英文:
Java offline validation of JWT access token from Keycloak
问题
以下是翻译好的部分:
从Keycloak获取已签名的JWT令牌,地址为:http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token:
{"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqQThGdzdhRk1rTGhGc2......","expires_in": 300,"refresh_expires_in": 1800,"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzMWRjZTBjNS01MGU0LTQxZjMtODAxNC1kMTcyMjdk....","token_type": "bearer","not-before-policy": 0,"session_state": "bd1728eb-ceda-43cf-a6e6-d637ba0da5e3","scope": "email profile"}
因此,访问令牌为:
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqQThGdzdhRk1rTGhGc2......
我从Keycloak查询:http://localhost:8080/auth/realms/Myrealm/:
{"realm": "MyRealm","public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......","token-service": "http://localhost:8080/auth/realms/Myrealm/protocol/openid-connect","account-service": "http://localhost:8080/auth/realms/Myrealm/account","tokens-not-before": 0}
因此,公钥为:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......
现在我正在尝试进行离线验证,代码如下:
import java.security.KeyFactory;import java.security.spec.X509EncodedKeySpec;import java.security.PublicKey;String keyFromKeycloak = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......";byte[] bytes = keyFromKeycloak.getBytes();KeyFactory factory = KeyFactory.getInstance("RSA");X509EncodedKeySpec encodedKeySpec = new X509EncodedKeySpec(bytes);PublicKey pk = factory.generatePublic(encodedKeySpec);
但是我遇到了无效密钥的异常:
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key formatat java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:239)at java.base/java.security.KeyFactory.generatePublic(KeyFactory.java:352)Caused by: java.security.InvalidKeyException: invalid key formatat java.base/sun.security.x509.X509Key.decode(X509Key.java:386)at java.base/sun.security.x509.X509Key.decode(X509Key.java:401)at java.base/sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:122)at java.base/sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:330)at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:235)... 3 more
我需要PublicKey对象以便验证访问令牌,代码如下:
Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) pk,null);JWTVerifier verifier = JWT.require(algorithm).build();DecodedJWT jwt = verifier.verify(token);
出了什么问题?我看到很多示例中都使用了这段代码,所以我怀疑问题可能出在密钥本身上。
英文:
I get a signed JWT token from Keycloak http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token:
{"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqQThGdzdhRk1rTGhGc2......","expires_in": 300,"refresh_expires_in": 1800,"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzMWRjZTBjNS01MGU0LTQxZjMtODAxNC1kMTcyMjdk....","token_type": "bearer","not-before-policy": 0,"session_state": "bd1728eb-ceda-43cf-a6e6-d637ba0da5e3","scope": "email profile"}
So the access token is:
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqQThGdzdhRk1rTGhGc2......
I query Keycloak for http://localhost:8080/auth/realms/Myrealm/:
{"realm": "MyRealm","public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......","token-service": "http://localhost:8080/auth/realms/Myrealm/protocol/openid-connect","account-service": "http://localhost:8080/auth/realms/Myrealm/account","tokens-not-before": 0}
So the public key is:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......
Now I'm trying to do an offline validation as follows:
import java.security.KeyFactory;import java.security.spec.X509EncodedKeySpec;import java.security.PublicKey;String keyFromKeycloak = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......";byte[] bytes = keyFromKeycloak.getBytes();KeyFactory factory = KeyFactory.getInstance("RSA");X509EncodedKeySpec encodedKeySpec = new X509EncodedKeySpec(bytes);PublicKey pk = factory.generatePublic(encodedKeySpec);
But I get an exception for invalid key:
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key formatat java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:239)at java.base/java.security.KeyFactory.generatePublic(KeyFactory.java:352)Caused by: java.security.InvalidKeyException: invalid key formatat java.base/sun.security.x509.X509Key.decode(X509Key.java:386)at java.base/sun.security.x509.X509Key.decode(X509Key.java:401)at java.base/sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:122)at java.base/sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:330)at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:235)... 3 more
I need the PublicKey object in order to validate the access token as follows:
Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) pk,null);JWTVerifier verifier = JWT.require(algorithm).build();DecodedJWT jwt = verifier.verify(token);
What is wrong? I see a lot the examples with this code so I suspect the problem is with the key itself.
答案1
得分: 4
你的keyFromKeycloak字符串是一个经过Base64编码的DER SubjectPublicKeyInfo。你应该先对其进行解码,然后将其传递给X509EncodedKeySpec构造函数:
String keyFromKeycloak = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......";byte[] keyBytes = Base64.getDecoder().decode(keyFromKeycloak);X509EncodedKeySpec encodedKeySpec = new X509EncodedKeySpec(keyBytes);
英文:
Your keyFromKeycloak String is a Base64 encoded DER SubjectPublicKeyInfo. You should first decode it and then pass it to the X509EncodedKeySpec constructor :
String keyFromKeycloak = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKQF8ewcJ/pDzhgzbTfFCoS1FLjZyO5z7CbmeWl.......";byte[] keyBytes = Base64.getDecoder().decode(keyFromKeycloak);X509EncodedKeySpec encodedKeySpec = new X509EncodedKeySpec(keyBytes);
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论