Details
Type: Bug
Status: Triage
Priority: Major
Resolution: Unresolved
Affects Version/s: 15.0.2
Fix Version/s: None
Component/s: None
Docs QE Status: NEW
QE Status: NEW
Description
I had some problems that took me quite some time to track down with client-authentication-type "Signed Jwt".
When using the private key in the attachment to create a token like the following:
eyJhbGciOiJQUzI1NiJ9.eyJzdWIiOiJnb2xkZmlzaC1yZXN0LWNsaWVudC1qd3QiLCJhdWQiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MVwvYXV0aFwvcmVhbG1zXC9nb2xkZmlzaCIsImlzcyI6ImdvbGRmaXNoLXJlc3QtY2xpZW50LWp3dCIsImV4cCI6MTYyOTU4NDc1MywiaWF0IjoxNjI5NTg0NDUzLCJqdGkiOiJkODdkNDJjZC02ZTNmLTRlMzktOTBkNS1jMGNmZDQyZDc5M2UifQ.PMc8y0leEmqPIwcqNyDNMleNGB-Es_R2FZkaGqVNGEE6b0mquPlsfu9W3cDR0pr_GbRfeZ3zmkjiuosSICbUU68M1d_uSMceDUL18RA803tt6r6mUvK23n9aoe-yx6iz2P8jogQKX9iXnVUOYSKHvyzy9wX95yQr5RTYJeQ1bMFeTfYRfPUP4fWinu0-Pg3eGQHbCotToZtFiz6fenAWwmRApInG8JdYklK1Z1bNlNl6GZr-WNbnjSgugp_Dk_reI9y4rOQAiKGF4FQmtLpd6oK6h_sB53e_XyohBzcvMmTnw7rv7kvftSLJE4i7OI8L8TJylNWxvtrUCEYcRc6i1g
I end up with an invalid signature validation. While debugging I noticed that Keycloak does not validate the signature with the algorithm from the JWS but with an algorithm that matches the key algorithm instead. In this specific case the JWS is signed with "PS256", but the appended key causes Keycloak to validate the signature with "RS256".
I tried several tools and also tested it with a Nimbus implementation. The signature validation should be successful with the attached key, but Keycloak is simply using the wrong signature algorithm to validate the signature here.
EDIT:
The password of the keystore and the key is "123456"
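The mismatch described in the report, reproduced as an added example (not Keycloak's code and not the reporter's token): a JWS is signed with PS256 (RSASSA-PSS) and then verified either with the header's "alg" or with a verifier that, as the report describes, derives the algorithm from the key type and so applies RS256 (RSASSA-PKCS1-v1_5). The constant keyTypeAlg and both functions are assumptions made for this illustration; the key is generated at run time rather than taken from the attachment.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// keyTypeAlg models the reported behaviour (an assumption, not Keycloak's code): RSA key -> RS256.
const keyTypeAlg = "RS256"

// RFC 7518 §3.5: PS256 is RSASSA-PSS with MGF1-SHA256 and salt length = hash length.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// signPS256 builds a compact JWS over claims, signed with PS256 as in the report.
func signPS256(priv *rsa.PrivateKey, claims map[string]string) (string, error) {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256"})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyWith checks the signature with the named alg. A correct verifier dispatches on the
// header's "alg" (after checking it is allowed for the key); the report describes keyTypeAlg.
func verifyWith(pub *rsa.PublicKey, jws, alg string) error {
	parts := strings.Split(jws, ".")
	sig, err := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	if err != nil || len(parts) != 3 {
		return errors.New("malformed compact JWS")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch alg {
	case "RS256": // RSASSA-PKCS1-v1_5 padding
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	case "PS256": // RSASSA-PSS padding
		return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts)
	}
	return errors.New("unsupported alg " + alg)
}
```

Verifying the same token with "PS256" succeeds while verifying it with keyTypeAlg fails, which is the symptom the report describes; a verifier should take the algorithm from the protected header and restrict it to the algorithms permitted for that key.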