
Unable to verify Keycloak generated JWTs signed with ES256

I'm trying to use Keycloak as an OpenID provider. Because of compliance reasons I cannot use RSA and must use ECDSA keys to sign the tokens. I'm using ES256 to sign the tokens generated by Keycloak.

I've created a simple ASP.NET Core server that requires authentication for all controllers. This is an example of the Startup.cs file:

// using directives added so the snippet compiles as a stand-alone ASP.NET Core 2.1 Startup class
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Logging;

public class Startup
{
   public Startup(IConfiguration configuration)
   {
      Configuration = configuration;
   }

   public IConfiguration Configuration { get; }

   // This method gets called by the runtime. Use this method to add services to the container.
   public void ConfigureServices(IServiceCollection services)
   {
      // Includes token contents in IdentityModel exception messages; useful for debugging, not for production.
      IdentityModelEventSource.ShowPII = true;
      services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

      services.AddAuthentication(options => {
         options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
         options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
      })
      .AddJwtBearer(options => {
         options.RequireHttpsMetadata = false;
         // The OpenID Connect discovery document and JWKS (signing keys) are fetched from this issuer.
         options.Authority = "[keycloak address]";
         // Must match the "aud" claim Keycloak puts in the access token.
         options.Audience = "hello";
      });

      // DebugAuthorizationHandler is the poster's own handler, defined elsewhere in the project.
      services.AddSingleton<IAuthorizationHandler, DebugAuthorizationHandler>();
   }

   // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
   public void Configure(IApplicationBuilder app, IHostingEnvironment env)
   {
      if (env.IsDevelopment())
      {
         app.UseDeveloperExceptionPage();
      }

      app.UseAuthentication();
      app.UseMvc();
   }
}

I also have a client that performs authentication with Keycloak, receives the access token, and then calls the ASP.NET Core server with the access token.

The call fails in the server with the following error code:

info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1] Failed to validate the token.

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed.

The same code succeeds when using RS256 to sign the tokens.

Has anyone experienced a similar issue?

After digging further into the issue, it looks like Keycloak does not return the JWT signature in a standard way.

They currently have an open issue about it.

For more info look here
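The answer above says only that the signature is not in "a standard way". What the JWS standard requires is concrete: RFC 7518 section 3.4 defines the ES256 signature as the raw concatenation R || S, each coordinate 32 bytes big-endian, so the base64url-decoded third segment must be exactly 64 bytes. A validator such as Microsoft.IdentityModel rejects anything else with a generic signature failure, which is why the error on this page gives no hint about encoding. The script below is an added diagnostic, not code from the question, from the answer, or from Keycloak. It decodes a compact JWS, reports whether the signature is raw R || S, and assumes the other encoding worth recognising is an ASN.1 DER ECDSA-Sig-Value (SEQUENCE of two INTEGERs), the format most crypto libraries emit by default; it offers a DER-to-raw conversion so the token can be tested against the issuer's JWKS key with a standard verifier. The sample token, keys and r/s values are constructed for the example, not taken from a real Keycloak deployment.

```python
"""Diagnose the signature encoding of an ES256 JWT (added example, not the page's code).

RFC 7518 section 3.4: the JWS signature for ES256 is R || S, 32 bytes each, 64 bytes total.
A DER-encoded ECDSA-Sig-Value (SEQUENCE { INTEGER r, INTEGER s }) is the common deviation.
Standard library only; no real keys or tokens are used.
"""
import base64

ES256_COORD_LEN = 32  # size of a P-256 field element in bytes


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without padding, as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _read_der_length(buf: bytes, pos: int):
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    nbytes = first & 0x7F                 # long form: number of length bytes
    if nbytes == 0 or nbytes > 2:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def _read_der_integer(buf: bytes, pos: int):
    if buf[pos:pos + 1] != b"\x02":
        raise ValueError("expected DER INTEGER")
    length, pos = _read_der_length(buf, pos + 1)
    value = int.from_bytes(buf[pos:pos + length], "big", signed=True)
    if value < 0:
        raise ValueError("negative integer in ECDSA-Sig-Value")
    return value, pos + length


def der_to_raw(der: bytes, coord_len: int = ES256_COORD_LEN) -> bytes:
    """Convert a DER ECDSA-Sig-Value to the fixed-width R || S form JWS requires."""
    if der[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    seq_len, pos = _read_der_length(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("DER SEQUENCE length does not match input")
    r, pos = _read_der_integer(der, pos)
    s, pos = _read_der_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after ECDSA-Sig-Value")
    return r.to_bytes(coord_len, "big") + s.to_bytes(coord_len, "big")


def _der_integer(value: int) -> bytes:
    # Minimal two's-complement body: a leading 0x00 is added when the top bit is set.
    body = value.to_bytes((value.bit_length() + 8) // 8 or 1, "big")
    return b"\x02" + bytes([len(body)]) + body


def raw_to_der(raw: bytes, coord_len: int = ES256_COORD_LEN) -> bytes:
    """Inverse of der_to_raw; used here to build constructed test vectors."""
    if len(raw) != 2 * coord_len:
        raise ValueError("raw signature must be exactly 2 * coord_len bytes")
    r = int.from_bytes(raw[:coord_len], "big")
    s = int.from_bytes(raw[coord_len:], "big")
    body = _der_integer(r) + _der_integer(s)
    return b"\x30" + bytes([len(body)]) + body   # body < 128 bytes for P-256, short-form length


def classify_signature(sig: bytes, coord_len: int = ES256_COORD_LEN) -> str:
    """'raw' (JWS-compliant), 'der', or 'unknown'. Length is checked first because JWS mandates it."""
    if len(sig) == 2 * coord_len:
        return "raw"
    if sig[:1] == b"\x30":
        try:
            der_to_raw(sig, coord_len)
            return "der"
        except ValueError:
            pass
    return "unknown"


def diagnose_jwt(token: str) -> dict:
    """Report the signature encoding of a compact JWS and, for DER, a re-encoded token.

    Re-encoding changes only the serialisation of (r, s); the token must still verify
    against the issuer's JWKS key, so nothing about validation is relaxed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    sig = b64url_decode(parts[2])
    kind = classify_signature(sig)
    result = {"encoding": kind, "length": len(sig), "jws_compliant": kind == "raw"}
    if kind == "der":
        result["normalized_token"] = ".".join([parts[0], parts[1], b64url_encode(der_to_raw(sig))])
    return result


if __name__ == "__main__":
    # Constructed sample: header and payload are placeholders, r = 1 and s = 2 stand in for a real signature.
    der_sig = raw_to_der((1).to_bytes(32, "big") + (2).to_bytes(32, "big"))
    sample = ".".join([b64url_encode(b'{"alg":"ES256","typ":"JWT"}'),
                       b64url_encode(b'{"sub":"constructed"}'),
                       b64url_encode(der_sig)])
    print(diagnose_jwt(sample))
```

Run it against a token captured from the client (the third segment only is inspected, so it works on expired tokens too). If the report says "der", the fix belongs at the issuer, which is what the linked Keycloak issue tracks; the normalized token is for confirming that the same key verifies once the encoding is corrected, not for loosening the server's validation.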
