[CAS 5.1.6 and 5.2.0] JWT : Last call before nervous breakdown

Didier Capdevielle

Dec 15, 2017, 10:11:03 AM
to CAS Community
Hi all,

I have been trying for far too long to make JWT Service Tickets work.

No problem with the dependencies cas-server-support-token-tickets (and cas-server-support-token-webflow) in pom.xml.

In cas.properties (version 5.2.0, the parameter names have changed):
...
## JWT authentication :
#
# cas.authn.token.name=

# cas.authn.token.principalTransformation.pattern=(.+)@example.org
# cas.authn.token.principalTransformation.groovy.location=file:///etc/cas/config/principal.groovy
# cas.authn.token.principalTransformation.suffix=
# cas.authn.token.principalTransformation.caseConversion=NONE|UPPERCASE|LOWERCASE
# cas.authn.token.principalTransformation.prefix=

## JWT Service Tickets :
#
cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signing.key=S......................(the signing key).....................................w
cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.key=Q........ (the encryption key) .....BM
cas.authn.token.crypto.encryption.keySize=256
cas.authn.token.crypto.alg=AES
...

Tests with a CAS client (php-cas) and a JSON file for the Service Registry:
{
   "@class" : "org.apereo.cas.services.RegexRegisteredService",
   "serviceId" : "^https://v-testcas01.*",
   "name" : "Service(s) Tickets JWT",
   "id" : 10000008,
   "evaluationOrder" : 15,
   "properties" : {
      "@class" : "java.util.HashMap",
      "jwtAsServiceTicket" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "true" ] ]
       }
   }
}

What exactly do jwtAsServiceTicket and jwtAsResponse do?

No errors in the log: TGT, then ST, then ST validate, but after that, nothing. No trace of a JWT (and the TGC looks the same).

How can I be sure the application received the JWT, and how do I decrypt it?
Where am I wrong in the configuration?
 
Many thanks for any help,

Best regards,

Didier Capdevielle

Jan 8, 2018, 9:29:19 AM
to CAS Community
From beyond the grave: happy new year!


Pascal Rigaux

Jan 31, 2018, 11:03:43 AM
to cas-...@apereo.org
On 15/12/2017 16:11, Didier Capdevielle wrote:
> What exactly do jwtAsServiceTicket vs jwtAsResponse ?

jwtAsServiceTicket replaces jwtAsResponse.

(cf https://github.com/apereo/cas/commit/b163f59b2376a4cceda0640be91bbc895fac6f3e )

> No errors in log : TGT then ST then ST Validate but after that, nothing. No trace of JWT (and TGC looks same).
>
> How to be sure application received JWT and how to decrypt that ?
> Where am i wrong in configuration ?

Maybe you hit this issue https://github.com/apereo/cas/pull/3107 ?

On 5.2.2, I successfully got a JWT after adding

  "properties" : {
    "@class" : "java.util.HashMap",
    "jwtAsResponse" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    }
  }

in a service configuration file.

Pascal Rigaux

Jan 31, 2018, 12:01:21 PM
to cas-...@apereo.org
Note that if you disable encryption with

cas.authn.token.crypto.encryptionEnabled=false

the payload will be double Base64-encoded. I created a fix here: https://github.com/apereo/cas/pull/3179
--
Pascal Rigaux

Expert in application development and deployment
DSIUN-SAS (applications and digital services department)
Université Paris 1 Panthéon-Sorbonne - Centre Pierre Mendès France (PMF)
B 407 - 90, rue de Tolbiac - 75634 PARIS CEDEX 13 - FRANCE
Tel.: 01 44 07 86 59

Stefano Nucci

Mar 8, 2018, 6:11:20 AM
to CAS Community
Hello, I tried your fix but there are errors. Are you sure it is ok?

Pascal Rigaux

Mar 8, 2018, 6:32:34 AM
to cas-...@apereo.org
As written in the pull request: "not tested"

On 08/03/2018 12:11, Stefano Nucci wrote:
> Hello, I tried your fix but there are errors. Are you sure it is ok?

jojoyoung

Mar 20, 2018, 5:42:40 AM
to CAS Community
I ran into the same issue. Have you solved it?

On Monday, January 8, 2018 at 10:29:19 PM UTC+8, Didier Capdevielle wrote:

nilesh choudhary

Mar 20, 2018, 6:48:56 AM
to CAS Community
I faced the same issue. Unless you are using a CAS version where the double Base64 encoding issue is fixed, please use the method below to extract the JSON payload from JWT tickets.

import java.nio.charset.StandardCharsets;
import java.security.Key;

import org.apache.commons.codec.binary.Base64;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.AesKey;
import org.jose4j.lang.JoseException;

public class CasJwtPayload {

    /**
     * Verifies the signature of a CAS JWT service ticket issued with
     * cas.authn.token.crypto.encryptionEnabled=false and returns its JSON payload.
     *
     * @param jwt     the compact-serialised JWS received as the service ticket
     * @param signKey the value of cas.authn.token.crypto.signing.key
     *                (passed in here; the original snippet referenced an undeclared field)
     */
    public static String getJsonPayloadFromJWT(String jwt, String signKey) throws Exception {
        Key key = new AesKey(signKey.getBytes(StandardCharsets.UTF_8));
        JsonWebSignature jws = new JsonWebSignature();

        try {
            jws.setCompactSerialization(jwt);
        } catch (JoseException e) {
            throw new Exception("Malformed JWT compact serialization", e);
        }
        jws.setKey(key);

        boolean signatureVerified;
        try {
            signatureVerified = jws.verifySignature();
        } catch (JoseException e) {
            throw new Exception("JWT verification failed", e);
        }
        if (!signatureVerified) {
            throw new Exception("JWT verification failed");
        }

        // Bug in CAS: the payload is Base64-encoded a second time, so decode twice.
        byte[] encodedPayload = jws.getEncodedPayload().getBytes(StandardCharsets.UTF_8);
        return new String(Base64.decodeBase64(Base64.decodeBase64(encodedPayload)), StandardCharsets.UTF_8);
    }
}

Hope this helps.

- Nilesh Choudhary
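For the double-Base64 behaviour Pascal describes with encryptionEnabled=false and the extraction Nilesh posts above, here is an added client-side example (not code from the thread or from CAS) that verifies the HS512 signature of a signed-only JWT service ticket and then accepts both a correctly encoded payload and the double-Base64 payload of the affected versions, while rejecting any other alg. It assumes the ticket is a compact JWS signed with the raw UTF-8 bytes of cas.authn.token.crypto.signing.key, as in Nilesh's code; DEMO_SIGNING_KEY and make_demo_ticket are constructed here only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder key: a real CAS deployment supplies its own 512-bit value
# through cas.authn.token.crypto.signing.key.
DEMO_SIGNING_KEY = b"constructed-demo-signing-key-not-a-real-one"

def b64url_decode(data: str) -> bytes:
    """Base64url-decode, restoring the padding that compact JWS strips."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def payload_to_claims(payload: bytes) -> dict:
    """Parse the JWS payload as JSON; if that fails, treat it as the double-Base64
    payload of the affected CAS versions and strip one more layer first."""
    try:
        return json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        std = payload.replace(b"-", b"+").replace(b"_", b"/")  # accept either alphabet
        return json.loads(base64.b64decode(std, validate=True).decode("utf-8"))

def verify_signed_ticket(jwt: str, signing_key: bytes) -> dict:
    """Verify an HS512 compact JWS (CAS with encryptionEnabled=false) and return
    its claims; any other 'alg' is rejected before the payload is looked at."""
    header_b64, payload_b64, sig_b64 = jwt.split(".")  # a 5-part JWE fails here
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS512":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(signing_key, signing_input, hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWT signature verification failed")
    return payload_to_claims(b64url_decode(payload_b64))

def make_demo_ticket(claims: dict, signing_key: bytes, double_encode: bool) -> str:
    """Build a constructed HS512 ticket; double_encode=True reproduces the CAS bug."""
    body = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    if double_encode:
        body = base64.b64encode(body)  # the extra layer the pre-fix CAS emitted
    header_b64 = b64url_encode(b'{"alg":"HS512"}')
    payload_b64 = b64url_encode(body)
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(signing_key, signing_input, hashlib.sha512).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"
```

A client that validates this way keeps working unchanged once the CAS fix removes the extra Base64 layer, because the fallback is only taken when the payload is not already JSON.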