CAS 5.3.8 - Encrypted JWT and pac4j/jee-pac4j


Nicola Boldrin

Jun 19, 2019, 10:33:38 AM6/19/19
to CAS Community
Hi all,
I'm testing JWT Service Tickets with a simple javax-rs WebApp based on https://github.com/pac4j/jee-pac4j
After the login redirect, my application returns an Unauthorized response due to the fact that the JWT is not recognized as a JWE token.
Debugging the application, I've noticed that it is due to the method parseAlgorithm(final JSONObject json) of the com.nimbusds.jose.Header class, because the "enc" property is not present in the JWT header.

    // Fragment of com.nimbusds.jose.Header.parseAlgorithm(final JSONObject json);
    // algName holds the value of the "alg" header member.
    if (algName.equals(Algorithm.NONE.getName())) {
        // Plain (unsecured) JWT
        return Algorithm.NONE;
    } else if (json.containsKey("enc")) {
        // JWE: only chosen when the header carries an "enc" member
        return JWEAlgorithm.parse(algName);
    } else {
        // JWS: the fallback whenever "enc" is absent
        return JWSAlgorithm.parse(algName);
    }


Any suggestions?

Why doesn't CAS put the "enc" property into the JWT?


My CAS configuration for the JWT Service Tickets is:

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signingEnabled=true
cas.authn.token.crypto.signing.key=<the 512 byte key>
cas.authn.token.crypto.encryption.key=<the 256 bytes key>



Thanks all.
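As an added diagnostic (not part of the original post, and not CAS, pac4j or nimbus code): a small Python inspector that decodes only the protected header of a compact-serialized token and applies the same decision rule as the quoted parseAlgorithm(), so you can see what the token CAS issued actually carries before pac4j rejects it. It performs no signature verification or decryption, and the two sample tokens are constructed, not real CAS output.

```python
import base64
import json

# Same decision rule as nimbus-jose-jwt's Header.parseAlgorithm(): "alg" of
# "none" means an unsecured (plain) JWT, an "enc" member means JWE, else JWS.
def classify_header(header: dict) -> str:
    alg = header.get("alg")
    if alg is None:
        raise ValueError('header has no "alg" member')
    if alg == "none":
        return "plain"
    if "enc" in header:
        return "JWE"
    return "JWS"

def _b64url_decode(segment: str) -> bytes:
    # JOSE uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_token(token: str) -> dict:
    """Decode only the protected header (no verification, no decryption) and
    report whether the segment count agrees with the header's claimed type:
    compact JWS has 3 segments, compact JWE has 5."""
    segments = token.split(".")
    header = json.loads(_b64url_decode(segments[0]))
    kind = classify_header(header)
    expected = {"plain": 3, "JWS": 3, "JWE": 5}[kind]
    return {
        "alg": header.get("alg"),
        "enc": header.get("enc"),
        "kind": kind,
        "segments": len(segments),
        "consistent": len(segments) == expected,
    }

def _make_token(header: dict, nsegments: int) -> str:
    # Constructed sample: a real header plus dummy base64url segments; the
    # payload and signature/ciphertext content do not matter for inspection.
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([h] + ["AAAA"] * (nsegments - 1))

# Constructed samples: a signed-only header with no "enc" (what pac4j treats
# as JWS) and a JWE header with the five compact-serialization segments.
SIGNED_ONLY = _make_token({"alg": "HS512"}, 3)
ENCRYPTED = _make_token({"alg": "dir", "enc": "A256GCM"}, 5)

if __name__ == "__main__":
    for t in (SIGNED_ONLY, ENCRYPTED):
        print(inspect_token(t))
```

Run it against the actual ticket string CAS hands back to see whether the header carries "enc" at all; a 5-segment token whose header lacks "enc" is exactly the case that falls into the JWS branch above.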