p2-inc / keycloak-events

Useful Keycloak event listener implementations and utilities.
https://phasetwo.io

Invalid Keycloak Signature #37

Closed MarcinBondaruk closed 10 months ago

MarcinBondaruk commented 12 months ago

Hey, we have set up 3 Keycloak instances on k8s. We are using Keycloak events for webhooks on multiple user actions. Our backend processes these webhooks, but from time to time we cannot validate the signature, resulting in an invalid Keycloak signature. Can you please try to turn me in the right direction in debugging this issue? We are using Keycloak 20 and events plugin v0.12; the database is shared across instances.

Best regards!

xgp commented 12 months ago

@MarcinBondaruk thanks for the message. Is your issue that the signature is wrong? Or that it is missing?

The HMAC gets computed here https://github.com/p2-inc/keycloak-events/blob/main/src/main/java/io/phasetwo/keycloak/events/HttpSenderEventListenerProvider.java#L95 based on a String that is created by the same code that the SimpleHttp client uses https://github.com/keycloak/keycloak/blob/main/server-spi-private/src/main/java/org/keycloak/broker/provider/util/SimpleHttp.java#L319

For debugging, I would recommend taking a String of an event that you know fails and running it through your client/receiver code and the Java code. Should be possible to write a main method to run this https://github.com/p2-inc/keycloak-events/blob/main/src/main/java/io/phasetwo/keycloak/events/HttpSenderEventListenerProvider.java#L108

If you find that the exact String is producing two different HMAC values, please post the String and client code here. Otherwise, my guess is that the input is slightly different for the Java and client code.
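A receiver-side version of the comparison suggested above, as an added example (not code from this issue or from keycloak-events). It assumes a hex-encoded HMAC-SHA256 over the request body; the secret, event body and function names are constructed for illustration. It goes one step beyond a single string and checks several byte forms a receiver might end up hashing for the same event.

```python
import hashlib
import hmac
import json

# Constructed sample values, not taken from the issue.
SECRET = "example-shared-secret"
RAW_BODY = b'{"type":"access.LOGIN","realmId":"demo","details":{"username":"zo\xc3\xab"}}'


def sign(body: bytes, secret: str, algorithm: str = "sha256") -> str:
    """Hex HMAC of the exact bytes given (algorithm and encoding are assumptions)."""
    return hmac.new(secret.encode("utf-8"), body, algorithm).hexdigest()


def verify(body: bytes, received_sig: str, secret: str) -> bool:
    """Constant-time comparison against the signature sent with the webhook."""
    return hmac.compare_digest(sign(body, secret), received_sig.strip().lower())


def candidate_inputs(raw: bytes) -> dict:
    """Byte strings a receiver might end up hashing for the same event."""
    parsed = json.loads(raw)
    compact = {"separators": (",", ":"), "ensure_ascii": False}
    return {
        "raw request bytes": raw,
        "re-serialized (default separators)": json.dumps(parsed).encode("utf-8"),
        "re-serialized (compact, non-ASCII kept)": json.dumps(parsed, **compact).encode("utf-8"),
        "re-serialized (sorted keys)": json.dumps(parsed, sort_keys=True, **compact).encode("utf-8"),
        "raw with trailing newline": raw + b"\n",
    }


def diagnose(raw: bytes, received_sig: str, secret: str) -> list:
    """Names of the candidate inputs whose HMAC equals the received signature."""
    return [name for name, data in candidate_inputs(raw).items()
            if verify(data, received_sig, secret)]


if __name__ == "__main__":
    sent_sig = sign(RAW_BODY, SECRET)  # stands in for the signature sent with the webhook
    for name, data in candidate_inputs(RAW_BODY).items():
        print(f"{verify(data, sent_sig, SECRET)!s:5}  {name}")
```

Verifying over the raw request bytes, before any JSON parsing, is the only form that does not depend on the receiver's serializer matching the sender's.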