CAS 6.5 not able to use Jose4J package to validate JWT.


Jason Rocks

Aug 8, 2022, 10:52:35 PM
to CAS Community
I am upgrading from 5.3 to 6.5 and having some issues with using the Jose4J package to validate the JWTs.  From what I can tell after the JWE decrypts the JWT the content type header “cty” is “JWT” indicating that the JWT is still in a nested state according to Jose4J.  

—— Code 

// Imports the snippet relies on (jose4j plus commons-codec for Base64)
import java.nio.charset.StandardCharsets;

import org.apache.commons.codec.binary.Base64;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.keys.AesKey;

// Step 1: signature validation of the outer JWS
JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(jwtString);
jws.setKey(new AesKey(jwtConfig.getSigningKey().getBytes(StandardCharsets.UTF_8)));
jws.setAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE); // reject "alg":"none"
if (!jws.verifySignature()) {
    logger.error(String.format("jwt has invalid signature: %s", jwtString));
    return new ValidationDTO(false, false);
}

// Step 2: decrypt the inner JWE carried as the JWS payload. Claim validators are skipped here
// so that an otherwise valid but expired token can be told apart from a broken one.
final byte[] decodedBytes = Base64.decodeBase64(jws.getEncodedPayload().getBytes(StandardCharsets.UTF_8));
final String decodedPayload = new String(decodedBytes, StandardCharsets.UTF_8); // the JWE compact serialization
final JsonWebKey jsonWebKey = JsonWebKey.Factory
        .newJwk("{\"kty\":\"oct\",\"k\":\"" + jwtConfig.getEncriptionKey() + "\"}");
JwtConsumer maybeExpiredConsumer = new JwtConsumerBuilder()
        .setSkipAllValidators()
        .setDisableRequireSignature()
        .setSkipSignatureVerification()
        .setDecryptionKey(new AesKey(jsonWebKey.getKey().getEncoded()))
        .setJweAlgorithmConstraints(
                new AlgorithmConstraints(ConstraintType.WHITELIST,
                        KeyManagementAlgorithmIdentifiers.DIRECT))
        .setJweContentEncryptionAlgorithmConstraints(
                new AlgorithmConstraints(ConstraintType.WHITELIST,
                        ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256)) // this has to match the CAS configuration
        .build();

JwtContext context = maybeExpiredConsumer.process(decodedPayload); // <<<<< Exception thrown here: "Invalid JOSE Compact Serialization"

—— End Code

Invalid JWT:JWT processing failed. Additional details: [[17] Unable to process nested JOSE object (cause: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 14.): {"clientIpAddress":"127.0.0.1","sub":"te...@test2121.com","authenticationDate":1659977730,"successfulAuthenticationHandlers":"careerAuthenticationHandler","iss":"https:\/\/jason.crengland.com\/cas","userAgent":"PostmanRuntime\/7.29.2","credentialType":"UsernamePasswordCredential","aud":"https:\/\/jason.crengland.com\/cas","authenticationMethod":"careerAuthenticationHandler","geoLocation":"unknown","serverIpAddress":"127.0.0.1","exp":1660006530,"iat":1659977730,"jti":"TGT-2-xxxxxxxxx-CREJDR-MBP2022"}]

org.jose4j.jwt.consumer.InvalidJwtException: JWT processing failed. Additional details: [[17] Unable to process nested JOSE object (cause: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 14.): {"clientIpAddress":"127.0.0.1","sub":"te...@test2121.com","authenticationDate":1659977730,"successfulAuthenticationHandlers":"careerAuthenticationHandler","iss":"https:\/\/jason.crengland.com\/cas","userAgent":"PostmanRuntime\/7.29.2","credentialType":"UsernamePasswordCredential","aud":"https:\/\/jason.crengland.com\/cas","authenticationMethod":"careerAuthenticationHandler","geoLocation":"unknown","serverIpAddress":"127.0.0.1","exp":1660006530,"iat":1659977730,"jti":"TGT-2-xxxxxxxx-CREJDR-MBP2022"}]
        at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:406) ~[jose4j-0.7.12.jar:na]
        at com.crengland.web.security.service.JWTValidationServiceImpl.validate(JWTValidationServiceImpl.java:93) ~[classes/:na]
        at com.crengland.web.security.service.JWTValidationServiceImpl$$FastClassBySpringCGLIB$$c0ab6de1.invoke(<generated>) [classes/:na]
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) [spring-core-5.3.2.jar:5.3.2]

   …...

        at java.lang.Thread.run(Thread.java:750) [na:1.8.0_332]
Caused by: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 14.
        at org.jose4j.jwx.JsonWebStructure.fromCompactSerialization(JsonWebStructure.java:90) ~[jose4j-0.7.12.jar:na]
        at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:320) ~[jose4j-0.7.12.jar:na]
        ... 70 common frames omitted

Jason Rocks

Aug 16, 2022, 3:24:47 AM
to CAS Community, Jason Rocks
This appears to be an invalid implementation of the JWT standard in CAS. The inner JWE should not have a content type "cty" header of "JWT". 
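The failure mode described in the two posts above, reproduced and worked around in an added example that is not code from the thread, from CAS or from jose4j. It builds a token in the shape the poster describes (a JWS whose payload is a JWE with "cty":"JWT", encrypted with dir + A128CBC-HS256), then verifies it by handling the two layers with JsonWebSignature and JsonWebEncryption directly, so the "cty" header is never used to decide whether to unwrap a further layer, and finally runs jose4j's claim validators over the parsed claims via JwtConsumer.processContext. The class name, the HS512 outer algorithm, the raw key bytes, the issuer URL and the 30-second clock skew are assumptions; CAS deployments must substitute their configured algorithms and keys.

```java
import java.security.SecureRandom;
import java.util.Arrays;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.AesKey;
import org.jose4j.keys.HmacKey;
import org.jose4j.lang.JoseException;

/** Added example (hypothetical class, not CAS code): verify sign(encrypt(claims)) tokens whose inner JWE says "cty":"JWT". */
public final class NestedCasJwtVerifier {
    private final HmacKey signingKey;     // assumption: raw HMAC key bytes matching the CAS signing key
    private final AesKey encryptionKey;   // assumption: raw AES key bytes matching the CAS encryption key
    private final String expectedIssuer;  // CAS server URL expected in both "iss" and "aud"

    public NestedCasJwtVerifier(byte[] signingKeyBytes, byte[] encryptionKeyBytes, String expectedIssuer) {
        this.signingKey = new HmacKey(signingKeyBytes);
        this.encryptionKey = new AesKey(encryptionKeyBytes);
        this.expectedIssuer = expectedIssuer;
    }

    public JwtClaims verify(String token) throws JoseException, InvalidJwtException {
        // Outer layer: JWS. Pin the algorithm (HS512 is an assumption) and verify before touching the payload.
        JsonWebSignature jws = new JsonWebSignature();
        jws.setCompactSerialization(token);
        jws.setKey(signingKey);
        jws.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.WHITELIST, AlgorithmIdentifiers.HMAC_SHA512));
        if (!jws.verifySignature()) {
            throw new JoseException("outer JWS signature is invalid");
        }

        // Inner layer: JWE. Decrypting with JsonWebEncryption directly means the "cty":"JWT" header is
        // never consulted, so jose4j does not try to parse the decrypted claims JSON as a third layer.
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setCompactSerialization(jws.getUnverifiedPayload());
        jwe.setKey(encryptionKey);
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.WHITELIST, KeyManagementAlgorithmIdentifiers.DIRECT));
        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.WHITELIST,
                ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256));
        JwtClaims claims = JwtClaims.parse(jwe.getPlaintextString());

        // Claim validation (exp, sub, iss, aud, skew) still goes through jose4j's consumer; its own
        // signature handling is switched off because the JWS was verified above.
        JwtConsumer claimValidator = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setRequireSubject()
                .setExpectedIssuer(expectedIssuer)
                .setExpectedAudience(expectedIssuer)
                .setAllowedClockSkewInSeconds(30)
                .setSkipSignatureVerification()
                .setDisableRequireSignature()
                .build();
        // jose4j lists JOSE objects innermost first
        claimValidator.processContext(new JwtContext(claims, Arrays.<JsonWebStructure>asList(jwe, jws)));
        return claims;
    }

    /** Constructed sample token in the shape the thread describes: a JWS over a JWE carrying "cty":"JWT". */
    static String buildSampleToken(byte[] signingKeyBytes, byte[] encryptionKeyBytes, String issuer) throws JoseException {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuer);
        claims.setAudience(issuer);
        claims.setSubject("user@example.test");
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(480);
        claims.setJwtId("TGT-sample-placeholder");

        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setPlaintext(claims.toJson());
        jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.DIRECT);
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
        jwe.setContentTypeHeaderValue("JWT"); // the header that makes JwtConsumer look for a nested layer
        jwe.setKey(new AesKey(encryptionKeyBytes));

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(jwe.getCompactSerialization());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA512);
        jws.setKey(new HmacKey(signingKeyBytes));
        return jws.getCompactSerialization();
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo keys: 64 bytes for HS512, 32 bytes for dir + A128CBC-HS256.
        byte[] signingKeyBytes = new byte[64];
        byte[] encryptionKeyBytes = new byte[32];
        SecureRandom random = new SecureRandom();
        random.nextBytes(signingKeyBytes);
        random.nextBytes(encryptionKeyBytes);
        String issuer = "https://cas.example.test/cas";

        String token = buildSampleToken(signingKeyBytes, encryptionKeyBytes, issuer);
        JwtClaims claims = new NestedCasJwtVerifier(signingKeyBytes, encryptionKeyBytes, issuer).verify(token);
        System.out.println("verified subject: " + claims.getSubject() + ", jti: " + claims.getJwtId());
    }
}
```

Feeding the same sample token's inner JWE to a JwtConsumer with a decryption key, as the original snippet does, reproduces the "[17] Unable to process nested JOSE object" error, because the consumer honours "cty":"JWT" and tries to split the decrypted JSON on dots. The algorithm whitelists on both layers matter as much as the workaround: without them a token presenting a different "alg" or "enc" would be accepted as long as the key happened to fit.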

Tariq Hassan

Aug 17, 2022, 9:42:26 AM
to CAS Community, slap...@gmail.com
Please take a look at this issue that I posted. Your help will be appreciated.
