Invalid signature on token received through docker-v2 protocol


Describe the bug

The token received after authenticating through the docker-v2 protocol within RH-SSO 7.5.0 has an invalid signature per jwt.io.

Version

Keycloak 15.0.1 / RH-SSO 7.5.0

Expected behavior

There should not be an invalid signature error.

Actual behavior

The token received has an invalid signature.

How to Reproduce?

  • Run RH-SSO with docker feature flag enabled.

    standalone.sh -Dkeycloak.profile.feature.docker=enabled

  • Create a client, e.g. docker-registry, in the master realm that supports the docker-v2 protocol.

  • Add a user within master realm and assign username and password.

  • Query docker protocol through and obtain access token.

    curl -u "${username}:${password}" "http://localhost:8080/auth/realms/master/protocol/docker-v2/auth?service=${client_id}"

Here is a test token obtained after authentication. Pasting this token into jwt.io shows an invalid signature. I’m not sure if the format is invalid given the actual signature verification requires public key.

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJISEtUOkNJUUk6NTdIUTpWRkFJOjRUWDI6UURYTjpUQ1Y3OlVRS046VFBBTTpOQ0xVOlhFVE06Q0IyWCJ9.eyJleHAiOjE2NDMxMzczMTcsIm5iZiI6MTY0MzEzNzI1NywiaWF0IjoxNjQzMTM3MjU3LCJqdGkiOiIzYTAwYTRhZS1jNzc2LTQ4NzYtYmI0OC1kYjI0MWE0YzMwN2UiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiZG9ja2VyLXJlZ2lzdHJ5Iiwic3ViIjoidGVzdC11c2VyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZG9ja2VyLXJlZ2lzdHJ5IiwiYWNjZXNzIjpbXX0.NyJhwRQqaMzP8fOFId-GjFvcR5xy6-QUF54HgLsPM9471ttUjHJFJFcBk00JUk8k_-vO6kn7dHHiO9997ZU11eyHvSZbR0ZJkxo8ZnInWv_9jau2utbb0WnukwflGb5dG91XymKZGGBRlRAHIlBdo8HTmgidR8sVqKeELe53qCjkTcoaf7Gz4oCoAUyudInQ2bfHzHCmDnxKhYe2OlMN15x655ofiB7K_Cg5OqsunjOuY64G3AYzbk0h66Cp75d__Z5hSluxh9XY7X5GBF3OpN5miAJWrZihZVlLKkzQcuikEGMEJA5fkZ43wDqFIqjDvoV9senrgbKmobXMcVumMQ

Anything else?

No response

Issue Analytics

  • State: open
  • Created 2 years ago
  • Comments: 16 (15 by maintainers)
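The issue notes that checking the signature requires the public key. The following is an added example, not part of the original issue or of Keycloak's code, that verifies an RS256 token locally against an RSA public key using only the Python standard library. The function names are hypothetical, the key is a constructed demo key, and in real use `n` and `e` would come from the realm's RS256 public key.

```python
import base64, hashlib, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def emsa_pkcs1_v15(signing_input, k):
    """Padded block an RS256 signature of k bytes must decrypt to."""
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, n, e):
    """Return the claims if the signature verifies under (n, e), else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # pin the algorithm, do not follow the token
        raise ValueError("unexpected alg")
    # The signature covers the header and payload segments exactly as sent;
    # they must not be decoded and re-serialized before hashing.
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(parts[2])
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        raise ValueError("invalid signature")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if recovered != emsa_pkcs1_v15(signing_input, k):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(parts[1]))

# Constructed demo key built from two Mersenne primes: for testing only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def sign_rs256(header, claims):
    """Demo signer for the constructed key above."""
    head = b64url_encode(json.dumps(header).encode())
    body = b64url_encode(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    em = emsa_pkcs1_v15((head + "." + body).encode("ascii"), k)
    sig = pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")
    return head + "." + body + "." + b64url_encode(sig)
```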

Top GitHub Comments

1 reaction
stianst commented, Feb 1, 2022

By the way I have to say this it’s stupid that docker doesn’t just use a standard

0 reactions
mposolda commented, May 25, 2022

@alechenninger @bhushanthakur93 I am triaging this with label “Help wanted” as I don’t consider it as a priority. However if you guys are still interested in this, we can restore the discussion and hopefully you can contribute fixing this. WDYT?
