What is sign key for JWT in CAS OAuth2?


dg

May 28, 2020, 11:00:28 AM5/28/20
to CAS Community
I have configured CAS with OAuth2 and JWT as the access token like this: https://apereo.github.io/2019/02/19/cas61-as-oauth-authz-server/

It works well and returns a JWT, and I can also decode it on the jwt.io website and see the payload. But I can't validate the JWT in the resource server. I have the same signing key in the resource server.

My CAS config:

cas.authn.oauth.access-token.crypto.enabled=true
cas.authn.oauth.access-token.crypto.signing-enabled=true
cas.authn.oauth.access-token.crypto.encryption-enabled=false
cas.authn.oauth.access-token.crypto.signing.key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgYXF7qeNDWxzVVCkFaFwxGixkryifkDbu82n00fvT/ab2lx3KD3IxP9wqo3d3hUOZT7HeTlmvzJu2lZx0zLVnumz0m+Ksa5cuFyIEQ2nqkbi2bfD+moxEoCS6hXCvttihS8gyaJrHlHzvNugAGArSviNOJAdTrPJrIzcoqMxuC9UKoF8XJ6HirQOsR1+xSzqFeWxjCDe5IUJG0RA31rC7BbAJ148Ni8XUJm3UPB5+nfqGyOMYNBqiQ8OPD6D2kJKgQIy6pvSI/11bbFBL2ffWY257rh5gZJ+zQZ4cCCjDWsrWsA9okgPhPE2N/nKj1lcuqaWSj700uX0Ihxsp2l01QIDAQAB


Where am I wrong? Doesn't Apereo CAS use cas.authn.oauth.access-token.crypto.signing.key? Or maybe Apereo CAS does some additional encryption over the signing key.

Could you provide some information? Thanks for the help.

Nguyen Tran Thanh Lam

May 28, 2020, 12:01:16 PM5/28/20
to cas-...@apereo.org
Hi,
When you enable OAuth2, the signing key shows in your logs when you build CAS.
Don't worry if the CAS build fails.
You can get the signing key and build again; it will succeed.
Note: OAuth2 is only supported in CAS version 6.1.x.
Best regards

On Thu, 28 May 2020 at 22:00, dg <ytete...@gmail.com> wrote:
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/302a2dcf-9df9-4f22-bc6c-8a5d4d01d60a%40apereo.org.

dg

May 28, 2020, 12:19:49 PM5/28/20
to CAS Community
Hi, thanks for the response. I am a little confused. Does CAS generate a signing key automatically even if I have set the signing key?

Here are my logs:

2020-05-28 19:05:54,024 INFO [org.apereo.cas.util.CoreTicketUtils] - <Ticket registry encryption/signing is turned off. This MAY NOT be safe in a clustered production environment. Consider using other choices to handle encryption, signing and verification of ticket registry tickets, and verify the chosen ticket registry does support this behavior.>
2020-05-28 19:05:54,082 INFO [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Encryption is not enabled for [Token/JWT Tickets]. The cipher [OAuth20RegisteredServiceJwtAccessTokenCipherExecutor] will only attempt to produce signed objects>
2020-05-28 19:05:54,082 INFO [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Signing is not enabled for [Token/JWT Tickets]. The cipher [OAuth20RegisteredServiceJwtAccessTokenCipherExecutor] will attempt to produce plain objects>
2020-05-28 19:05:54,205 INFO [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Encryption is not enabled for [OAuth JWT Access Tokens]. The cipher [OAuth20JwtAccessTokenCipherExecutor] will only attempt to produce signed objects>
2020-05-28 19:05:54,221 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [OAuth Registered Service]; CAS will attempt to auto-generate the encryption key>
2020-05-28 19:05:54,227 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [ouEwfe6zIZrXaCwlEH9XbWoiyl_0qQpFL8_V_onea3ZDULNWzDoGiP98UJ1dl7_6_oZrX_gNfrenfkiV0phhTg] of size [512] for [OAuth Registered Service]. The generated key MUST be added to CAS settings under setting [cas.authn.oauth.crypto.encryption.key].>
2020-05-28 19:05:54,228 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [OAuth Registered Service]. CAS will attempt to auto-generate the signing key>
2020-05-28 19:05:54,228 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [B25RcIHvRQ2xo2Gr3ya5DxghyuZ444G4w6caZXek104E-iEGC2Yt0_k5LSzR0_9o50Jp-SElSoOYv1jh2Wn1ZQ] of size [512] for [OAuth Registered Service]. The generated key MUST be added to CAS settings under setting [cas.authn.oauth.crypto.signing.key].>
2020-05-28 19:05:54,479 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to auto-generate the encryption key>
2020-05-28 19:05:54,479 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [vE6fYU7pSHl9EmvAQ17N2DGQRH8tmIjlISnbf8AyGdg] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.encryption.key].>
2020-05-28 19:05:54,480 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Ticket-granting Cookie]. CAS will attempt to auto-generate the signing key>
2020-05-28 19:05:54,480 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [j8QmyBFDtPFDPSueg_GYnrldfmoXm1wvIXu87RjeJFF7Hw_Jc5AgBAix6rAxlHBozqj-WQvJcFCjYFqJerud3g] of size [512] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.signing.key].>
2020-05-28 19:05:54,657 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for signing is not defined under [cas.webflow.crypto.signing.key]. CAS will attempt to auto-generate the signing key>
2020-05-28 19:05:54,657 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated signing key [YBvEOAbPAV4p6zm_ehZAXyqikjjHa6JTq8WKmMiW-aaYBjvj6MJlMHCI6022tXxGBtZIrbEfTbhMwSLs7H6QBw] of size [512]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.signing.key].>
2020-05-28 19:05:54,658 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for encryption is not defined under [cas.webflow.crypto.encryption.key]. CAS will attempt to auto-generate the encryption key>
2020-05-28 19:05:54,660 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated encryption key [JWDyl33aY_xIGk60XwFF9g] of size [16]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.encryption.key].>
2020-05-28 19:05:57,693 INFO [org.apereo.cas.web.CasWebApplication] - <Started CasWebApplication in 34.797 seconds (JVM running for 37.584)>
2020-05-28 19:05:57,701 INFO [org.apereo.cas.web.CasWebApplication] - <>
2020-05-28 19:05:57,701 INFO [org.apereo.cas.web.CasWebApplication] - <


  ____  _____    _    ______   __
 |  _ \| ____|  / \  |  _ \ \ / /
 | |_) |  _|   / _ \ | | | \ V /
 |  _ <| |___ / ___ \| |_| || |
 |_| \_\_____/_/   \_\____/ |_|

>

I used this key in my resource server, but nothing changed, still a validation error.
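The thread turns on what kind of key the resource server has to verify with, and two things are visible on the page: the value configured under cas.authn.oauth.access-token.crypto.signing.key is a base64 DER RSA public key (the "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" prefix is the SubjectPublicKeyInfo header of a 2048-bit rsaEncryption key), while the signing keys CAS auto-generates in the same log, for ciphers of the same BaseStringCipherExecutor family as the JWT access-token cipher, are 512-bit base64url octet secrets, i.e. HMAC material. An RSA public key cannot act as an HMAC secret, and a verifier that accepts whatever alg the token header names is open to the well-known alg-confusion attack. The following is an added example, not CAS code and not code from anyone in this thread: a standard-library Python verifier for the resource-server side that classifies the configured key string, pins verification to HMAC algorithms, checks exp/nbf/iss/aud, and tries both plausible readings of the configured secret (raw UTF-8 bytes versus base64url-decoded), because the thread does not establish which one CAS applies. The issuer and audience URLs, the claim names and the 512-bit demo secret are constructed assumptions for the example.

```python
"""Resource-server side: verify an HMAC-signed JWT with a shared secret and sanity-check what
kind of key string was configured.  Added example (standard library only); it is not CAS code,
and the demo secret in __main__ is constructed, not a key from the thread."""
import base64
import hashlib
import hmac
import json
import time

# A shared secret only ever verifies HMAC algorithms.  Anything else in the header ("none",
# "RS256", ...) is rejected before any crypto runs, so a token cannot pick its own algorithm.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption), present in every RSA SubjectPublicKeyInfo.
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def b64_decode(s: str) -> bytes:
    """Decode base64 in the standard or URL-safe alphabet, adding padding if it is missing."""
    s = s.strip().replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def describe_configured_key(value: str) -> dict:
    """Tell an RSA public key (base64 DER SubjectPublicKeyInfo) apart from a raw octet secret
    such as the 512-bit base64url keys CAS prints when it auto-generates them."""
    raw = b64_decode(value)
    if raw[:1] == b"\x30" and RSA_OID in raw[:32]:          # DER SEQUENCE carrying rsaEncryption
        return {"kind": "rsa-public-key", "bits": None}     # unusable as an HMAC secret
    return {"kind": "octet-secret", "bits": len(raw) * 8}


def sign_hmac_jwt(claims: dict, key: bytes, alg: str = "HS512", header_override=None) -> str:
    """Mint an HMAC-signed JWT.  header_override exists only to build attack test vectors
    (e.g. a header claiming RS256 over an HMAC signature); real issuers never need it."""
    header = header_override or {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hmac_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify the signature first, then exp/nbf/iss/aud.  Raises ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a three-part JWS compact serialization") from None
    alg = json.loads(b64_decode(header_b64)).get("alg")
    if alg not in HMAC_ALGS:
        raise ValueError(f"alg {alg!r} rejected: a shared secret only verifies HMAC algorithms")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64_decode(sig_b64)):   # constant-time comparison
        raise ValueError("signature does not verify with this key")
    claims = json.loads(b64_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= float(claims["exp"]):
        raise ValueError("token expired")
    if "nbf" in claims and now < float(claims["nbf"]):
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if audience not in aud:
        raise ValueError(f"audience {audience!r} not in {aud!r}")
    return claims


def find_matching_key(token: str, configured: str, issuer: str, audience: str, now=None):
    """The thread does not settle whether the configured string is used as its raw UTF-8 bytes
    or base64url-decoded first; try both and report which one verifies (None if neither)."""
    candidates = [("raw-utf8", lambda: configured.encode("utf-8")),
                  ("base64url-decoded", lambda: b64_decode(configured))]
    for label, make_key in candidates:
        try:
            verify_hmac_jwt(token, make_key(), issuer, audience, now)
            return label
        except ValueError:          # binascii.Error (bad base64) is a ValueError too
            continue
    return None


if __name__ == "__main__":
    # Constructed demo secret: 64 bytes = 512 bits, printed the way CAS prints generated keys.
    secret = b64url_encode(bytes(range(64)))
    print(describe_configured_key(secret))
    token = sign_hmac_jwt({"iss": "https://cas.example.org/cas/oauth2.0", "aud": "resource-api",
                           "sub": "casuser", "exp": int(time.time()) + 300}, b64_decode(secret))
    print(find_matching_key(token, secret, "https://cas.example.org/cas/oauth2.0", "resource-api"))
```

Run describe_configured_key over the exact string you put in the CAS property before anything else: if it reports rsa-public-key, no HMAC verifier will ever accept the token, whatever property name turns out to be the right one. If it reports an octet secret, find_matching_key tells you which byte interpretation of that secret the issuer actually used, which is the next question this thread leaves open.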

Ray Bon

May 28, 2020, 2:15:27 PM5/28/20
to cas-...@apereo.org
The field identifier, cas.authn.oauth.crypto.signing.key, is different from the one you have in your properties, cas.authn.oauth.access-token.crypto.signing.key.

Perhaps both are needed.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

dg

May 29, 2020, 7:50:50 AM5/29/20
to CAS Community
Hey, thanks for the response. I have tried both the cas.authn.token.crypto and cas.authn.oauth.accessToken.crypto prefixes, but still a validation error. Does anybody know where the signing key is, or how I can set the signing key?

By the way, I don't need to encrypt the JWT; just signing it is enough.
