Unable to get token using client credentials through the signed JWT method


Hassan Saeed

May 26, 2025, 3:22:51 PM
to Keycloak User

Hi all,


I’m running into an `invalid_client` / “Unable to load public key” error during a
client-credentials flow that uses a *private-key JWT* (OpenID Connect) in Keycloak
17.  Details:


• Auth method: client_assertion 
• Steps so far
  1. Generated a JKS in Keycloak, then exported the cert & key to PEM.
  2. Signed the JWT with the private key:
     – Header: { "alg": "RS256", "typ": "JWT", "kid": "<SHA256 generated by MKJWK for some other key>" }
     – iss & sub = ECRNow
     – aud = <keycloakbaseurl>/realms/<realmname>/protocol/openid-connect/token
  3. POST to .../token with `grant_type=client_credentials`,
     `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,
     and the JWT in `client_assertion`.


Keycloak logs show it can’t find/load the public key for that `kid`.


What I’ve checked and presets
-----------------------------
✓ Client is set to “Signed JWT” (not client secret).

✓ I generated the JKS within Keycloak using the “generate keyset” option, converted the JKS into a private-key PEM and a public-key PEM using openssl and keytool, and then generated the JWT assertion from them via https://dinochiesa.github.io/


Still no luck—Keycloak won’t load the key. Any ideas on what I might be missing
(keystore format, JWKS vs PEM upload, cache, etc.)?

Is there a solution to this?


Thanks in advance!


— Hassan Saeed
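The following is an added example, not code from the post or from Keycloak. It shows in Go (standard library only) what a private_key_jwt client assertion looks like end to end, and why the `kid` in the header has to name the key that actually signed it: the verifier does exactly what a token endpoint does, look the `kid` up in the client's registered key set before checking the signature, so a `kid` taken from an unrelated key fails at the lookup step rather than at signature verification. The token endpoint URL and the client id `ECRNow` are constructed placeholder values; the RFC 7638 JWK thumbprint used as `kid` is one common convention for naming a key and is an assumption here, not a statement about how Keycloak derives the `kid` of a stored key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed placeholders for this example; substitute the real realm and client.
const (
	tokenEndpoint = "https://keycloak.example.test/realms/demo/protocol/openid-connect/token"
	clientID      = "ECRNow"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwkThumbprint computes the RFC 7638 thumbprint of an RSA public key. Using it as
// "kid" ties the header to the key that really signs the assertion (assumed
// convention; Keycloak may label its stored keys differently).
func jwkThumbprint(pub *rsa.PublicKey) string {
	e := big.NewInt(int64(pub.E)).Bytes()
	// RFC 7638: required members only (e, kty, n), lexicographic order, no whitespace.
	canon := fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, b64(e), b64(pub.N.Bytes()))
	sum := sha256.Sum256([]byte(canon))
	return b64(sum[:])
}

// buildAssertion creates the private_key_jwt client assertion: RS256 over
// base64url(header).base64url(claims), with iss/sub = client id and aud = token endpoint.
func buildAssertion(priv *rsa.PrivateKey, kid string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": fmt.Sprintf("%d", now.UnixNano()), // unique id so the assertion cannot be replayed
		"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix(),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyAssertion mirrors the server side: parse the header, resolve "kid" against the
// client's registered keys, then verify the signature. An unknown kid is rejected
// before any cryptography happens, which is the failure mode the post describes.
func verifyAssertion(token string, registered map[string]*rsa.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return err
	}
	if hdr.Alg != "RS256" {
		return fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := registered[hdr.Kid]
	if !ok {
		return fmt.Errorf("unable to load public key for kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Demo registers one key for the client, then checks two assertions signed by that key:
// one whose kid names the registered key (accepted) and one whose kid is the
// thumbprint of an unrelated key (rejected at lookup, as in the post).
func Demo() (goodAccepted bool, mismatchedRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	kid := jwkThumbprint(&priv.PublicKey)
	registered := map[string]*rsa.PublicKey{kid: &priv.PublicKey}
	now := time.Now()
	good, err := buildAssertion(priv, kid, now)
	if err != nil {
		return false, false, err
	}
	goodAccepted = verifyAssertion(good, registered) == nil
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed "some other key"
	bad, _ := buildAssertion(priv, jwkThumbprint(&other.PublicKey), now)
	mismatchedRejected = verifyAssertion(bad, registered) != nil
	return goodAccepted, mismatchedRejected, nil
}

func main() {
	good, bad, err := Demo()
	fmt.Println("matching kid accepted:", good, "| foreign kid rejected:", bad, "| err:", err)
}
```

The practical check this suggests: decode the header of the assertion you are sending and compare its `kid` with the identifier Keycloak shows for the key it holds for the client; if they differ, the signature is never even examined.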
