Reputation: 1706
I am getting this exception "Didn't find publicKey for kid" while calling an endpoint from Angular JS 2 to the WildFly server.
Authentication happened in Keycloak; however, I am calling about 8 endpoints from different clients (different microservices) within the same realm using the same token, but I got this exception only for this microservice call.
I am sure that the user has all roles for all clients. I also decoded the token on JWT to verify that.
Sometimes it works and sometimes not! This is the exception stack trace:
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90)
at sun.security.validator.Validator.getInstance(Validator.java:179)
at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
... 55 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88)
... 67 more
2017-06-09 00:33:35,994 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier] (default task-445) Didn't find publicKey for kid: QSm64gYAxG5-5Lt5r-T2dqQmHb8KKJ2dL3h_3Y8zXBE
2017-06-09 00:33:35,994 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-445) Failed to verify token: org.keycloak.common.VerificationException: Didn't find publicKey for specified kid
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:47)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:67)
at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Upvotes: 27
Views: 50070
Reputation: 376
In my case, the authentication error occurred because I put the staging server token. The error disappeared when I applied the token in the production environment. There is a high possibility that it is a problem with the issued JWT token.
Upvotes: 0
Reputation: 6950
In my case this problem was being caused by old browser tabs or windows. More specifically, I often restart my application without closing the tab/window which was running the front end. As a result the new instance of the application running a new instance of Keycloak opens a new browser tab but keeps receiving requests from the old tab/window which yields the old bearer token. The error stops appearing in the logs once those tabs and windows are closed. Although this is trivial it is quite easy to miss.
Upvotes: 0
Reputation: 794
This could also be caused by using the wrong token for authentication.
The ID token is signed with HS256 (HMAC), while the access token uses RS256 (RSA). Using the ID token instead of the access token can cause the error message above.
Upvotes: 4
Reputation: 1103
In my experience this is usually an issue of the client application being unable to access the jwks_uri endpoints of the Keycloak server.
You can rule this out by explicitly specifying "realm-public-key" which will "hard code" the value. https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/java/java-adapter-config.adoc
You can also terminal into your application container and make sure you can curl these endpoints. Be sure to verify that this matches your auth-server configuration in your adapter.
http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
Upvotes: 6
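The checks the answers above point at (a token from another environment or an old session, a token whose algorithm differs from the realm key, a certs endpoint the adapter cannot read), as an added Python example that is not part of any answer or of Keycloak's code. The names diagnose and make_token and the sample JWKS are assumptions made for illustration; only the issuer URL and the kid are taken from the page.

```python
import base64
import json

def _b64url_json(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def diagnose(token, jwks, expected_issuer):
    """Explain why a verifier cannot pick a key for this token.

    Diagnostic only: nothing here verifies the signature, so the decoded
    values are untrusted and must not drive an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected 3 dot-separated segments)"]
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    published = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
    kid, alg, iss = header.get("kid"), header.get("alg"), claims.get("iss")
    findings = []
    if iss != expected_issuer:
        findings.append(f"issuer mismatch: token {iss!r}, adapter {expected_issuer!r}")
    if not published:
        findings.append("no keys available: certs endpoint unreachable or empty")
    elif kid not in published:
        findings.append(f"kid {kid!r} not published; realm offers {sorted(published)}")
    elif published[kid].get("alg") not in (None, alg):
        findings.append(f"alg mismatch: token {alg!r}, key {published[kid]['alg']!r}")
    return findings

def make_token(header, claims):
    # Constructed sample token with a dummy signature, for offline use only.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"

# Constructed sample data. The issuer follows the certs URL quoted above and
# LOG_KID is the kid from the question's log; the published kid is made up.
ISSUER = "http://localhost:8080/auth/realms/master"
LOG_KID = "QSm64gYAxG5-5Lt5r-T2dqQmHb8KKJ2dL3h_3Y8zXBE"
JWKS = {"keys": [{"kid": "constructed-current-kid", "kty": "RSA", "alg": "RS256"}]}

if __name__ == "__main__":
    stale = make_token({"alg": "RS256", "kid": LOG_KID}, {"iss": ISSUER})
    for line in diagnose(stale, JWKS, ISSUER):
        print(line)
```

To use it against a real deployment, pass the bearer token from the failing request and the JSON returned by the realm's certs endpoint, fetched from inside the application container.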
Reputation: 31
I believe what @buderu meant is that you have to make sure your realm and client configuration on your application matches the one on Keycloak. As @Anunay commented, depending on your Keycloak version, you will need to specify your public key.
Note that if your client is bearer only, you will need to provide its secret.
My configs (Keycloak v6.0.1) are something like:
keycloak:
  realm: master
  auth-server-url: http://127.0.0.1:8080/auth
  resource: my-client-name
  bearer-only: true
  credentials:
    secret: 3892g8m5-0c5e-498e-95v1-330q970b22e7
  # Keycloak Enable CORS
  cors: true
Upvotes: 1
Reputation: 445
If this is still relevant, I had the same problem. In my case the problem was that in Keycloak the client name was not configured correctly. After correcting the client name within Keycloak everything works great.
Upvotes: 10