Pushed Authorization Request only working with RS256?

Securing applications
1

Hi, using keycloak 15.0.2 image and i cannot get any algorithm to authenticate other than RS256.

i am using PAR for client requests, works fine when using an RS256 token but not others (ES256, PS256). i dont have any fapi profiles enforced on the realm (that would enforce these algo’s)

i’m using this to create PS256 private key:

openssl genpkey -algorithm RSA-PSS -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_mgf1_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 -out bff-client.key

Error looks like this:

11:33:32,133 WARN  [org.keycloak.events] (default task-60) type=PUSHED_AUTHORIZATION_REQUEST_ERROR, realmId=bff, clientId=bff_client, userId=null, ipAddress=10.0.2.100, error=invalid_request, detail='Authentication failed.'
11:34:58,879 ERROR [org.keycloak.services] (default task-62) KC-SERVICES0025: Error when validating client assertion: java.lang.RuntimeException: Signature on JWT token failed validation
	at org.keycloak.keycloak-services@15.0.2//org.keycloak.authentication.authenticators.client.JWTClientAuthenticator.authenticateClient(JWTClientAuthenticator.java:160)
	at org.keycloak.keycloak-services@15.0.2//org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:72)
	at org.keycloak.keycloak-services@15.0.2//org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:861)
	at org.keycloak.keycloak-services@15.0.2//org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:51)
	at org.keycloak.keycloak-services@15.0.2//org.keycloak.protocol.oidc.par.endpoints.AbstractParEndpoint.authorizeClient(AbstractParEndpoint.java:66)
	at org.keycloak.keycloak-services@15.0.2//org.keycloak.protocol.oidc.par.endpoints.ParEndpoint.request(ParEndpoint.java:90)
	at jdk.internal.reflect.GeneratedMethodAccessor802.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
2

i also found this which seems related
https://issues.redhat.com/browse/KEYCLOAK-19094

Cheers

3

i managed to get things working only by setting a jwks url and serving up the public cert:

$ curl -vvv -H’accept: /’ -k localhost:7080/tokenhandler/jwk

  • Trying ::1:7080…
  • Connected to localhost (::1) port 7080 (#0)

GET /tokenhandler/jwk HTTP/1.1
Host: localhost:7080
User-Agent: curl/7.76.1
accept: /

  • Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Content-Security-Policy: “default-src ‘self’;”
    < X-Content-Type-Options: nosniff
    < transfer-encoding: chunked
    < Content-Type: application/json
    <
    {
    “keys”: [
    {
    “use”: “sig”,
    “alg”: “PS256”,
    “e”: “AQAB”,
    “key_ops”: [
    “verify”
    ],
    “kty”: “RSA”,
    “n”: “wjR3QgMtHb0Nk7bsQ5-w45hqD0cyjixBBESn0d_ZQFzxGFqL0F9X9Otg1P5H67oo56jkOeSoPLc5yv9APR-Yu4xaYnd96qcM1lzxoDCRFCJgtgR01z42Kf4k69kxMc3hQxGDdWlZRdsifeuzTFYzfOo5MyWY4QQtSQiDQDICs1gaohWZ6gsX252deVkpFOKJI3hU8jtQsosUr1JZPOWwCKzZ3-AhsXlRLSbkRcpU_VvUWN-QJgeBv_Ejj-_3i_3PcThgqK-zZEyZSc6z3NoxBSOX7y7M2XNboH9ePSh1VqbkO7UZUXUTTssFixmBp9f-sHofvBg556qWlkCO8_vlFQ”
    }
    ]
  • Connection #0 to host localhost left intact
    }

i debugged the keycloak server, and it seems that when decoding the signature for verification there is a padding error which i couldn’t get around. i.e. if i upload this public JWT KeySet, which gets converted into a PEM in Keycloak … it then fails to verify the signature.