Didn't find publicKey for kid ,Keycloak?

Question

I am getting this exception "Didn't find publicKey for kid" while calling endpoint from angular js 2 to the widlfly server .

authentication happened in keycloak , however i am calling about 8 endpoints from different clients (different micro services ) within same realm using same token but i got this exception only for this microservice call .

i am sure that the user has all roles for all clients . i also decoded the token on JWT to verify that.

sometimes it works and sometimes no!! this the exception stack trace :

Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90)
    at sun.security.validator.Validator.getInstance(Validator.java:179)
    at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312)
    at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    ... 55 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
    at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88)
    ... 67 more

2017-06-09 00:33:35,994 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier] (default task-445) Didn't find publicKey for kid: QSm64gYAxG5-5Lt5r-T2dqQmHb8KKJ2dL3h_3Y8zXBE
2017-06-09 00:33:35,994 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-445) Failed to verify token: org.keycloak.common.VerificationException: Didn't find publicKey for specified kid
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:47)
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:67)
    at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
    at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

Can you check your keycloak.json and what version of keycloak are you using. In 2.4.0 (and maybe beyond) public key is not added to json by default. You need to copy it from master realm inside realm settings -> keys — Anunay, Feb 05 '18 at 03:43

score 7 · Answer 1 · answered Feb 04 '18 at 11:39

7

If this is still relevant, I had the same problem. In my case the problem was that in Keycloak the client name was not configured correctly. After correcting the client name within Keycloak everything works great.

answered Feb 04 '18 at 11:39

buderu

319
3
13

9

can you be more specific? – Tiago Santos Oct 19 '18 at 10:34
5

Can you specify more? Was your error was type in client_id or something else? – Menuka Ishan Jan 23 '19 at 09:57
4

what did you do? How does this answer get so many upvotes? It literaly doesn't provide any answer – Sophie Roseinsta Mar 29 '20 at 22:42
I had the same problem and I had a typo in the `client_id` declared in my API environment variables. I think this was the same for @buderu. @LongNguyen check if all of your configuration is correct. – HasBert Jul 27 '20 at 10:11

score 0 · Answer 2 · answered May 11 '20 at 15:34

I believe what @buderu meant is that you have to make sure your realm and client configuration on your application matches the one on Keycloak. As @Anunay commented, depending on your Keycloak version, you will need to specify your public key.

Note that if your client is bearer only, you will need to provide its secret.

My configs (Keycloak v6.0.1) are something like:

keycloak:
  realm: master
  auth-server-url: http://127.0.0.1:8080/auth
  resource: my-client-name
  bearer-only: true
  credentials:
    secret: 3892g8m5-0c5e-498e-95v1-330q970b22e7
# Keycloak Enable CORS
  cors: true

score 0 · Answer 3 · answered May 12 '20 at 07:07

In my experience this is usually an issue of the client application being unable to access the jwks_uri endpoints of the keycloak server.

You can rule this out by explicitly specifying "realm-public-key" which will "hard code" the value. https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/java/java-adapter-config.adoc

You can also terminal into your application container and make sure you can curl these endpoints. Be sure to verify that this matches your auth-server configuration in your adapter.

http://localhost:8080/auth/realms/master/protocol/openid-connect/certs http://localhost:8080/auth/realms/master/protocol/openid-connect/certs

score 0 · Answer 4 · answered Sep 29 '20 at 13:26

0

This could also be caused by using the wrong token for authentication.

The ID token is signed with HS256 (HMAC), while the access token uses RS256 (RSA). Using the ID token instead of the access token can cause the error message above.

answered Sep 29 '20 at 13:26

ojathelonius

353
3
16

score 0 · Answer 5 · answered Apr 27 '21 at 09:52

In my case this problem was being caused by old browser tabs or windows. More specifically, I often restart my application without closing the tab/window which was running the front end. As a result the new instance of the application running a new instance of Keycloak opens a new browser tab but keeps receiving requests from the old tab/window which yields the old bearer token. The error stops appearing in the logs once those tabs and windows are closed. Although this is trivial it is quite easy to miss.

Didn't find publicKey for kid ,Keycloak?

5 Answers5

Linked