Missing "mandatory" fields in JWKS leads to unhelpful RuntimeException

      Description

      Scenario

      • Use client-authentication with JWT authentication
      • The public key is provided through a JWKS

      Keycloak requires some properties to be present, e.g.

      • The "use" field
      • The "alg" field
        • note: see also KEYCLOAK-12299 for a fix for backwards compatibility for this property.

      When a client tries to authenticate with a JWT which is signed with a key that's found in the JWKS but is missing one of those fields, Keycloak will print the following log:
      15:57:13,776 ERROR [org.keycloak.services] (default task-1) KC-SERVICES0025: Error when validating client assertion: java.lang.RuntimeException: Signature on JWT token failed validation
      at org.keycloak.keycloak-services@8.0.0//org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.authenticateClient(JWTClientAuthenticator.java:136)
      at org.keycloak.keycloak-services@8.0.0//org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:70)
      at org.keycloak.keycloak-services@8.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:869)
      at org.keycloak.keycloak-services@8.0.0//org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:50)
      at org.keycloak.keycloak-services@8.0.0//org.keycloak.protocol.oidc.endpoints.TokenEndpoint.checkClient(TokenEndpoint.java:232)
      at org.keycloak.keycloak-services@8.0.0//org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:181)

      It makes it very hard for either the end-user or the Keycloak admin to figure out this is due to a property missing in the JWKS. (I had to use a debugger for this)
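An added example (not Keycloak's code) of the kind of pre-validation check that turns this opaque "Signature on JWT token failed validation" into an actionable message: it looks up the JWK by `kid` and reports which of the expected fields are absent, or whether the key's `alg`/`use` contradict the JWT header. The field list, the helper name `diagnose_jwks_key` and the sample JWKS are assumptions constructed for this example.

```python
import json

# Fields the report says Keycloak expects on each JWK ("use", "alg").
# "kty" and "kid" are added here as an assumption so key lookup can be explained too.
MANDATORY_FIELDS = ("kty", "kid", "use", "alg")

# Constructed sample JWKS: "good-key" is complete, "incomplete-key" lacks "use" and "alg".
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "good-key", "use": "sig", "alg": "RS256",
     "n": "sample-modulus", "e": "AQAB"},
    {"kty": "RSA", "kid": "incomplete-key", "n": "sample-modulus", "e": "AQAB"},
]})


def diagnose_jwks_key(jwks_json, kid, jwt_alg):
    """Explain why a JWT signed with key `kid` would be rejected against this JWKS.

    Returns a list of human-readable problems; an empty list means the key
    carries every expected field and is consistent with the JWT header's "alg".
    """
    try:
        keys = json.loads(jwks_json).get("keys", [])
    except (ValueError, AttributeError):
        return ["JWKS document is not a JSON object with a 'keys' array"]

    matches = [k for k in keys if k.get("kid") == kid]
    if not matches:
        return [f"no key with kid={kid!r} in JWKS ({len(keys)} key(s) present)"]
    key = matches[0]

    problems = []
    missing = [f for f in MANDATORY_FIELDS if f not in key]
    if missing:
        problems.append(f"key {kid!r} is missing mandatory field(s): {', '.join(missing)}")
    # A missing "use" is already reported above; only flag a present but wrong value.
    if key.get("use", "sig") != "sig":
        problems.append(f"key {kid!r} has use={key['use']!r}; signature keys need use='sig'")
    # Only compare "alg" when it is present; its absence is already reported above.
    if "alg" in key and key["alg"] != jwt_alg:
        problems.append(f"key {kid!r} has alg={key['alg']!r} but the JWT header says {jwt_alg!r}")
    return problems
```

Running the check against the client's JWKS before or alongside signature validation lets an admin see "missing mandatory field(s): use, alg" instead of a bare RuntimeException.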

              People

              • Reporter:
                mouse256 Tom Billiet