Hi, I have an issue generating a token for my confidential client. I have "enabled" OAuth 2.1 rules for client configuration. Steps that I have performed to do that:
- Created a client policy
- Assigned the client profile called "oauth-2-1-for-confidential-client"
- Added conditions to affect all clients (any-client)
By doing this, when we create a client in Keycloak and select confidential:
Our client credentials are set to "Signed Jwt" and it is not possible to use clientId/clientSecret because of the OAuth 2.1 rule; the client will not be updated even if we try.
Now I go to the Keys tab in the client settings, and I have generated new keys; the p12 file is downloaded to my computer.
I wrote some simple Java code that should create a JWT token signed with the private key, and verify on jwt.io that the token is valid by providing the public key:
and this is all done with the file that is downloaded when I created new keys in the Keys settings.
Also the key is visible via API or UI; I have copied it from the Keycloak UI and it works on jwt.io:
So, with this public key I can verify the token on jwt.io, but not from the Keycloak endpoint when I request a token.
As far as I understand, I have to call the Keycloak token endpoint with this signed JWT in order to get a client JWT:
CURL command to obtain access token:
curl -X POST \
-d "grant_type=client_credentials" \
-d "client_id=mcp-ai" \
-d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
-d "client_assertion=eyJraWQiOiI4YWdYT1BuTFhIbGhPSE9BTERLaS01ZnN......." \
https://<host>/realms/<realm>/protocol/openid-connect/token
But somehow I am getting:
{
"error": "invalid_client",
"error_description": "Client authentication with signed JWT failed: Signature on JWT token failed validation"
}
{"timestamp":"2025-05-13T10:48:25.556401385Z","sequence":10557,"loggerClassName":"org.keycloak.services.ServicesLogger_$logger","loggerName":"org.keycloak.services","level":"ERROR","logDesc":"KC-SERVICES0025: Error when validating client assertion","threadName":"executor-thread-111","threadId":2675672,"mdc":{},"ndc":"","hostName":"keycloak-b4dc57977-94bv9","processName":"/usr/lib/jvm/java-21-openjdk-21.0.6.0.7-1.el9.x86_64/bin/java","processId":1,"exception":{"refId":1,"exceptionType":"java.lang.RuntimeException","message":"Signature on JWT token failed validation","frames":[{"class":"org.keycloak.authentication.authenticators.client.JWTClientAuthenticator","method":"authenticateClient","line":113},{"class":"org.keycloak.authentication.ClientAuthenticationFlow","method":"processFlow","line":72},{"class":"org.keycloak.authentication.AuthenticationProcessor","method":"authenticateClient","line":926},{"class":"org.keycloak.protocol.oidc.utils.AuthorizeClientUtil","method":"authorizeClient","line":49},{"class":"org.keycloak.protocol.oidc.endpoints.TokenEndpoint","method":"checkClient","line":180},{"class":"org.keycloak.protocol.oidc.endpoints.TokenEndpoint","method":"processGrantRequest","line":134},{"class":"org.keycloak.protocol.oidc.endpoints.TokenEndpoint$quarkusrestinvoker$processGrantRequest_6408e15340992839b66447750c221d9aaa837bd7","method":"invoke"},{"class":"org.jboss.resteasy.reactive.server.handlers.InvocationHandler","method":"handle","line":29},{"class":"io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext","method":"invokeHandler","line":141},{"class":"org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext","method":"run","line":147},{"class":"io.quarkus.vertx.core.runtime.VertxCoreRecorder$14","method":"runWith","line":635},{"class":"org.jboss.threads.EnhancedQueueExecutor$Task","method":"doRunWith","line":2516},{"class":"org.jboss.threads.EnhancedQueueExecutor$Task","method":"run","line":2495},{"class":"org.jboss.threads.EnhancedQueueExecutor$ThreadBody","method":"run","line":1521},{"class":"org.jboss.threads.DelegatingRunnable","method":"run","line":11},{"class":"org.jboss.threads.ThreadLocalResettingRunnable","method":"run","line":11},{"class":"io.netty.util.concurrent.FastThreadLocalRunnable","method":"run","line":30},{"class":"java.lang.Thread","method":"run","line":1583}]},"srcAppId":"keycloak"}
So I am not able to generate a client token. Did I miss something or do something wrong?
Keycloak version 26.1.0
[SOLUTION]
It turns out that all is correct and it should work, but I had an extra newline when I copied the JWT from my token creation, and that is why it didn't work…
Tnx
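As an added example (not the poster's Java code and not Keycloak's own), here is what a minimal client_assertion builder for this flow looks like, using the Nimbus JOSE + JWT library, which is assumed to be on the classpath. It reads the PKCS12 keystore downloaded from the client's Keys tab, signs the assertion with RS256, strips surrounding whitespace before use (the cause of the failure in this thread) and verifies the signature locally against the keystore's own public key, so that a "Signature on JWT token failed validation" from Keycloak can be separated from a wrong key on the client. The keystore path, passwords, key alias, client id and token endpoint URL are command-line arguments here and are assumptions; the claim layout (iss and sub equal to the client id, aud set to the token endpoint, a fresh jti, a short exp) is what private_key_jwt client authentication expects.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.UUID;

/**
 * Builds a private_key_jwt client assertion for Keycloak's token endpoint.
 * Assumed library: com.nimbusds:nimbus-jose-jwt (not part of the original post).
 */
public class ClientAssertion {

    /** Signs the claims Keycloak checks: iss/sub = client id, aud = token endpoint, unique jti, short exp. */
    public static SignedJWT build(PrivateKey privateKey, String clientId, String tokenEndpoint) throws JOSEException {
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(clientId)
                .subject(clientId)
                .audience(tokenEndpoint)
                .jwtID(UUID.randomUUID().toString())   // a reused jti is rejected, so generate a fresh one per request
                .issueTime(now)
                .expirationTime(new Date(now.getTime() + 60_000L)) // 60 s is plenty for a single token call
                .build();
        // No kid in the header: Keycloak resolves the key from the certificate configured on the client.
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).build(), claims);
        jwt.sign(new RSASSASigner(privateKey));
        return jwt;
    }

    /** Whitespace (a trailing newline from a copy/paste or a file) is not part of the JWS and breaks validation. */
    public static String normalize(String assertion) {
        return assertion.strip();
    }

    /** Local check with the matching public key: separates a wrong key from a mangled assertion before calling Keycloak. */
    public static boolean verifiesWith(String assertion, RSAPublicKey publicKey) throws Exception {
        return SignedJWT.parse(assertion).verify(new RSASSAVerifier(publicKey));
    }

    public static void main(String[] args) throws Exception {
        // Assumed argument layout: keystore.p12 storePassword keyPassword keyAlias clientId tokenEndpointUrl
        String keystorePath = args[0], storePassword = args[1], keyPassword = args[2], alias = args[3];
        String clientId = args[4], tokenEndpoint = args[5];

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePassword.toCharArray());
        }
        PrivateKey privateKey = (PrivateKey) ks.getKey(alias, keyPassword.toCharArray());
        RSAPublicKey publicKey = (RSAPublicKey) ks.getCertificate(alias).getPublicKey();

        String assertion = normalize(build(privateKey, clientId, tokenEndpoint).serialize());
        if (!verifiesWith(assertion, publicKey)) {
            throw new IllegalStateException("assertion does not verify with the keystore's own public key");
        }
        // Print only the compact JWS, with no trailing newline, so it can be captured straight into the curl -d value.
        System.out.print(assertion);
    }
}
```

Because the program prints the assertion without a trailing newline, it can be fed directly into the curl call from the question, e.g. `-d "client_assertion=$(java ClientAssertion client.p12 <storePw> <keyPw> <alias> mcp-ai https://<host>/realms/<realm>/protocol/openid-connect/token)"`, which avoids the copy/paste step where the stray newline crept in. If the local `verifiesWith` check fails, the keystore or alias is wrong; if it passes and Keycloak still reports a signature failure, compare the certificate shown under the client's Keys tab with the one in the keystore and check that the assertion was not altered in transit (quoting, line wrapping, URL encoding).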