Keycloak invalid_token 没有找到指定孩子的公钥 [英] Keycloak invalid_token Didn't find publicKey for specified kid

问题描述

我正在使用 keycloak 来保护我的休息服务并且我能够获得令牌，但是当我使用这个令牌来获得我的休息服务响应时，出现以下错误:

HTTP/1.1 401 未授权缓存控制:无缓存、无存储、必须重新验证、私有X-Powered-By: Undertow/1X-XSS-保护:1；模式=块服务器:WildFly/11X-Frame-Options: SAMEORIGIN日期:2019 年 1 月 30 日，星期三 07:42:45 GMT连接:保持连接WWW-Authenticate: Bearer realm="demorealm", error="invalid_token", error_description="没有找到指定孩子的公钥"X-Content-Type-Options: nosniff内容类型:文本/html；字符集=UTF-8内容长度:71<html><head><title>错误</title></head><body>未授权</body></html>

我按照以下链接操作，但没有得到解决此问题的任何输出.

keycloak 不记名令牌错误 - 未找到指定孩子的公钥

没有找到孩子的公钥，Keycloak?

编辑 1 -

根据使用以下命令正确生成详细令牌

curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://<IP-ADDRESS>/auth/realms/apirealm/protocol/openid-connect/token' --data 'username=cwlcadmin&password=password@123&client_id=api-client-id&grant_type=password&client_secret=a682049d-587c-4c38-a594-814f08b0ca23_amp;a@1= api-client-id

但是当使用这个令牌命中rest-api时，上面声明异常来了

<预> <代码>卷曲-X GET -k -H授权:承载eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeVlweXZtQU9Sc2RtNXlibWNqWUVSRUxJTnVFR2RNOThDeFVMSmdUTHFvIn0.eyJqdGkiOiJkZWQ4YzAzNC02NDM2LTRmNDAtYjZlNC0zYTI3MzcyNDJkODYiLCJleHAiOjE1NDg4NDUzMTQsIm5iZiI6MCwiaWF0IjoxNTQ4ODQzNTE0LCJpc3MiOiJodHRwczovLzEwLjUzLjIwMS4yMDcvYXV0aC9yZWFsbXMvYXBpcmVhbG0iLCJhdWQiOiJhcGktY2xpZW50LWlkIiwic3ViIjoiZjo4OWYzMDE0MC1kNTBjLTQ4ZjMtODIyYi02YmM1YTFkYjM3Yzg6MSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFwaS1jbGllbnQtaWQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiI0MWY4ZDU0MS1iZWQxLTQ4MjktOTM4ZC0xNjUxYmZlNzFkZTYiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vMTAuNTMuMjAxLjIwNyJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfSwiYXBpLWNsaWVudC1pZCI6eyJyb2xlcyI6WyJyZXN0Il19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoicHEvSmJRPT0gaEp6b1J5QT0iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJjd2xjYWRtaW4iLCJnaXZlbl9uYW1lIjoicHEvSmJRPT0iLCJmYW1pbHlfbmFtZSI6ImhKem9SeUE9IiwiZW1haWwiOiJ0NWZxV2c3TjF3aUVWaGIxVlEwPSJ9.mPVPVdoRpwXU5Im9E8tlLz3DMrM8NrJ-oRiRZL0hceaszU0H58ca2HKhrtncY2WzCxidcuPPxb1fIh3XNR7C-Q-ifOS4VaIbAbH3pAehmhuBqu0gq3LAfVw8vBWVClVP1iKtPOz4cGeKqGQpKRRO1f8epSihVnRe3NWk1WVaD63jexc0EqawZpY-DqH1VDf5xpz8BY4UUqAAfAq0X6kZ7kBoqoiHFofS5eZJHx1mbN-N6qiCwGSwXP-V6JucoBygmqVDkoNCS9Ebx9DyQlXHStSd_KGbCLeIgMlYVPB8vsUy55IcrZGNJWVFsWcvudqTXwW2Tg8BBq-tsFkVuABs5w '-H '内容 - 类型:应用/JSON' -i的' https://< IP-地址>/API/V2/0/区'

仅供参考 - 使用 Wildfly 和由 Wildfly 提供的负载均衡器

解决方案

最后经过几天的努力，我们能够解决问题，并且 Wildfly 服务器中添加的子系统问题，应该是这样的

<secure-deployment name="sure-admin-web.war"><realm>Realm_Name</realm><resource>CLIENT_APP</resource><use-resource-role-mappings>true</use-resource-role-mappings><auth-server-url>https://<KEYCLOAK-IP>:8666/auth/</auth-server-url><ssl-required>NONE</ssl-required><credential name="secret">7df18c0d-d4c7-47b1-b959-af972684dab0</credential></安全部署></子系统>

在我们的例子中，我们错过了 NONE 并且在 中我们添加了错误的负载-平衡器网址，而它应该是 Keycloak 网址.

仅供参考 - 负载均衡器在 HTTPS 上工作，而 keycloak 在 http

上运行

I am using keycloak to secure my rest service and I am able to get the token , but when I am using this token for to get my rest service response, getting following error:

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate, private
X-Powered-By: Undertow/1
X-XSS-Protection: 1; mode=block
Server: WildFly/11
X-Frame-Options: SAMEORIGIN
Date: Wed, 30 Jan 2019 07:42:45 GMT
Connection: keep-alive
WWW-Authenticate: Bearer realm="demorealm", error="invalid_token", error_description="Didn't find publicKey for specified kid"
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Content-Length: 71
<html><head><title>Error</title></head><body>Unauthorized</body></html>

I followed below links but didn't get any output to solve this problem.

keycloak bearer token error - Didn't find publicKey for specified kid

Didn't find publicKey for kid ,Keycloak?

Edit 1 -

As per the detail token is properly generating with following command

curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://<IP-ADDRESS>/auth/realms/apirealm/protocol/openid-connect/token' --data 'username=cwlcadmin&password=password@123&client_id=api-client-id&grant_type=password&client_secret=a682049d-587c-4c38-a594-814f08b0ca76'a@123&client_id=api-client-id

But when using this token hitting to rest-api,above declare exception is coming

curl -X GET -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeVlweXZtQU9Sc2RtNXlibWNqWUVSRUxJTnVFR2RNOThDeFVMSmdUTHFvIn0.eyJqdGkiOiJkZWQ4YzAzNC02NDM2LTRmNDAtYjZlNC0zYTI3MzcyNDJkODYiLCJleHAiOjE1NDg4NDUzMTQsIm5iZiI6MCwiaWF0IjoxNTQ4ODQzNTE0LCJpc3MiOiJodHRwczovLzEwLjUzLjIwMS4yMDcvYXV0aC9yZWFsbXMvYXBpcmVhbG0iLCJhdWQiOiJhcGktY2xpZW50LWlkIiwic3ViIjoiZjo4OWYzMDE0MC1kNTBjLTQ4ZjMtODIyYi02YmM1YTFkYjM3Yzg6MSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFwaS1jbGllbnQtaWQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiI0MWY4ZDU0MS1iZWQxLTQ4MjktOTM4ZC0xNjUxYmZlNzFkZTYiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vMTAuNTMuMjAxLjIwNyJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfSwiYXBpLWNsaWVudC1pZCI6eyJyb2xlcyI6WyJyZXN0Il19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoicHEvSmJRPT0gaEp6b1J5QT0iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJjd2xjYWRtaW4iLCJnaXZlbl9uYW1lIjoicHEvSmJRPT0iLCJmYW1pbHlfbmFtZSI6ImhKem9SeUE9IiwiZW1haWwiOiJ0NWZxV2c3TjF3aUVWaGIxVlEwPSJ9.mPVPVdoRpwXU5Im9E8tlLz3DMrM8NrJ-oRiRZL0hceaszU0H58ca2HKhrtncY2WzCxidcuPPxb1fIh3XNR7C-Q-ifOS4VaIbAbH3pAehmhuBqu0gq3LAfVw8vBWVClVP1iKtPOz4cGeKqGQpKRRO1f8epSihVnRe3NWk1WVaD63jexc0EqawZpY-DqH1VDf5xpz8BY4UUqAAfAq0X6kZ7kBoqoiHFofS5eZJHx1mbN-N6qiCwGSwXP-V6JucoBygmqVDkoNCS9Ebx9DyQlXHStSd_KGbCLeIgMlYVPB8vsUy55IcrZGNJWVFsWcvudqTXwW2Tg8BBq-tsFkVuABs5w' -H 'Content-Type: application/json' -i 'https://<IP-ADDRESS>/api/v2/0/zones'

FYI - Using Wildfly and Load-balancer also which is provided by Wildfly

解决方案

At last after couple of days struggle we are able to resolve the issue and issue with the Subsystem added in Wildfly server ,it should be like this

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
            <secure-deployment name="sure-admin-web.war">
                <realm>Realm_Name</realm>
                <resource>CLIENT_APP</resource>
                <use-resource-role-mappings>true</use-resource-role-mappings>
                <auth-server-url>https://<KEYCLOAK-IP>:8666/auth/</auth-server-url>
                <ssl-required>NONE</ssl-required>
                <credential name="secret">7df18c0d-d4c7-47b1-b959-af972684dab0</credential>
            </secure-deployment>
        </subsystem>

in our case we missed <ssl-required>NONE</ssl-required> and in <auth-server-url> we added wrong load-balancer url while it should be Keycloak URL.

FYI - Load-Balancer in working on HTTPS while keycloak running on http

这篇关于Keycloak invalid_token 没有找到指定孩子的公钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！