JWT without encryption key


Xavier Rodríguez

Nov 12, 2018, 10:44:10 AM
to CAS Community
I'm configuring CAS Server 5.3.3. In one service I need to respond with a JWT without encryption. Is it possible?

I have changed in cas.properties:

cas.authn.token.crypto.encryptionEnabled=false

But it has no effect. In my service I don't configure the property either:

"jwtAsServiceTicketEncryptionKey"

How can I disable this property?

Regards!

- Xavier -

Devendra Sisodia

Dec 13, 2018, 6:45:31 AM
to CAS Community
Hello Xavier, all, 

I too have a similar requirement of a JWT without encryption and am wondering if there exists any solution.

Regards,
Devendra

Devendra Sisodia

Dec 13, 2018, 6:53:56 AM
to cas-...@apereo.org
Hi all,

Just to describe in detail what my requirement is:
I need the JWT signed but without encryption. I tried the config below, to no avail:

cas.authn.token.crypto.encryptionEnabled=false
cas.authn.token.crypto.signingEnabled=true

Can someone please suggest how this can be achieved?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/46fd8e38-fafe-486c-ae54-b184c3227103%40apereo.org.


--
Thanks & regards,
Devendra
Mobile: +49 1748437888

Giuseppe Infurna

Dec 13, 2018, 8:09:29 AM
to CAS Community
Hi all,
It works fine for me with

cas.authn.token.crypto.encryption-enabled=false
cas.authn.token.crypto.encryption.key=

Devendra Sisodia

Dec 13, 2018, 8:55:49 AM
to cas-...@apereo.org
Sorry, but this does not work.
What does your service (the one with the 'jwtAsServiceTicket' definition, etc.) look like?



Giuseppe Infurna

Dec 13, 2018, 9:40:08 AM
to CAS Community

yes

### Token/JWT Tickets ENCRYPTION
cas.authn.token.crypto.enabled=true

cas.authn.token.crypto.signing-enabled=true
cas.authn.token.crypto.signing.key=Dkkpi7iUKqidOXXmeAbr4RyHirYmgQgqqUrIo6q_JPNks2iqX2l95jVVoZQDWLNiFnhQF43agCtdMxRnIXOO9g

cas.authn.token.crypto.encryption-enabled=false
cas.authn.token.crypto.encryption.key=

and

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http|https)://?localhost(:8081|:9060|:9000)?/.*",
  "name" : "myApplication",
  "theme" : "myApplication",
  "id" : 10000003,
  "description" : "My Application",
  "evaluationOrder" : 1,
  "usernameAttributeProvider" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  },
  "proxyPolicy" : {
    "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^(http|https)?://.*"
  },
  "properties" : {
    "@class" : "java.util.HashMap",
    "jwtAsServiceTicket" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    }
  }
}


Devendra Sisodia

Dec 14, 2018, 8:02:14 AM
to giusepp...@gmail.com, cas-...@apereo.org
Hello,

Big thanks for sharing the configuration; as a result the JWT is not encrypted and only signed.

But now I face a strange issue. When I try to verify the signature it fails. I am using AES and a single key to sign, and the JWT is generated. But the generated JWT fails signature verification.

JWT generated as below:
2018-12-14 12:33:00,684 DEBUG [org.apereo.cas.token.JWTTokenTicketBuilder] - <Locating service [http://localhost:8888/api] in service registry>
2018-12-14 12:33:00,685 DEBUG [org.apereo.cas.token.JWTTokenTicketBuilder] - <Locating service specific signing and encryption keys for [http://localhost:8888/api] in service registry>
2018-12-14 12:33:00,690 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Encryption is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceTokenTicketCipherExecutor] will only attempt to produce signed objects>
2018-12-14 12:33:00,690 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Signing is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceTokenTicketCipherExecutor] will attempt to produce plain objects>
2018-12-14 12:33:00,690 DEBUG [org.apereo.cas.token.JWTTokenTicketBuilder] - <Encoding JWT based on default global keys for [http://localhost:8888/api]>
2018-12-14 12:33:00,734 DEBUG [org.apereo.cas.authentication.principal.DefaultResponse] - <Sanitized URL for redirect response is [http://localhost:8888/api]>
2018-12-14 12:33:00,736 DEBUG [org.apereo.cas.authentication.principal.DefaultResponse] - <Final redirect response is [http://localhost:8888/api?redirect=true&ticket=eyJhbGciOiJSUzUxMiJ9

Verification code used is:

import java.nio.charset.StandardCharsets;
import java.security.Key;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.AesKey;

// jwtSigning: the shared signing secret; secureJwt: the compact JWT taken from the ticket parameter
final Key key = new AesKey(jwtSigning.getBytes(StandardCharsets.UTF_8));

final JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(secureJwt);
jws.setKey(key);
if (!jws.verifySignature()) {
    throw new Exception("JWT verification failed");
}

Giuseppe Infurna

Dec 14, 2018, 8:11:32 AM
to CAS Community, giusepp...@gmail.com

I'm using the io.jsonwebtoken.jjwt library

Jwts.parser().setSigningKey(<yourSecretKey>).parseClaimsJws(<yourJwt>);

Devendra Sisodia

Dec 14, 2018, 10:37:45 AM
to cas-...@apereo.org, giusepp...@gmail.com
While decoding the JWT there is an error "Bad Base64 input character decimal 37 in array position 806", which means 37 (%) is not allowed in a base64-encoded string in a JWT.

My JWT looks like below, and the yellow-highlighted character is the 806th element that cannot be base64 decoded.

eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpdmVyYXNlI<string>NTg3In0%3D.UmNz8ikEOFYqPgHRmZb1SK6A1pRFu48fSfYTasMGYHKtg7V8JepAfwunXwFeHsx5JTi4yKBug1Tq9PqfdY93lA

William E.

Dec 15, 2018, 10:14:07 AM
to CAS Community, giusepp...@gmail.com
I think you are seeing the discrepancy due to base64 vs. base64url decoding. I think the JWT spec wants base64url rather than plain base64.

Devendra Sisodia

Dec 17, 2018, 7:10:51 AM
to cas-...@apereo.org, Giuseppe Infurna
I am observing that extra non-base64 characters are appended to the payload. If I remove them then I am able to verify the signature. Can someone suggest whether this is a CAS issue or an issue in my configuration?

JWT: eyJhbGciOiJIUzUxMiJ9.<payload>%3D%3D.WB71awCAFz2tsa1ZqoZnWacKKVAarjsylBuOvnetHf9CHsIFgYtg58-2hCbeJT-gMFlCzaolriDsks1bE_RIPw

If I remove '%3D%3D' from JWT then verification succeeds. 



William E.

Dec 17, 2018, 10:04:38 AM
to CAS Community, giusepp...@gmail.com
I think the JWT as seen in the URL as the value for the token parameter has been URL'ized by converting some characters to their HTML entity values. If you look at the same JWT as seen in the CAS logs you will find it does not have the HTML characters; it's pure base64. If I use that value or convert the token value to non-URL-safe characters, it will validate with jose.

However, although I can validate in jose in Java and Python, I cannot in another Python JWT library. I've been in direct contact with that maintainer and they tell me the JWT built by CAS may not be following the spec: that the signature is being built with base64, not base64url, encoding. Jose validates because it doesn't verify the payload first. I'm not sure where the issue is for certain as I am no JWT expert. Perhaps one of the CAS developers can weigh in?

From the jwcrypto library maintainer:

RFC 7515, Section 2:

Base64url Encoding
Base64 encoding using the URL- and filename-safe character set
defined in Section 5 of RFC 4648 [RFC4648], with all trailing '='
characters omitted (as permitted by Section 3.2) and without the
inclusion of any line breaks, whitespace, or other additional
characters. Note that the base64url encoding of the empty octet
sequence is the empty string. (See Appendix C for notes on
implementing base64url encoding without padding.)


-W

Michele Melluso

May 21, 2019, 12:10:15 PM
to CAS Community, giusepp...@gmail.com
Hi all,

I got a similar issue when I try to verify the JWT signature with several libraries, including Node.js jsonwebtoken, since the library allows only base64url-encoded tokens because of the mentioned RFC 7515.
With the java-jwt library the token is correctly verified.

Debugging the code, I found in CAS version 6.0, EncodingUtils.java:362, the following code:

    @SneakyThrows
361     public static byte[] signJws(final Key key, final byte[] value, final String algHeaderValue) {
362         val base64 = EncodingUtils.encodeBase64(value);
363         val jws = new JsonWebSignature();
364         jws.setEncodedPayload(base64);
365         jws.setAlgorithmHeaderValue(algHeaderValue);
366         jws.setKey(key);
367         jws.setHeader("typ", "JWT");
368         return jws.getCompactSerialization().getBytes(StandardCharsets.UTF_8);
369     }


Could it be convenient to use the base64url encoder in the same class instead? I've been trying to inject the patch into my overlay environment without success because of my poor Gradle skills.

best regards
Michele

dg

May 29, 2020, 9:41:33 AM
to CAS Community
Hello, is there anybody who verifies JWTs with a Spring resource server? I have a configuration like this. When I use a custom OAuth2 server, it works well, but when I change to the CAS OAuth2 server, it cannot verify the JWT.

cas oauth2
cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.signing-enabled=true
cas.authn.oauth.crypto.signing.key=RwBkYP2TGd1qobBQnW0mraR1jJ5_uBT65LlnpP8xe_sy3IiNQ_6SnNUxagwcPxHUudONBN_hEPRRUHxaAsTzgQ
cas.authn.token.crypto.encryption-enabled=false
cas.authn.token.crypto.encryption.key=

spring resource server config

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // shared symmetric key, the same value as the CAS signing key above
    private String signKey = "RwBkYP2TGd1qobBQnW0mraR1jJ5_uBT65LlnpP8xe_sy3IiNQ_6SnNUxagwcPxHUudONBN_hEPRRUHxaAsTzgQ";

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(signKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        return defaultTokenServices;
    }

}

denizg

Aug 24, 2020, 11:24:56 AM
to CAS Community, denizg
I realized that it was because of different algorithm types. The Spring resource server uses HMAC-SHA256 by default when using a symmetric key, but CAS sends HMAC-SHA512. So I updated the accessTokenConverter() method as below:

    // additional imports needed in ResourceServerConfig
    import javax.crypto.spec.SecretKeySpec;
    import org.springframework.security.jwt.crypto.sign.MacSigner;
    import org.springframework.security.jwt.crypto.sign.SignatureVerifier;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        String key = "RwBkYP2TGd1qobBQnW0mraR1jJ5_uBT65LlnpP8xe_sy3IiNQ_6SnNUxagwcPxHUudONBN_hEPRRUHxaAsTzgQ";
        // pin the verifier to HMAC-SHA512 to match what CAS signs with
        SignatureVerifier sha512Verifier = new MacSigner("HMACSHA512", new SecretKeySpec(key.getBytes(), "HMACSHA512"));
        converter.setVerifier(sha512Verifier);
        return converter;
    }

On Friday, May 29, 2020 at 16:41:33 UTC+3, denizg wrote:
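An added example (editor's Python, not CAS, jose4j or Spring code) that makes the three problems discussed in this thread reproducible offline: the `%3D%3D` padding Devendra saw in the ticket parameter, the base64 vs. base64url mismatch William and Michele traced to the quoted EncodingUtils.signJws snippet, and the HS256 vs. HS512 default that denizg hit with Spring's MacSigner. The secret, the claims, the issuer URL and the redirect URL are all constructed for the demo; `cas_style=True` imitates what the quoted snippet does (standard, padded base64 as the signed payload segment) rather than calling CAS. The verifier is a strict RFC 7515 one: it rejects any segment outside the base64url alphabet and pins the expected algorithm instead of trusting the token's `alg` header.

```python
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import quote, unquote

# Assumption: the shared symmetric secret, i.e. what CAS holds in
# cas.authn.token.crypto.signing.key. Throwaway demo value, not a real key.
KEY = b"constructed-demo-secret-do-not-reuse"
# Constructed claims; 67 bytes of JSON, so the standard-base64 form ends in '=='.
CLAIMS = {"sub": "casuser", "iss": "https://cas.example.org/", "exp": 1700000000}
MACS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}
B64URL_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet, trailing '=' removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mac(alg: str, signing_input: bytes) -> str:
    return b64url(hmac.new(KEY, signing_input, MACS[alg]).digest())


def build_jwt(claims: dict, alg: str = "HS512", cas_style: bool = False) -> str:
    """cas_style=True imitates the EncodingUtils.signJws snippet quoted above:
    the payload segment is standard base64 ('+', '/', trailing '=') and the MAC
    is computed over that string, so the padding becomes part of the signed data."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    raw = json.dumps(claims, separators=(",", ":")).encode()
    payload = base64.b64encode(raw).decode("ascii") if cas_style else b64url(raw)
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{mac(alg, signing_input)}"


def verify(token: str, expected_alg: str) -> dict:
    """Strict verifier: three unpadded base64url segments, algorithm pinned by
    the caller rather than read from the token, constant-time MAC comparison."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    for seg in parts:
        if not B64URL_SEGMENT.fullmatch(seg):
            raise ValueError(f"segment is not base64url: ...{seg[-6:]}")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')} is not the pinned {expected_alg}")
    expected = mac(expected_alg, f"{header_b64}.{payload_b64}".encode("ascii"))
    if not hmac.compare_digest(expected, sig_b64):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def classify(token: str, expected_alg: str) -> str:
    """'ok' or the first rejection reason; used by the walk-through below."""
    try:
        verify(token, expected_alg)
        return "ok"
    except ValueError as err:
        return str(err)


def redirect_url(token: str) -> str:
    """CAS-style redirect (constructed): the ticket is a query parameter, so '=' -> '%3D'."""
    return "http://localhost:8888/api?redirect=true&ticket=" + quote(token, safe="")


def ticket_from_redirect(url: str) -> str:
    """Percent-decode the ticket parameter before any JWT parsing."""
    return unquote(url.split("ticket=", 1)[1].split("&", 1)[0])


if __name__ == "__main__":
    cas = build_jwt(CLAIMS, cas_style=True)
    good = build_jwt(CLAIMS)
    url = redirect_url(cas)
    print("%3D%3D in redirect URL:", "%3D%3D" in url)
    print("cas-style, HS512 pinned:", classify(ticket_from_redirect(url), "HS512"))
    print("compliant, HS512 pinned:", classify(good, "HS512"))
    # base64url needs no percent-encoding, so the compliant token survives the URL unchanged
    print("compliant token unchanged by URL encoding:", redirect_url(good).endswith(good))
    # Spring's default MacSigner expects HS256 while CAS signs HS512
    print("compliant, HS256 pinned:", classify(good, "HS256"))
```

Two design points worth keeping in any real verifier: the algorithm is supplied by the relying party and compared against the header, never selected by the header (that is what the HS256/HS512 mismatch above surfaces, and it also closes off alg-confusion tricks), and the MAC is compared with `hmac.compare_digest` over the segments exactly as received, so a padded or re-encoded payload fails cleanly instead of being silently normalised.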