[keycloak-user] Where do I find the secret to verify a token

Dmitry Telegin dt at acutus.pro
Thu Dec 27 14:01:54 EST 2018


Hello Bruno,

For RSA (asymmetric), you can retrieve the public key from the Admin console (realm > Keys > RSA > Public key). Only the pubkey is needed for RSA signature verification.
For symmetric algorithms, namely AES and HMAC, you should use a direct SQL query:

SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id) WHERE provider_id = 'hmac-generated' AND CC.name = 'secret';

(similarly for 'aes-generated')

However, it seems that none of the online JWT debuggers, neither https://jsonwebtoken.io nor https://jwt.io, understand Keycloak's symmetric keys. The former simply fails every time, and the latter, instead of verifying the signature, simply regenerates it with the key supplied. I was only able to verify an RSA signature using https://jwt.io and the RSA pubkey retrieved from Keycloak. The only pitfall is that you need to enclose the pubkey in -----BEGIN RSA PUBLIC KEY----- and -----END RSA PUBLIC KEY-----.

As the online services do not seem to be very reliable, I'd suggest that you try using one of the many libraries to verify the token yourself.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-12-26 at 14:14 +0100, Bruno Mairlot wrote:

> Dear List Members,
> 
> I am working on implementing a Single Sign On with keycloak and I have
> implemented the Standard Flow, I can exchange the Authorization Grant to
> receive the tokens, but I cannot find a way to verify them.
> 
> Each time I try to check the token, classical tools like jwt.io or
> https://www.jsonwebtoken.io/ say the signature is incorrect.
> 
> I would like to know, which secret does Keycloak use to sign (with
> HS256) the tokens? And where can I find it?
> 
> I tried the client secret, but it seems wrong to me.
> 
> Many thanks for your help,
> 
> Cheers,
> 
> Bruno Mairlot
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
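
Added example (not part of the original message and not Keycloak's own code): verifying an HS256 token locally with only the Python standard library, as the reply suggests doing instead of relying on online debuggers. The thread does not say how the value returned by the SQL query maps to key bytes, so the hypothetical helper `which_key_form_verifies` tries it both as raw text and as base64url-decoded bytes; `sign_hs256` only builds a constructed sample token.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a constructed sample token (stands in for one issued by the server)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims if the HS256 signature checks out, else raise ValueError."""
    head_b64, body_b64, sig_b64 = token.split(".")  # ValueError unless 3 parts
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm: never let the token choose it ("none", RS256, ...).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{head_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant time
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body_b64))

def which_key_form_verifies(token: str, stored: str):
    """Try the stored secret as raw text and as base64url-decoded bytes (assumption)."""
    forms = {"raw-utf8": stored.encode("utf-8")}
    try:
        forms["base64url-decoded"] = b64url_decode(stored)
    except ValueError:
        pass  # the stored value is not valid base64url
    for label, key in forms.items():
        try:
            verify_hs256(token, key)
            return label
        except ValueError:
            continue
    return None
```

A valid signature is only the first check: the exp, iss and aud claims still have to be validated before the token is trusted.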

