问题
I am using keycloak to secure my rest service and I am able to get the token , but when I am using this token for to get my rest service response, getting following error:
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate, private
X-Powered-By: Undertow/1
X-XSS-Protection: 1; mode=block
Server: WildFly/11
X-Frame-Options: SAMEORIGIN
Date: Wed, 30 Jan 2019 07:42:45 GMT
Connection: keep-alive
WWW-Authenticate: Bearer realm="demorealm", error="invalid_token", error_description="Didn't find publicKey for specified kid"
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Content-Length: 71
<html><head><title>Error</title></head><body>Unauthorized</body></html>
I followed below links but didn't get any output to solve this problem.
keycloak bearer token error - Didn't find publicKey for specified kid
Didn't find publicKey for kid ,Keycloak?
Edit 1 -
As per the detail token is properly generating with following command
curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://<IP-ADDRESS>/auth/realms/apirealm/protocol/openid-connect/token' --data 'username=cwlcadmin&password=password@123&client_id=api-client-id&grant_type=password&client_secret=a682049d-587c-4c38-a594-814f08b0ca76'a@123&client_id=api-client-id
But when using this token hitting to rest-api,above declare exception is coming
curl -X GET -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeVlweXZtQU9Sc2RtNXlibWNqWUVSRUxJTnVFR2RNOThDeFVMSmdUTHFvIn0.eyJqdGkiOiJkZWQ4YzAzNC02NDM2LTRmNDAtYjZlNC0zYTI3MzcyNDJkODYiLCJleHAiOjE1NDg4NDUzMTQsIm5iZiI6MCwiaWF0IjoxNTQ4ODQzNTE0LCJpc3MiOiJodHRwczovLzEwLjUzLjIwMS4yMDcvYXV0aC9yZWFsbXMvYXBpcmVhbG0iLCJhdWQiOiJhcGktY2xpZW50LWlkIiwic3ViIjoiZjo4OWYzMDE0MC1kNTBjLTQ4ZjMtODIyYi02YmM1YTFkYjM3Yzg6MSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFwaS1jbGllbnQtaWQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiI0MWY4ZDU0MS1iZWQxLTQ4MjktOTM4ZC0xNjUxYmZlNzFkZTYiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vMTAuNTMuMjAxLjIwNyJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfSwiYXBpLWNsaWVudC1pZCI6eyJyb2xlcyI6WyJyZXN0Il19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoicHEvSmJRPT0gaEp6b1J5QT0iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJjd2xjYWRtaW4iLCJnaXZlbl9uYW1lIjoicHEvSmJRPT0iLCJmYW1pbHlfbmFtZSI6ImhKem9SeUE9IiwiZW1haWwiOiJ0NWZxV2c3TjF3aUVWaGIxVlEwPSJ9.mPVPVdoRpwXU5Im9E8tlLz3DMrM8NrJ-oRiRZL0hceaszU0H58ca2HKhrtncY2WzCxidcuPPxb1fIh3XNR7C-Q-ifOS4VaIbAbH3pAehmhuBqu0gq3LAfVw8vBWVClVP1iKtPOz4cGeKqGQpKRRO1f8epSihVnRe3NWk1WVaD63jexc0EqawZpY-DqH1VDf5xpz8BY4UUqAAfAq0X6kZ7kBoqoiHFofS5eZJHx1mbN-N6qiCwGSwXP-V6JucoBygmqVDkoNCS9Ebx9DyQlXHStSd_KGbCLeIgMlYVPB8vsUy55IcrZGNJWVFsWcvudqTXwW2Tg8BBq-tsFkVuABs5w' -H 'Content-Type: application/json' -i 'https://<IP-ADDRESS>/api/v2/0/zones'
FYI - Using Wildfly and Load-balancer also which is provided by Wildfly
回答1:
At last after couple of days struggle we are able to resolve the issue and issue with the Subsystem added in Wildfly server ,it should be like this
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="sure-admin-web.war">
<realm>Realm_Name</realm>
<resource>CLIENT_APP</resource>
<use-resource-role-mappings>true</use-resource-role-mappings>
<auth-server-url>https://<KEYCLOAK-IP>:8666/auth/</auth-server-url>
<ssl-required>NONE</ssl-required>
<credential name="secret">7df18c0d-d4c7-47b1-b959-af972684dab0</credential>
</secure-deployment>
</subsystem>
in our case we missed <ssl-required>NONE</ssl-required> and in <auth-server-url> we added wrong load-balancer url while it should be Keycloak URL.
FYI - Load-Balancer in working on HTTPS while keycloak running on http
来源:https://stackoverflow.com/questions/54437318/keycloak-invalid-token-didnt-find-publickey-for-specified-kid