly server , as suggested by
>>> another user Thomas . Here is a relevant exception stack which I see.
>>>
>>> 13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator]
>>> (default task-12) Error when sending request to retrieve realm keys:
>>> org.keycloak.adapters.HttpClientAdapterException: IO error
>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
>>> ttpAdapterUtils.java:58)
>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendReque
>>> st(JWKPublicKeyLocator.java:99)
>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublic
>>> Key(JWKPublicKeyLocator.java:63)
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
>>> blicKey(AdapterRSATokenVerifier.java:44)
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>> yToken(AdapterRSATokenVerifier.java:55)
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>> yToken(AdapterRSATokenVerifier.java:37)
>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>> ticateToken(BearerTokenRequestAuthenticator.java:87)
>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>> ticate(BearerTokenRequestAuthenticator.java:82)
>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
>>> estAuthenticator.java:68)
>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
>>> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
>>> nticate(ServletKeycloakAuthMech.java:92)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> transition(SecurityContextImpl.java:245)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> transition(SecurityContextImpl.java:263)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> access$100(SecurityContextImpl.java:231)
>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
>>> ication(SecurityContextImpl.java:125)
>>> at io.undertow.security.impl.SecurityContextImpl.authTransition
>>> (SecurityContextImpl.java:99)
>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
>>> ecurityContextImpl.java:92)
>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>> at io.undertow.server.handlers.DisableCacheHandler.handleReques
>>> t(DisableCacheHandler.java:33)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.security.handlers.AuthenticationConstraintHandle
>>> r.handleRequest(AuthenticationConstraintHandler.java:53)
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>> aintHandler.java:64)
>>> at io.undertow.servlet.handlers.security.ServletSecurityConstra
>>> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>>> ndleRequest(NotificationReceiverHandler.java:50)
>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>> Handler.java:43)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
>>> handleRequest(ServletPreAuthActionsHandler.java:69)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>> stRequest(ServletInitialHandler.java:292)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
>>> 0(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>> rvletInitialHandler.java:138)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>> rvletInitialHandler.java:135)
>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
>>> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.cal
>>> l(ContextClassLoaderSetupAction.java:43)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>> equest(ServletInitialHandler.java:272)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>> 0(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>> equest(ServletInitialHandler.java:104)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>> ge.java:805)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: java.net.ConnectException: Connection refused (Connection
>>> refused)
>>> at java.net.PlainSocketImpl.socketConnect(Native Method)
>>> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSock
>>> etImpl.java:350)
>>> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPl
>>> ainSocketImpl.java:206)
>>> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocket
>>> Impl.java:188)
>>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>>> at java.net.Socket.connect(Socket.java:589)
>>> at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket
>>> (PlainSocketFactory.java:117)
>>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.op
>>> enConnection(DefaultClientConnectionOperator.java:177)
>>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoo
>>> lEntry.java:144)
>>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(Abs
>>> tractPooledConnAdapter.java:131)
>>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnec
>>> t(DefaultRequestDirector.java:611)
>>> at org.apache.http.impl.client.DefaultRequestDirector.execute(D
>>> efaultRequestDirector.java:446)
>>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(Abs
>>> tractHttpClient.java:882)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>> eableHttpClient.java:82)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>> eableHttpClient.java:107)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>> eableHttpClient.java:55)
>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
>>> ttpAdapterUtils.java:37)
>>> ... 52 more
>>> 2017-07-25T13:56:29.452564496Z
>>> 13:56:29,454 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier]
>>> (default task-12) Didn't find publicKey for kid:
>>> RHESicBPoNCwhBnBLEk_8X4ufj5WyuTo20zbzOo4HfQ
>>> 13:56:29,454 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
>>> (default task-12) Failed to verify token: org.keycloak.common.VerificationException:
>>> Didn't find publicKey for specified kid
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
>>> blicKey(AdapterRSATokenVerifier.java:47)
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>> yToken(AdapterRSATokenVerifier.java:55)
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>> yToken(AdapterRSATokenVerifier.java:37)
>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>> ticateToken(BearerTokenRequestAuthenticator.java:87)
>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>> ticate(BearerTokenRequestAuthenticator.java:82)
>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
>>> estAuthenticator.java:68)
>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
>>> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
>>> nticate(ServletKeycloakAuthMech.java:92)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> transition(SecurityContextImpl.java:245)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> transition(SecurityContextImpl.java:263)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> access$100(SecurityContextImpl.java:231)
>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
>>> ication(SecurityContextImpl.java:125)
>>> at io.undertow.security.impl.SecurityContextImpl.authTransition
>>> (SecurityContextImpl.java:99)
>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
>>> ecurityContextImpl.java:92)
>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>> at io.undertow.server.handlers.DisableCacheHandler.handleReques
>>> t(DisableCacheHandler.java:33)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.security.handlers.AuthenticationConstraintHandle
>>> r.handleRequest(AuthenticationConstraintHandler.java:53)
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>> aintHandler.java:64)
>>> at io.undertow.servlet.handlers.security.ServletSecurityConstra
>>> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>>> ndleRequest(NotificationReceiverHandler.java:50)
>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>> Handler.java:43)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
>>> handleRequest(ServletPreAuthActionsHandler.java:69)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>> stRequest(ServletInitialHandler.java:292)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
>>> 0(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>> rvletInitialHandler.java:138)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>> rvletInitialHandler.java:135)
>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
>>> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.cal
>>> l(ContextClassLoaderSetupAction.java:43)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>> equest(ServletInitialHandler.java:272)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>> 0(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>> equest(ServletInitialHandler.java:104)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>> ge.java:805)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:748)
>>>
>>> Is there a way to enhance the log level at the client ( i mean keycloak
>>> adapter ) , to see if it is a http connection issue or something else ??
>>>
>>> Thanks,
>>> Rajesh
>>>
>>> On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>>> wrote:
>>>
>>>> Here is the response from curl ---
>>>>
>>>> $ curl -v http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/s
>>>> ec/rest/us
>>>> erservice/users -H "Authorization: Bearer $KEY"
>>>> * Trying 192.168.99.100...
>>>> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
>>>> > GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>>> HTTP/1.1
>>>> > Host: 192.168.99.100:8080
>>>> > User-Agent: curl/7.50.1
>>>> > Accept: */*
>>>> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
>>>> AiSldUIiwia2lkIiA6ICJSSEV
>>>> TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJ
>>>> qdGkiOiJkNmY2MmM5YS1
>>>> hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
>>>> sIm5iZiI6MCwiaWF0Ijo
>>>> xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
>>>> vYXV0aC9yZWFsbXMvYmt
>>>> vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
>>>> 2YmMtOWU4MS05MjE1Zjg
>>>> zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
>>>> oX3RpbWUiOjAsInNlc3N
>>>> pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
>>>> lNjciLCJhY3IiOiIxIiw
>>>> iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
>>>> kYTY2NmE4Y2EiLCJhbGx
>>>> vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
>>>> sInJlYWxtX2FjY2VzcyI
>>>> 6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
>>>> 1cmNlX2FjY2VzcyI6eyJ
>>>> yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
>>>> 3LWlkZW50aXR5LXByb3Z
>>>> pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
>>>> 0aW9uIiwicmVhbG0tYWR
>>>> taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
>>>> ob3JpemF0aW9uIiwibWF
>>>> uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
>>>> ldy11c2VycyIsInZpZXc
>>>> tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
>>>> udHMiXX0sImFjY291bnQ
>>>> iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
>>>> saW5rcyIsInZpZXctcHJ
>>>> vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
>>>> lcmFkbWluIiwiZW1haWw
>>>> iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5Hv
>>>> G3x5WBI3ZcC4WEcBA3NU
>>>> L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM
>>>> 6zLk7cy0UKig5ghHX1-g
>>>> Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1
>>>> iUXAaCZ5fIdXs3epdG82
>>>> NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82poh
>>>> W6RQMAZmGyMVofsxH_uR
>>>> rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>> >
>>>> < HTTP/1.1 401 Unauthorized
>>>> < Expires: 0
>>>> < Cache-Control: no-cache, no-store, must-revalidate
>>>> < X-Powered-By: Undertow/1
>>>> < Server: WildFly/10
>>>> < Pragma: no-cache
>>>> < Date: Tue, 25 Jul 2017 14:04:31 GMT
>>>> < Connection: keep-alive
>>>> < WWW-Authenticate: Bearer realm="bkofc", error="invalid_token",
>>>> error_description="Didn't find publicKey for specified kid"
>>>> < Content-Type: text/html;charset=UTF-8
>>>> < Content-Length: 71
>>>> <
>>>> * Connection #0 to host 192.168.99.100 left intact
>>>> <html><head><title>Error</title></head><body>Unauthorized</b
>>>> ody></html>$
>>>> $
>>>>
>>>> Thanks,
>>>> Rajesh
>>>>
>>>> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>>>> wrote:
>>>>
>>>>> Sure. I was using postman to invoke the service. This is the command
>>>>> used by postman --
>>>>>
>>>>> ------------------------------------------------------------
>>>>> ------------
>>>>>
>>>>> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>>>> HTTP/1.1
>>>>> Host: 192.168.99.100:8080
>>>>> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>> sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>>> Cache-Control: no-cache
>>>>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>>>>
>>>>>
>>>>> ------------------------------------------------------------
>>>>> ---------------
>>>>>
>>>>> The "userservice" is my own service for other attributes of users. I
>>>>> also made sure that the service executes without the security.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>>
>>>>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Okay, to have the complete picture could paste the command you issue
>>>>>> to call your REST service ?
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Sebastien,
>>>>>>>
>>>>>>> Here is a token response -
>>>>>>>
>>>>>>> {
>>>>>>> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>>>> sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>>>>>> "expires_in": 300,
>>>>>>> "refresh_expires_in": 1800,
>>>>>>> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>>>>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>>>>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>>>>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>>>>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>>>>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>>>>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>>>>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>>>>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>>>>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>>>>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>>>>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>>>>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>>>>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>>>>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>>>>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>>>>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>>>>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>>>>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>>>>>> gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>>>>>> "token_type": "bearer",
>>>>>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>>>>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>>>>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>>>>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>>>>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>>>>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>>>>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>>>>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>>>>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>>>>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>>>>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>>>>> "not-before-policy": 0,
>>>>>>> "session_state": "3231f46f-229b-42d3-a419-089a21396e67"
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> I checked it in jwt.io . The kid is same as the "rsa-generated"
>>>>>>> one, shown in the screen shot I shared yesterday. Although jwt complained
>>>>>>> as "Invalid Signature" .
>>>>>>>
>>>>>>>
>>>>>>> Thomas, the connectivity should not be an issue as I am able to get
>>>>>>> the access token from my app wildfly server using curl. So keycloak is
>>>>>>> reachable from my wildfly server. Anything specific you did to resolve your
>>>>>>> issue ?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Rajesh
>>>>>>>
>>>>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc at redhat.com
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> This looks all correct. Could you try paste your access token or
>>>>>>>> even check it your self on jwt.io to see if the kid is present ?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Sebastien,
>>>>>>>>>
>>>>>>>>> I am attaching a pdf containing the screen shots. Few more points
>>>>>>>>> I wanted to mention.
>>>>>>>>>
>>>>>>>>> i) I didn't install the public client -- "bkofc-web" in the
>>>>>>>>> wildfly container which hosts my REST services. I did it for "bkofc-svc"
>>>>>>>>> client which is bearer only. I hope that is the correct approach.
>>>>>>>>> ii) Both keycloak and my application are running on docker
>>>>>>>>> containers locally in my laptop.
>>>>>>>>>
>>>>>>>>> Let me know if you need anything else to analyze.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rajesh
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <
>>>>>>>>> sblanc at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> yes please
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <
>>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Yes definitely. I did replace it with the actual war name. Let
>>>>>>>>>>> me know if you would like me to paste screen shots of realm configurations,
>>>>>>>>>>> client configurations.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Rajesh
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <
>>>>>>>>>>> sblanc at redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Ok and for :
>>>>>>>>>>>> <secure-deployment name="my war file.war">
>>>>>>>>>>>>
>>>>>>>>>>>> Did you replace that with the actual name of your war file ?
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <
>>>>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <
>>>>>>>>>>>>> sblanc at redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <
>>>>>>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am trying to secure my REST services using the method
>>>>>>>>>>>>>>> described in the
>>>>>>>>>>>>>>> document --
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>>>>>>>>> ak-securing.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am securing my war using JBoss subsystem , instead of
>>>>>>>>>>>>>>> per-war option. The
>>>>>>>>>>>>>>> relevant sections from my standalone.xml are posted below.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <extensions>
>>>>>>>>>>>>>>> ......
>>>>>>>>>>>>>>> <extension module="org.keycloak.keycloak-
>>>>>>>>>>>>>>> adapter-subsystem"/>
>>>>>>>>>>>>>>> </extensions>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <security-domains>
>>>>>>>>>>>>>>> .....
>>>>>>>>>>>>>>> <security-domain name="keycloak">
>>>>>>>>>>>>>>> <authentication>
>>>>>>>>>>>>>>> <login-module
>>>>>>>>>>>>>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>>>>>> flag="required"/>
>>>>>>>>>>>>>>> </authentication>
>>>>>>>>>>>>>>> </security-domain>
>>>>>>>>>>>>>>> </security-domains>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>>>>> <secure-deployment name="my war file.war">
>>>>>>>>>>>>>>> <realm>bkofc</realm>
>>>>>>>>>>>>>>> <resource>bkofc-svc</resource>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <use-resource-role-mappings>true</use-resource-role-mappings
>>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>> <bearer-only>true</bearer-only>
>>>>>>>>>>>>>>> <auth-server-url>http://192.16
>>>>>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>>>>>> </auth-server-url>
>>>>>>>>>>>>>>> <ssl-required>none</ssl-required>
>>>>>>>>>>>>>>> <credential
>>>>>>>>>>>>>>> name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credenti
>>>>>>>>>>>>>>> al>
>>>>>>>>>>>>>>> </secure-deployment>
>>>>>>>>>>>>>>> </subsystem>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>>>>> "grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>>>>>>>> ord=password"
>>>>>>>>>>>>>>> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>>>>>>>> d-connect/token
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Note:- I have created 2 clients -- i) bkofc-svc which is
>>>>>>>>>>>>>>> bearer only, for
>>>>>>>>>>>>>>> my REST services ii) bkofc-web , a public client to
>>>>>>>>>>>>>>> simulate UI login
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> However when I try to use the access token to invoke a
>>>>>>>>>>>>>>> service, I am
>>>>>>>>>>>>>>> getting the error -
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> WWW-Authenticate Bearer realm="bkofc", error="invalid_token",
>>>>>>>>>>>>>>> error_description="Didn't find publicKey for specified kid"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please let me know if I am missing something here. I have
>>>>>>>>>>>>>>> been breaking my
>>>>>>>>>>>>>>> head last few days without any luck ! I have also tried
>>>>>>>>>>>>>>> rotating the realm
>>>>>>>>>>>>>>> keys.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
More information about the keycloak-user
mailing list