CAS OpenID Connect / OAUTH2 JWT Tokens Signing issue


Simon Rieu
Jul 22, 2021, 7:50:35 AM
to CAS Community
Hi everyone

I'm currently using CAS version 6.3.2. I added the support for the OpenID Connect protocol, which is based on the OAuth2 protocol.
With the following configuration I'm able to generate a JWT access token and a refresh token. My goal is to sign these tokens; encryption is not needed.
So far so good. Now, from the resource server, I would like to check the signature of these tokens.
When the OpenID Connect protocol is active there is an endpoint on /oidc/jwks which allows everybody to retrieve the public keys (by default there is one and it's an RSA key)
to do exactly that. My problem is that when I parse the JWT token generated by the CAS, the algorithm used (extracted from the header section of the JWT token) is not RSA:

The parsed JWT indicates it was signed with the HS512 signature algorithm,
but the specified signing key of type com.android.org.conscrypt.OpenSSLRSAPublicKey may not be used to validate HS512 signatures.  
Because the specified signing key reflects a specific and expected algorithm, and the JWT does not reflect this algorithm, it is likely that the JWT was not expected and therefore should not be trusted.  Another possibility is that the parser was configured with the incorrect signing key,
but this cannot be assumed for security reasons.

I tried to add the following configuration in my properties file to change that

cas.authn.oauth.access-token.crypto.alg=RSA (tried with RS512 too)

and here is the whole section regarding crypto

cas.authn.oauth.access-token.crypto.signing.key=...
cas.authn.oauth.access-token.create-as-jwt=true
cas.authn.oauth.access-token.crypto.encryption-enabled=false
cas.authn.oauth.access-token.crypto.signing-enabled=true
cas.authn.oauth.access-token.crypto.alg=RSA

There is a section (https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties-Common.html#signing--encryption) regarding RSA keys in the common properties to generate a private / public key, but I don't know how to configure the CAS
to use the public one (the private one can be configured via cas.authn.oauth.access-token.crypto.signing.key) for OIDC.

Here is my service.json

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "serviceId" : "...",
  "clientId" : "...",
  "name" : "...",
  "id" : 10000006,
  "evaluationOrder" : 1,
  "scopes" : [ "java.util.HashSet", [ "email" ] ],
  "bypassApprovalPrompt" : true,
  "generateRefreshToken" : true,
  "jwtAccessToken" : true,
  "properties" : {
    "@class" : "java.util.HashMap",
    "accessTokenAsJwtSigningKey" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "..." ] ]
    },
    "accessTokenAsJwtSigningEnabled" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    },
    "accessTokenAsJwtEncryptionEnabled" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "false" ] ]
    }
  }
}

Another strange behaviour is that, to make JWT token generation work, it seems that the global properties alone are not sufficient:

cas.authn.oauth.access-token.crypto.signing.key=...
cas.authn.oauth.access-token.create-as-jwt=true
cas.authn.oauth.access-token.crypto.encryption-enabled=false
cas.authn.oauth.access-token.crypto.signing-enabled=true

and we need the properties in the service to make it work.
Without the accessTokenAsJwtSigningKey I have an error (why, since there is already a key configured in the properties?!):

org.jose4j.lang.InvalidAlgorithmException: Signature algorithm header (alg) not set.
        at org.jose4j.jws.JsonWebSignature.getAlgorithm(JsonWebSignature.java:245) ~[jose4j-0.7.2.jar!/:?]
        at org.jose4j.jws.JsonWebSignature.getAlgorithm(JsonWebSignature.java:231) ~[jose4j-0.7.2.jar!/:?]
        at org.jose4j.jws.JsonWebSignature.sign(JsonWebSignature.java:181) ~[jose4j-0.7.2.jar!/:?]
        at org.jose4j.jws.JsonWebSignature.getCompactSerialization(JsonWebSignature.java:140) ~[jose4j-0.7.2.jar!/:?]
        at org.apereo.cas.util.EncodingUtils.signJws(EncodingUtils.java:471) ~[cas-server-core-util-api-6.3.2.jar!/:6.3.2]
        at org.apereo.cas.util.cipher.AbstractCipherExecutor.signWith(AbstractCipherExecutor.java:113) ~[cas-server-core-util-api-6.3.2.jar!/:6.3.2]
        at org.apereo.cas.oidc.token.OidcRegisteredServiceJwtAccessTokenCipherExecutor$1.sign(OidcRegisteredServiceJwtAccessTokenCipherExecutor.java:140) ~[cas-server-support-oidc-core-api-6.3.2.jar!/:6.3.2]

"properties" : {
  "@class" : "java.util.HashMap",
  "accessTokenAsJwtSigningKey" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "..." ] ]
  },
  "accessTokenAsJwtSigningEnabled" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "true" ] ]
  },
  "accessTokenAsJwtEncryptionEnabled" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "false" ] ]
  }
}

Maybe I need to use the jwk property ("Optional. Resource path to the keystore location that holds the keys for this application") described in https://apereo.github.io/cas/6.3.x/installation/OIDC-Authentication.html
But I don't know why I would need it...

I tried many things, including reading the source code, but I've been hard stuck for 2 days on the matter. If somebody could help me that would be great.

Thanks

Simon
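The error quoted in this post is the resource server refusing a key/algorithm mismatch, which is the correct behaviour: the header says HS512 (an HMAC with a shared secret), so an RSA public key from /oidc/jwks cannot verify it, whatever the configuration. The snippet below is an added example, not code from the thread, from CAS or from jjwt, that shows the two checks a resource server should do in that order: read the unverified header to learn which alg the token actually carries, then verify only if that alg equals the one the provisioned key is for. The secret, the claims and the function names are constructed for the example; only HS512 is implemented, because it needs nothing beyond the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; not a CAS key and not a value from the thread.
DEMO_HS512_SECRET = b"constructed-demo-secret-not-a-real-key"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs512_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS signed with HS512 (constructed sample input for the demo)."""
    header = {"alg": "HS512", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)


def inspect_header(token: str) -> dict:
    """Return the JOSE header WITHOUT verifying anything.

    This is the first debugging step: it tells you which alg (and kid, if any)
    the issuer actually used, so you know which key material can verify it.
    """
    return json.loads(b64url_decode(token.split(".")[0]))


class AlgorithmMismatch(Exception):
    pass


class BadSignature(Exception):
    pass


def verify_token(token: str, key: bytes, key_alg: str) -> dict:
    """Verify `token` with `key`, which was provisioned for exactly `key_alg`.

    The alg comparison happens before any cryptography: the key decides the
    algorithm, the token header never does. That is the rule behind the jjwt
    error quoted in the post.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != key_alg:
        raise AlgorithmMismatch(
            f"token alg {header.get('alg')!r} does not match key alg {key_alg!r}"
        )
    if key_alg != "HS512":
        # RS*/ES* need an asymmetric key and a crypto library (e.g. the RSA
        # public key fetched from the issuer's JWKS); the alg pin above still applies.
        raise NotImplementedError("only HS512 is implemented in this example")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise BadSignature("HS512 signature does not match")
    return json.loads(b64url_decode(parts[1]))


def check(token: str, key: bytes, key_alg: str) -> str:
    """Summarise the verification outcome as a status string."""
    try:
        verify_token(token, key, key_alg)
        return "ok"
    except AlgorithmMismatch:
        return "alg-mismatch"
    except BadSignature:
        return "bad-signature"


if __name__ == "__main__":
    tok = make_hs512_token({"sub": "demo-user", "iss": "https://cas.example/oidc"}, DEMO_HS512_SECRET)
    print("header:", inspect_header(tok))                       # alg is HS512
    print("verify with RSA-provisioned verifier:", check(tok, DEMO_HS512_SECRET, "RS512"))  # alg-mismatch
    print("verify with HS512 shared secret:", check(tok, DEMO_HS512_SECRET, "HS512"))       # ok
```

Running `inspect_header` on the real CAS token before anything else answers the question in the post directly: if the header says HS512, the token was produced with a shared (symmetric) signing secret and the resource server needs that same secret, not the RSA key from the JWKS endpoint; if the header says RS256/RS512 and carries a kid, the JWKS is the right place to look. Pinning `key_alg` per key, as `verify_token` does, is what keeps a mis-provisioned verifier from silently accepting a token signed under a different scheme.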

Kartik Mehta
Apr 22, 2022, 7:51:13 AM
to cas-...@apereo.org
I have the same issue. Did you manage to solve it? Do global properties work?
