  1. Keycloak
  2. KEYCLOAK-19094

JWT-profile signature validation fail

Details

    • Bug
    • Status: Triage
    • Major
    • Resolution: Unresolved
    • 15.0.2
    • None
    • Authorization Services
    • None
    • NEW
    • NEW

    Description

      I had some problems with client-authentication-type "Signed Jwt" that took me quite some time to track down.

      When using the private key in the attachment to create a token like the following

      eyJhbGciOiJQUzI1NiJ9.eyJzdWIiOiJnb2xkZmlzaC1yZXN0LWNsaWVudC1qd3QiLCJhdWQiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MVwvYXV0aFwvcmVhbG1zXC9nb2xkZmlzaCIsImlzcyI6ImdvbGRmaXNoLXJlc3QtY2xpZW50LWp3dCIsImV4cCI6MTYyOTU4NDc1MywiaWF0IjoxNjI5NTg0NDUzLCJqdGkiOiJkODdkNDJjZC02ZTNmLTRlMzktOTBkNS1jMGNmZDQyZDc5M2UifQ.PMc8y0leEmqPIwcqNyDNMleNGB-Es_R2FZkaGqVNGEE6b0mquPlsfu9W3cDR0pr_GbRfeZ3zmkjiuosSICbUU68M1d_uSMceDUL18RA803tt6r6mUvK23n9aoe-yx6iz2P8jogQKX9iXnVUOYSKHvyzy9wX95yQr5RTYJeQ1bMFeTfYRfPUP4fWinu0-Pg3eGQHbCotToZtFiz6fenAWwmRApInG8JdYklK1Z1bNlNl6GZr-WNbnjSgugp_Dk_reI9y4rOQAiKGF4FQmtLpd6oK6h_sB53e_XyohBzcvMmTnw7rv7kvftSLJE4i7OI8L8TJylNWxvtrUCEYcRc6i1g

      I end up with an invalid signature validation. While debugging I noticed that Keycloak does not validate the signature with the algorithm from the JWS but with an algorithm that matches the key-algorithm instead. In this specific case the JWS is signed with "PS256" but the appended key is causing Keycloak to validate the signature with "RS256".

      I tried several tools and also tested it with a nimbus implementation. The signature validation should be successful with the attached key. But Keycloak is simply using the wrong signature algorithm to validate the signature here.

       

      EDIT:

      The password of the keystore and the key is "123456"

          People

            Unassigned
            captain-p-goldfish Pascal Knüppel (Inactive)
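
The mismatch described in this report, reproduced as an added example (not Keycloak code and not the key attached to the issue): a JWS signed with PS256 verifies when the verifier takes the algorithm from the JWS header, and fails when RS256 is forced for the same RSA key. The names `signPS256`, `verify` and `demoKey`, and the payload, are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64, pss = base64.RawURLEncoding, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key constructed for this example

// signPS256 returns a compact JWS over a constructed payload, signed with RSASSA-PSS.
func signPS256(key *rsa.PrivateKey) (string, error) {
	in := b64.EncodeToString([]byte(`{"alg":"PS256"}`)) + "." + b64.EncodeToString([]byte(`{"sub":"demo"}`))
	d := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, d[:], pss)
	return in + "." + b64.EncodeToString(sig), err
}

// verify checks the signature with the header's alg, or with forced if it is non-empty.
func verify(token, forced string, pub *rsa.PublicKey) error {
	h := struct{ Alg string `json:"alg"` }{}
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return fmt.Errorf("not a compact JWS")
	}
	hdr, _ := b64.DecodeString(p[0]) // an unreadable header leaves Alg empty and is rejected below
	sig, _ := b64.DecodeString(p[2]) // an unreadable signature simply fails verification
	if json.Unmarshal(hdr, &h); forced != "" {
		h.Alg = forced // models picking the algorithm from the key instead of the JWS
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	switch h.Alg { // allow-list: any other alg value is rejected
	case "RS256": // RSASSA-PKCS1-v1_5
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
	case "PS256": // RSASSA-PSS, salt length equal to the hash length
		return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, pss)
	}
	return fmt.Errorf("alg %q not allowed", h.Alg)
}

func main() {
	tok, _ := signPS256(demoKey)
	fmt.Println(verify(tok, "", &demoKey.PublicKey), verify(tok, "RS256", &demoKey.PublicKey))
}
```

The header's `alg` is only honoured if it is on the verifier's allow-list, so reading it from the token does not let the sender pick an arbitrary algorithm.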