
I'm configuring an external identity provider in my Keycloak instance and trying to get it to validate the tokens using an external JWKS URL. Using the converted PEM from JWKS works fine, but using the URL is not working.

The token validation fails upon login with the following message:

[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-4) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: token signature validation failed

I debugged the Keycloak server to learn more about the problem and found a "problem" in class JWKSUtils:

// Imports added for context; the excerpt below elides them (package names as in Keycloak 7.x/8.x).
import java.util.HashMap;
import java.util.Map;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.JWKParser;

/**
 * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
 */
public class JWKSUtils {
    //...
    public static Map<String, KeyWrapper> getKeyWrappersForUse(JSONWebKeySet keySet, JWK.Use requestedUse) {
        Map<String, KeyWrapper> result = new HashMap<>();
        for (JWK jwk : keySet.getKeys()) {
            JWKParser parser = JWKParser.create(jwk);
            // jwk.getPublicKeyUse() is the JWK "use" member; it is dereferenced
            // unconditionally, so a key without "use" throws NullPointerException here.
            if (jwk.getPublicKeyUse().equals(requestedUse.asString()) && parser.isKeyTypeSupported(jwk.getKeyType())) {
                KeyWrapper keyWrapper = new KeyWrapper();
                keyWrapper.setKid(jwk.getKeyId());
                keyWrapper.setAlgorithm(jwk.getAlgorithm());
                keyWrapper.setType(jwk.getKeyType());
                keyWrapper.setUse(getKeyUse(jwk.getPublicKeyUse()));
                keyWrapper.setVerifyKey(parser.toPublicKey());
                result.put(keyWrapper.getKid(), keyWrapper);
            }
        }
        return result;
    }
    //...
}

The if check fails with a NullPointerException because the call jwk.getPublicKeyUse() returns null.

But I found out that it's null because the JWKS URL returns a single key without the "use" attribute, which is optional according to the specification. [https://www.rfc-editor.org/rfc/rfc7517#section-4.2]

Keycloak only accepts JWKS URLs that return all keys with the "use" attribute defined. But the IdP I'm trying to connect to does not return that attribute in the key.

Given that situation, to whom should I file an issue, the IdP or Keycloak? Or is there something I'm doing wrong in the configuration?

As a workaround, I created a custom endpoint on my Keycloak instance that requests the IdP JWKS, adds the missing attribute and responds with the new JWKS built. It solved the problem, but did not answer the original question. – Daniel Lemos de Morais Nov 20 '19 at 15:14
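The selection rule from JWKSUtils and the workaround described in the comment above, as an added example in Python. It is not Keycloak code and not the asker's endpoint. It reproduces the "use" check in Python so the failure on a key without "use" is visible, then implements the proxy idea: fetch the IdP JWKS, fill in the missing "use" (and, if the operator knows it, "alg") without overriding anything the IdP did publish, and serve the result. The JWKS documents, kid values and the upstream URL are constructed for the example; the set of supported key types is an assumption about the Keycloak version in the question.

```python
"""JWKS normalisation proxy: make an upstream JWKS acceptable to Keycloak.

Added example, not Keycloak's code. All key material below is constructed
and not real; the upstream URL is a placeholder.
"""
import json
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Assumption: key types JWKParser.isKeyTypeSupported accepted at the time.
SUPPORTED_KTY = {"RSA", "EC"}

# Constructed sample of what the IdP's JWKS endpoint returns: one RSA key
# with neither "use" nor "alg" (both optional per RFC 7517).
UPSTREAM_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "idp-key-1", "n": "constructed-modulus", "e": "AQAB"},
    ]
}
# Constructed edge cases: an encryption key and a key with a published alg.
ENC_KEY_JWKS = {"keys": [{"kty": "RSA", "kid": "idp-enc-1", "use": "enc", "n": "x", "e": "AQAB"}]}
PS256_JWKS = {"keys": [{"kty": "RSA", "kid": "idp-ps-1", "alg": "PS256", "n": "x", "e": "AQAB"}]}


def select_verification_keys(jwks: dict, requested_use: str = "sig") -> dict:
    """Python mirror of JWKSUtils.getKeyWrappersForUse: kid -> JWK for keys
    whose "use" matches. Like the Java code it assumes "use" is present; a
    key without it raises (the Java code throws NullPointerException)."""
    result = {}
    for jwk in jwks["keys"]:
        use = jwk.get("use")
        if use is None:
            raise ValueError(f"kid={jwk.get('kid')!r}: no 'use' member")
        if use == requested_use and jwk.get("kty") in SUPPORTED_KTY:
            result[jwk.get("kid")] = jwk
    return result


def keycloak_would_accept(jwks: dict) -> bool:
    """True if the Keycloak-style selection succeeds and yields a key."""
    try:
        return bool(select_verification_keys(jwks))
    except ValueError:
        return False


def normalize_jwks(upstream: dict, use: str = "sig", alg: Optional[str] = None) -> dict:
    """The workaround: copy the upstream JWKS, adding "use" (and "alg" when
    the operator supplies the algorithm the IdP documents) to keys that lack
    them. It only fills gaps: a key whose published "use" or "alg" differs
    from what the broker expects is dropped rather than relabelled, so an
    encryption key or an unexpected algorithm never becomes a signing key."""
    out = []
    for jwk in upstream.get("keys", []):
        key = dict(jwk)
        if key.get("kty") not in SUPPORTED_KTY:
            continue  # Keycloak could not use it anyway
        if key.setdefault("use", use) != use:
            continue  # e.g. "enc": not a verification key
        if alg is not None and key.setdefault("alg", alg) != alg:
            continue  # IdP says another algorithm than configured
        out.append(key)
    return {"keys": out}


def build_proxy_handler(upstream_url: str, alg: Optional[str]):
    """HTTP handler serving the normalised JWKS. urlopen validates the
    upstream certificate by default; keep it that way, since this proxy is
    now the broker's trust anchor."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            with urllib.request.urlopen(upstream_url, timeout=5) as resp:
                body = normalize_jwks(json.load(resp), alg=alg)
            data = json.dumps(body).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
    return Handler


if __name__ == "__main__":
    # Placeholder upstream URL and algorithm; point Keycloak's JWKS URL at
    # http://127.0.0.1:8089/ (behind TLS in any real deployment).
    handler = build_proxy_handler("https://idp.example/.well-known/jwks.json", "RS256")
    HTTPServer(("127.0.0.1", 8089), handler).serve_forever()
```

Running the module starts the proxy; the functions can also be imported and called directly. The proxy replaces the IdP as the thing the broker trusts for keys, so it must be reachable only over TLS and must fetch the IdP only over TLS; "alg" should be set from the IdP's documentation, not guessed from the key type.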

1 Answer

I filed an issue with Keycloak about this exact problem in August 2019.

Their answer:

Consuming keys without validating alg and use is dangerous as such Keycloak requires these to be present.

In my case, I contacted the IdP and they were able to populate the "use" parameter. If that is not an option, then you're pretty much stuck with your workaround.

Phil Brown