JWT signature verification regression in CAS 6.1.0 RC5 for Acceptto MFA integration


Aarash Yaadegarnia

Oct 14, 2019, 11:06:31 AM10/14/19
to CAS Community
Hi everyone,

I'm experimenting with OIDC and SAML server providers using Acceptto MFA integration. Up until RC4 everything seems to be working perfectly fine, but after upgrading to RC5 (and RC6), it fails to verify the JWT signature that it receives from the Acceptto server.

This is what I'm getting with RC5 and RC6:

cas                  | 2019-10-07 17:50:44,554 TRACE [org.apereo.cas.mfa.accepto.AccepttoApiUtils] - <Validating response signature for [REDACTED] using [Sun RSA public key, 2048 bits
cas                  |   params: null
cas                  |   modulus: [REDACTED]
cas                  |   public exponent: [REDACTED]]>
cas                  | 2019-10-07 17:50:44,561 ERROR [org.apereo.cas.mfa.accepto.AccepttoApiUtils] - <The given key (algorithm=RSA) is not valid for SHA256withRSA>
cas                  | org.jose4j.lang.InvalidKeyException: The given key (algorithm=RSA) is not valid for SHA256withRSA
cas                  | at org.jose4j.jws.BaseSignatureAlgorithm.initForVerify(BaseSignatureAlgorithm.java:115) ~[jose4j-0.6.5.jar!/:?]
cas                  | at org.jose4j.jws.BaseSignatureAlgorithm.verifySignature(BaseSignatureAlgorithm.java:56) ~[jose4j-0.6.5.jar!/:?]
cas                  | at org.jose4j.jws.JsonWebSignature.verifySignature(JsonWebSignature.java:192) ~[jose4j-0.6.5.jar!/:?]
cas                  | at org.apereo.cas.util.EncodingUtils.verifyJwsSignature(EncodingUtils.java:280) ~[cas-server-core-util-api-6.1.0-RC5-SNAPSHOT.jar!/:6.1.0-RC5-SNAPSHOT]
cas                  | at org.apereo.cas.mfa.accepto.AccepttoApiUtils.authenticate(AccepttoApiUtils.java:184) ~[cas-server-support-acceptto-mfa-6.1.0-RC5-SNAPSHOT.jar!/:6.1.0-RC5-SNAPSHOT]
cas                  | at org.apereo.cas.mfa.accepto.web.flow.AccepttoMultifactorDetermineUserAccountStatusAction.doExecute(AccepttoMultifactorDetermineUserAccountStatusAction.java:45) ~[cas-server-support-acceptto-mfa-6.1.0-RC5-SNAPSHOT.jar!/:6.1.0-RC5-SNAPSHOT]

Same configuration (with same public key and upstream server setup) works perfectly fine with RC4. Could anyone please point me in the right direction?

Please let me know if more information is needed to better diagnose the issue.

Thanks,
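A standalone reproduction of the jose4j RS256 verify step that the trace passes through (EncodingUtils.verifyJwsSignature -> JsonWebSignature.verifySignature), as an added example and not code from CAS or Acceptto; it assumes jose4j 0.6.5 (the version in the trace) is on the classpath and uses a generated key pair in place of the real Acceptto key.

```java
// Added example (not CAS or Acceptto code): isolates the jose4j RS256 verify step
// that the trace above goes through, so a key/token pair can be checked outside CAS.
// Assumes jose4j 0.6.5 (the version in the trace) on the classpath.
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;

public class Rs256VerifyCheck {

    // Verify a compact JWS with the given public key, accepting only RS256.
    // The whitelist matters: without it a token carrying a different "alg"
    // header is processed with whichever algorithm the header names.
    static boolean verifyRs256(String compactJws, PublicKey publicKey) throws JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.WHITELIST,
                AlgorithmIdentifiers.RSA_USING_SHA256));
        jws.setCompactSerialization(compactJws);
        jws.setKey(publicKey);
        // Throws org.jose4j.lang.InvalidKeyException (the exception in the trace) when the
        // key cannot be initialised for SHA256withRSA; returns false on a bad signature.
        return jws.verifySignature();
    }

    // Sign a payload with RS256 so the check can run with a constructed token.
    static String signRs256(String payload, KeyPair keyPair) throws JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(payload);
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        jws.setKey(keyPair.getPrivate());
        return jws.getCompactSerialization();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair issuer = gen.generateKeyPair();  // stands in for the Acceptto signing key
        KeyPair other = gen.generateKeyPair();   // a key the token was NOT signed with

        // Constructed sample payload; a captured Acceptto token would go here instead.
        String token = signRs256("{\"sub\":\"constructed-sample\"}", issuer);
        System.out.println("issuer key -> " + verifyRs256(token, issuer.getPublic()));
        System.out.println("other key  -> " + verifyRs256(token, other.getPublic()));
    }
}
```

Running verifyRs256 against the configured Acceptto public key and a captured token, with the same JDK and security providers CAS uses, separates a key or provider problem (the exception reproduces outside CAS) from a CAS-side regression (it does not).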