来自 Keycloak 的 JWT 访问令牌的 Java 离线验证
[英]Java offline validation of JWT access token from Keycloak
问题描述
我从 Keycloak http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token得到一个签名的 JWT http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token :
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqQThGdzdhRk1rTGhGc2......",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzMWRjZTBjNS01MGU0LTQxZjMtODAxNC1kMTcyMjdk....",
"token_type": "bearer",
"not-before-policy": 0,
"session_state": "bd1728eb-ceda-43cf-a6e6-d637ba0da5e3",
"scope": "email profile"
}
所以访问令牌是:
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqQThGdzdhRk1rTGhGc2......
我为http://localhost:8080/auth/realms/Myrealm/查询 Keycloak:
{
"realm": "MyRealm",
"public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......",
"token-service": "http://localhost:8080/auth/realms/Myrealm/protocol/openid-connect",
"account-service": "http://localhost:8080/auth/realms/Myrealm/account",
"tokens-not-before": 0
}
所以公钥是:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......
现在我正在尝试进行如下离线验证:
import java.security.KeyFactory;
import java.security.spec.X509EncodedKeySpec;
import java.security.PublicKey;
String keyFromKeycloak = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......";
byte[] bytes = keyFromKeycloak.getBytes();
KeyFactory factory = KeyFactory.getInstance("RSA");
X509EncodedKeySpec encodedKeySpec = new X509EncodedKeySpec(bytes);
PublicKey pk = factory.generatePublic(encodedKeySpec);
但我收到无效密钥的例外:
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key format
at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:239)
at java.base/java.security.KeyFactory.generatePublic(KeyFactory.java:352)
Caused by: java.security.InvalidKeyException: invalid key format
at java.base/sun.security.x509.X509Key.decode(X509Key.java:386)
at java.base/sun.security.x509.X509Key.decode(X509Key.java:401)
at java.base/sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:122)
at java.base/sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:330)
at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:235)
... 3 more
我需要 PublicKey 对象来验证访问令牌,如下所示:
Algorithm algorithm = Algorithm.RSA256(
(RSAPublicKey) pk,
null);
JWTVerifier verifier = JWT.require(algorithm).build();
DecodedJWT jwt = verifier.verify(token);
怎么了? 我看到很多带有此代码的示例,因此我怀疑问题出在密钥本身上。
1 个解决方案
解决方案1
2 已采纳 2020-09-24 11:30:38
您的keyFromKeycloak字符串是 Base64 编码的 DER SubjectPublicKeyInfo。 您应该首先对其进行解码,然后将其传递给X509EncodedKeySpec构造函数:
String keyFromKeycloak = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......";
byte[] keyBytes = Base64.getDecoder().decode(keyFromKeycloak);
X509EncodedKeySpec encodedKeySpec = new X509EncodedKeySpec(keyBytes);
如何通过 Java/Kotlin 从 KeyCloak 请求 JWT 令牌 API
[英]How to request JWT Token from KeyCloak via Java/Kotlin API
使用 Java Spring Security + KC 适配器的 Keycloak JWT 验证
[英]Keycloak JWT Validation using Java Spring Security + KC Adapter
使用来自 Keycloak 社交登录的访问令牌在 Java 中消费 Google API
[英]Use access token from Keycloak social login to consume Google API in Java
Keycloak 错误的令牌响应,当用户没有 offline_access 角色时错误=not_allowed
[英]Keycloak Bad token response, error=not_allowed when user doesn't have the offline_access role
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
带有 Java 的 keycloak 离线令牌
如何通过 Java/Kotlin 从 KeyCloak 请求 JWT 令牌 API
使用 Java Spring Security + KC 适配器的 Keycloak JWT 验证
使用 java 创建刷新和访问令牌 jwt
使用来自 Keycloak 社交登录的访问令牌在 Java 中消费 Google API
密钥访问令牌
从 SAMLAuthenticationToken 创建 JWT 访问令牌
Keycloak 错误的令牌响应,当用户没有 offline_access 角色时错误=not_allowed
KeyCloak用户验证和获取令牌
Java 从 JWT 令牌中获取主题
相关标签