How to verify a HS256 signed JWT Token created with Keycloak authentication provider on jwt.io
Asked Answered
U

3

8

I am trying to verify a HS256 JWT Token generated with locally ran KeyCloak Authentication Provider on https://jwt.io.

The KeyCloack instance is running on my local machine inside a docker container. I have applied almost the same steps as described in this answer (which on contrary applies the RS algorithm instead, and works as described): https://mcmap.net/q/347829/-generate-jwt-token-in-keycloak-and-get-public-key-to-verify-the-jwt-token-on-a-third-party-platform

My validation procedure is very simple:

1.) Request the token (with Postman) from my local docker KeyCloak instance with: POST requesting http://localhost:8080/auth/realms/dev/protocol/openid-connect/token

2.) Copy the token contents inside the jwt.io's "Encoded" section

3.) I verify that the header and payload are as expected and correct

4.) I copy the client secret from my KeyCloak instance admin dashboard, you can see the reference on the image below:

enter image description here

5.) I paste the secret into the "VERIFY SIGNATURE" section on jwt.io and the "Encoded" token section changes, hence resulting with an invalid signature and a invalid (i.e. different) token.

My core question is what am I missing here? Why does the token change when I apply the expected secret!? Am I applying the right secret, the one from the client? If I understand JWT infrastructre and standard correctly then It should stay the same if the secret (with the expected algorithm applied) is valid. My reasoning is that something with JWT creation on KeyCloak is specific. I have not touched the HS256 algorithm provider on KeyCloak, everything is used as default with the docker installation guide on using KeyCloak. The settings related to the token and algorithm are setup to use HS256, and the algorithm is specified as expected in the JWT's header section correctly which can be verified after the encoded token is pasted into the jwt.io's page.

I need this to work as I am trying to apply the same JWT validation process inside a .NET Core web API application. I have encountered this whole issue in there, i.e. inside the System.IdentityModel.Tokens.JWT and the JwtSecurityTokenHandle.ValidateSignature method which results with an invalid signature and finally resulting in an exception.

On side note, I am accessing the token with Postman and its Authorize feature the configuration can be seen on the image below:

enter image description here

One more side note is I have a user "John" which belongs to my "Demo" realm. I use him to request an access token from KeyCloak.

Ulrick answered 22/10, 2019 at 9:37 Comment(4)
could you please post a screenshot from jwt.io?Antiworld
Unfortunately no at the moment, but understand that what I am telling is exactly what happens, the encoded part totally changes like the secret key used by KeyCloak is totally different oneKnott
Did you resolve this? I also have the same problemOverseer
@Overseer I did not solve this, we shifted to using the defaults of KeyCloak and use its default OAuth2 setup with RSA but we copied the public RSA key and used it with BouncyCastle lib to verify JWTs.Knott
D
2

I'm so late, but I found solution. As mentioned above we need to get shared secret from db using the query

select cc.name, value
from component_config cc
join component c on(cc.component_id = c.id)
where c.realm_id = 'aac4c0b6-1ddb-4585-bcf4-992358118554'
  and provider_id = 'hmac-generated'
  and cc.name = 'secret';

After that we can decode secret using Base64Url.java from keycloak and parse jwt token

String secret = "OJPhbtj4iGhRRuWQ...";
String token = "eyJhbGciOiJIUzUxMiIsInR5...";

Claims body = Jwts.parser()
            .setSigningKey(Base64Url.decode(secret))
            .parseClaimsJws(token)
            .getBody();
Detumescence answered 3/4, 2024 at 21:41 Comment(0)
P
5

To get the secret used for signing/verifying HS256 tokens, try using the following SQL:

SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id) WHERE C.realm_id = '<realm-id-here>' and provider_id = 'hmac-generated' AND CC.name = 'secret';

If you use the resulting secret to verify the tokens, the signature should match. I’m not sure if this secret is available through the UI, probably not.

Source: https://keycloak.discourse.group/t/invalid-signature-with-hs256-token/3228/3

Philosophy answered 22/10, 2020 at 14:13 Comment(1)
Never answered you here, but the production service is RHSSO (which is an extension to KeyCloak), inside an OpenShift cluster, and I can not access its database just like that. But nevertheless, thanks for the hint.Knott
D
2

I'm so late, but I found solution. As mentioned above we need to get shared secret from db using the query

select cc.name, value
from component_config cc
join component c on(cc.component_id = c.id)
where c.realm_id = 'aac4c0b6-1ddb-4585-bcf4-992358118554'
  and provider_id = 'hmac-generated'
  and cc.name = 'secret';

After that we can decode secret using Base64Url.java from keycloak and parse jwt token

String secret = "OJPhbtj4iGhRRuWQ...";
String token = "eyJhbGciOiJIUzUxMiIsInR5...";

Claims body = Jwts.parser()
            .setSigningKey(Base64Url.decode(secret))
            .parseClaimsJws(token)
            .getBody();
Detumescence answered 3/4, 2024 at 21:41 Comment(0)
M
1

you can try using Keycloak Gatekeeper. If you want to verify that token in that way you need to change the Client Authenticator to "Signed JWT with client secret", otherwise you can use this "Gatekeeper" option. Here you can read more about it.

Mccloskey answered 22/5, 2020 at 19:19 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.