CAS JWT Service ticket validation getting failed

[srmudigan]

Hi,

I am using CAS overlay 5.2.x and I am trying to use JWT token for single sign on. I configured the cas.properties with signing key and encryption key. Also add the service json with keys. I see that JWT is getting generated but seems like the validation is failing. I am new to the CAS, so can any body please let me know how do we validate the JWT on CAS server. I see the following audit trail:

WHO: audit:unknown

WHAT: [event=success,timestamp=Wed Jan 30 13:25:36 EST 2019,source=RankedAuthenticationProviderWebflowEventResolver]

ACTION: AUTHENTICATION_EVENT_TRIGGERED

APPLICATION: CAS

WHEN: Wed Jan 30 13:25:36 EST 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

WHO: testuser

WHAT: Supplied credentials: [testuser]

ACTION: AUTHENTICATION_SUCCESS

APPLICATION: CAS

WHEN: Wed Jan 30 13:27:03 EST 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

WHO: testuser

WHAT: TGT-1-*********************************************************o9ZO9-5-lg-hostname

ACTION: TICKET_GRANTING_TICKET_DESTROYED

APPLICATION: CAS

WHEN: Wed Jan 30 13:27:04 EST 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

WHO: testuser

WHAT: TGT-1-*********************************************************9AvnnUJ-eU-hostname

ACTION: TICKET_GRANTING_TICKET_CREATED

APPLICATION: CAS

WHEN: Wed Jan 30 13:27:04 EST 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

WHO: testuser

WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname for http://localhost:8080/appname

ACTION: SERVICE_TICKET_CREATED

APPLICATION: CAS

WHEN: Wed Jan 30 13:27:04 EST 2019

CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1

SERVER IP ADDRESS: 0:0:0:0:0:0:0:1

WHO: testuser

WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname

ACTION: SERVICE_TICKET_VALIDATED

APPLICATION: CAS

WHEN: Wed Jan 30 13:27:05 EST 2019

CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

Then I see this failed message (service ticket doesn't exist):

2019-01-30 13:27:05,396 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Attempting to decode service ticket [eyJhbGciOiJIUzUxMiJ9.eyJjcmVkZW50aWFsVHlwZSI6IlVzZXJuYW1lUGFzc3dvcmRDcmVkZW50aWFsIiwiYXVkIjoiaHR0cDpcL1wvbG9jYWxob3N0OjkwNTBcL2NhcnQtd2ViXC9jYXJ0SG9tZS5kbyIsInN1YiI6InNtdWRpZ2FuIiwiaXNGcm9tTmV3TG9naW4iOiJ0cnVlIiwiYXV0aGVudGljYXRpb25EYXRlIjoiMjAxOS0wMS0zMFQxMzoyNzowNC4xMzgtMDU6MDBbQW1lcmljYVwvTmV3X1lvcmtdIiwiYXV0aGVudGljYXRpb25NZXRob2QiOiJBY2NlcHRVc2Vyc0F1dGhlbnRpY2F0aW9uSGFuZGxlciIsInN1Y2Nlc3NmdWxBdXRoZW50aWNhdGlvbkhhbmRsZXJzIjoiQWNjZXB0VXNlcnNBdXRoZW50aWNhdGlvbkhhbmRsZXIiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2NhcyIsImxvbmdUZXJtQXV0aGVudGljYXRpb25SZXF1ZXN0VG9rZW5Vc2VkIjoiZmFsc2UiLCJleHAiOjE1NDg5MDE2MjUsImlhdCI6MTU0ODg3MjgyNSwianRpIjoiU1QtMS01clhJMmQ5cm43UmYtQldYbGQyYjZoY3Q2eEEtTllDLTdMLTU1Nzg4MDAzIn0=.d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g] to verify authenticity>

2019-01-30 13:27:05,396 WARN [org.apereo.cas.DefaultCentralAuthenticationService] - <Service ticket [eyJhbGciOiJIUzUxMiJ9.eyJjcmVkZW50aWFsVHlwZSI6IlVzZXJuYW1lUGFzc3dvcmRDcmVkZW50aWFsIiwiYXVkIjoiaHR0cDpcL1wvbG9jYWxob3N0OjkwNTBcL2NhcnQtd2ViXC9jYXJ0SG9tZS5kbyIsInN1YiI6InNtdWRpZ2FuIiwiaXNGcm9tTmV3TG9naW4iOiJ0cnVlIiwiYXV0aGVudGljYXRpb25EYXRlIjoiMjAxOS0wMS0zMFQxMzoyNzowNC4xMzgtMDU6MDBbQW1lcmljYVwvTmV3X1lvcmtdIiwiYXV0aGVudGljYXRpb25NZXRob2QiOiJBY2NlcHRVc2Vyc0F1dGhlbnRpY2F0aW9uSGFuZGxlciIsInN1Y2Nlc3NmdWxBdXRoZW50aWNhdGlvbkhhbmRsZXJzIjoiQWNjZXB0VXNlcnNBdXRoZW50aWNhdGlvbkhhbmRsZXIiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2NhcyIsImxvbmdUZXJtQXV0aGVudGljYXRpb25SZXF1ZXN0VG9rZW5Vc2VkIjoiZmFsc2UiLCJleHAiOjE1NDg5MDE2MjUsImlhdCI6MTU0ODg3MjgyNSwianRpIjoiU1QtMS01clhJMmQ5cm43UmYtQldYbGQyYjZoY3Q2eEEtTllDLTdMLTU1Nzg4MDAzIn0=.d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g] does not exist.>

WHO: audit:unknown

WHAT: eyJhbGciOiJIUzUxMiJ9.eyJjcmVkZW50aWFsVHlwZSI6IlVzZXJuYW1lUGFzc3dvcmRDcmVkZW50aWFsIiwiYXVkIjoiaHR0cDpcL1wvbG9jYWxob3N0OjkwNTBcL2NhcnQtd2ViXC9jYXJ0SG9tZS5kbyIsInN1YiI6InNtdWRpZ2FuIiwiaXNGcm9tTmV3TG9naW4iOiJ0cnVlIiwiYXV0aGVudGljYXRpb25EYXRlIjoiMjAxOS0wMS0zMFQxMzoyNzowNC4xMzgtMDU6MDBbQW1lcmljYVwvTmV3X1lvcmtdIiwiYXV0aGVudGljYXRpb25NZXRob2QiOiJBY2NlcHRVc2Vyc0F1dGhlbnRpY2F0aW9uSGFuZGxlciIsInN1Y2Nlc3NmdWxBdXRoZW50aWNhdGlvbkhhbmRsZXJzIjoiQWNjZXB0VXNlcnNBdXRoZW50aWNhdGlvbkhhbmRsZXIiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2NhcyIsImxvbmdUZXJtQXV0aGVudGljYXRpb25SZXF1ZXN0VG9rZW5Vc2VkIjoiZmFsc2UiLCJleHAiOjE1NDg5MDE2MjUsImlhdCI6MTU0ODg3MjgyNSwianRpIjoiU1QtMS01clhJMmQ5cm43UmYtQldYbGQyYjZoY3Q2eEEtTllDLTdMLTU1Nzg4MDAzIn0=.d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g

ACTION: SERVICE_TICKET_VALIDATE_FAILED

APPLICATION: CAS

WHEN: Wed Jan 30 13:27:05 EST 2019

CLIENT IP ADDRESS: 127.0.0.1

SERVER IP ADDRESS: 127.0.0.1

I felt like CAS server is trying validate the generated JWT but it's not able find it.

[Michele Melluso]

Hi,

that happened to me while i was attempting by mistake to validate the Jwt as if it was a ST.

Actually Jwt is not intended to be validated against CAS, because its authenticity is granted by its signature (https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html).

Could you try to authenticate over cas with your client app turned off and see if the Jwt is returned?

cheers

Michele

[srmudigan]

Hi Michele,

Thanks for your reply.I tried to authenticate CAS without client app and I see it generated the jwt. I used the URL https://localhost:8443/cas/login?service=https://www.example.org to authenticate against cas. It generated the JWT ticket in the URL: https://www.example.org/?ticket=eyJhbGciOiJIUzUxMiJ9.eyJjcmVkZW50aWFsVHlwZSI6IlVzZXJuYW1lUGFzc3dvcmRDcmVkZW50aWFsIiwiYXVkIjoiaHR0cHM6XC9cL3d3dy5leGFtcGxlLm9yZyIsInN1YiI6InNtdWRpZ2FuIiwiaXNGcm9tTmV3TG9naW4iOiJ0cnVlIiwiYXV0aGVudGljYXRpb25EYXRlIjoiMjAxOS0wMS0zMVQxMDoyMToyOS4wMjktMDU6MDBbQW1lcmljYVwvTmV3X1lvcmtdIiwiYXV0aGVudGljYXRpb25NZXRob2QiOiJBY2NlcHRVc2Vyc0F1dGhlbnRpY2F0aW9uSGFuZGxlciIsInN1Y2Nlc3NmdWxBdXRoZW50aWNhdGlvbkhhbmRsZXJzIjoiQWNjZXB0VXNlcnNBdXRoZW50aWNhdGlvbkhhbmRsZXIiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2NhcyIsImxvbmdUZXJtQXV0aGVudGljYXRpb25SZXF1ZXN0VG9rZW5Vc2VkIjoiZmFsc2UiLCJleHAiOjE1NDg5NzY4ODksImlhdCI6MTU0ODk0ODA4OSwianRpIjoiU1QtMS10VnNmZ0FPcjRIQkFNT3lTb0RlNThhV1pTR2ctTllDLTdMLTU1Nzg4MDAzIn0%3D.34JcJbiCipnTWNdKufWFeF1VwY77eYAPyqDh06MmqkQiOXYkzY9Iauo9BAy-aa2clwZLZYeSI2fMZgDjjm-_wA

How do I turn off client app ? As I understand from your reply that "validate the jwt as it was ST", it seems like it's happening same for me. Can you please let me know how did you solved the issue ? When we use jwt, whats the correct the way to use jwt ? I am using the service name in service registry for which the jwt is getting generated, then jwt is getting passed to the application URL in service registry with redirect=true and ticket=generate-jwt but again it's getting validated against cas and it's throwing service ticket does not exist. So my question is where should we validate JWT ? on CAS server or client ? but it seems the validation is automatically happening on cas server. Once jwt is generated, why keep on getting ticket does not exist. 

Thanks in advance.

Regards,

srmudiganti

[Michele Melluso]

Hi srmudiganti,

try to see if this helps:

https://groups.google.com/a/apereo.org/d/msg/cas-user/2kby6bDGnoQ/J-AmktLCFgAJ

regards

Michele

[srmudigan]

Hi Michele,

I have gone through the link. But before I implement reading the token on client side, i need to disable the validation happening on cas side. Could you help me how to disable the validation that's happening on cas as it's doing JWTvalidation like ST ticket ? It looks like after JWT is generated, it's getting validated on cas. The generated URL has redirected=true&ticket=JWT-ticket. May be that's causing the automatic validation ? It looks like the jwt ticket is not even reaching client. So can you please suggest how to stop the validation ?

Thank you for your help.

Regards,
srmudiganti

[Michele Melluso]

Hi,

cas is not supposed at all to internally validate the JWT, since it should be generated by cas only after the ST is internally validated, (as its shown on the documentation flow diagram).

When it happened to me, it was because i was using a cas client which was applying the cas protocol providing back the ticket argument to the validation endpoint of cas.

Could you check that you are not using any cas client and provide your app code that you are using to validate the jwt?

regards

Michele

[srmudigan]

Hi Michele,

Yes you are right, cas is not internally validating the JWT. The cas client which in my case is spring boot based web app which is using cas-client-autoconfig-support and with @EnableCasClient annotation. I am using the validation-type: CAS3 in the client. And when I authenticate against cas server, the cas is generating the JWT but the client is trying to validate the JWT like ST by sending it back to cas.  Looks like the client is using Cas20ServiceTicketValidator to validate the JWT ticket which I think it should not. What changes did you do in client to not send it back to cas for validating ? 

Thanks,

srmudiganti 

[dim...@gmail.com]

In just released 2.2.0-GA version of cas-client-autoconfig-support library, there is a new configuration option to turn off ticket validation interaction by the Java CAS client (useful for this exact use case of JWTs as tickets). It looks like this: cas.skipTicketValidation=true

Once that's set, after authentication transaction, client apps will receive JWTs in the 'ticket' request parameter(if CAS server is set up to do that, of course) and CAS client will not attempt to validate it. Then you could do whatever you please with it.

Best,

D.

[srmudigan]

Thanks you. I will try with the new version.

Regards,

srmudigan