Hi all,
I’m running into an `invalid_client` / “Unable to load public key” error during a
client-credentials flow that uses a *private-key JWT* (OpenID Connect) in Keycloak
17. Details:
• Auth method: client_credentials + client_assertion (RS256)
• Steps so far
1. Generated a JKS in Keycloak, then exported the cert & key to PEM.
2. Signed the JWT with the private key:
– Header: { "alg": "RS256", "typ": "JWT", "kid": "B1RqL00LiwwkYgXPeYrnag..." }
– iss & sub = <customclientnamestring>
– aud = <keycloakbase>/realms/<realmname>/protocol/openid-connect/token
3. POST to .../token with `grant_type=client_credentials`,
`client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`,
and the JWT in `client_assertion`.
Keycloak logs show it can’t find/load the public key for that `kid`.
What I’ve checked
-----------------
✓ Client is set to “Signed JWT” (not client secret).
✓ I created the JKS within Keycloak using the generate keys option, then used openssl and keytool to generate the public and private keys out of it, and then generated the client assertion with them via https://dinochiesa.github.io/jwt/
Still no luck—Keycloak won’t load the key. Any ideas on what I might be missing
(keystore format, JWKS vs PEM upload, cache, etc.)?
Any solutions to this problem?
Thanks in advance!
— Hassan
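As an added example (not the poster's code, and not Keycloak's), here is a Go model of the exchange described in the question: the client builds the RS256 `client_assertion` laid out above (kid in the header, iss/sub set to the client id, aud set to the realm's token endpoint), and a token-endpoint-style verifier looks the header's kid up among the keys registered for the client before checking the signature. The key, kid, client id and token URL are assumed/generated values for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) } // JWS base64url, unpadded

// NewClientAssertion builds the RS256 private_key_jwt from the post: kid in the header, iss and sub = client id, aud = token endpoint.
func NewClientAssertion(key *rsa.PrivateKey, kid, clientID, tokenURL string, now int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenURL, "iat": now, "exp": now + 60})
	input := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// VerifyClientAssertion mirrors the token endpoint: look the header's kid up among the keys
// registered for the client, then verify the RS256 signature and the audience. An unknown kid is the "unable to load public key" case.
func VerifyClientAssertion(jwt string, keys map[string]*rsa.PublicKey, tokenURL string) error {
	p := strings.Split(jwt, ".")
	if len(p) != 3 {
		return errors.New("malformed JWS")
	}
	var hdr, claims struct{ Alg, Kid, Aud string } // one shape decodes both header and payload
	hb, e1 := base64.RawURLEncoding.DecodeString(p[0])
	cb, e2 := base64.RawURLEncoding.DecodeString(p[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil {
		return errors.New("malformed JWS")
	}
	pub, ok := keys[hdr.Kid]
	if !ok || hdr.Alg != "RS256" {
		return errors.New("unable to load public key for kid " + hdr.Kid)
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // signing input is the two encoded parts
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil || claims.Aud != tokenURL {
		return errors.New("bad signature or audience")
	}
	return nil
}
```

A real token endpoint also checks exp (and rejects replayed jti values), which this model leaves out; the point it shows is that the kid in the assertion header has to match a key the server actually holds for that client, or verification fails before the signature is even examined.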