Greetings, I was doing a prototype of using CAS 7.1.2 to act as a provider for the Oauth Token Exchange flow. In my prototype I had established a service with the client_credentials flow so that I could easily retrieve an access token to use for the subject_token.
In my first attempt I had provided a JWT token with a subject_token_type of urn:ietf:params:oauth:token-type:jwt and I received an error stating that it was an invalid ticket like so:
2024-12-27 16:06:59,279 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <INVALID_TICKET
AbstractTicketRegistry.java:getTicket:121
DirectMethodHandleAccessor.java:invoke:103
Method.java:invoke:580
AopUtils.java:invokeJoinpointUsingReflection:355
I then changed my subject token to an opaque token and was able to get the exchange to work.
The next thing I tried was to supply the subject_token_type of urn:ietf:params:oauth:token-type:jwt and provide a JWT token as the subject_token. This time I bypassed the above error and encountered an issue where the CAS token validator was expecting the "nbf" claim to be on the JWT. I looked through the code and documentation and could not find any way to add the "nbf" claim into the JWT token. All of the JWT tokens I had were generated from CAS using the client_credentials grant.
2024-12-27 13:33:52,652 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <JWT missing required claims: [nbf]>
com.nimbusds.jwt.proc.BadJWTException: JWT missing required claims: [nbf]
at com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier.verify(DefaultJWTClaimsVerifier.java:311)
at org.apereo.cas.support.oauth.validator.token.OAuth20TokenExchangeGrantTypeTokenRequestValidator.extractRegisteredService(OAuth20TokenExchangeGrantTypeTokenRequestValidator.java:87)
at org.apereo.cas.support.oauth.validator.token.OAuth20TokenExchangeGrantTypeTokenRequestValidator.validateInternal(OAuth20TokenExchangeGrantTypeTokenRequestValidator.java:53)
at org.apereo.cas.support.oauth.validator.token.BaseOAuth20TokenRequestValidator.validate(BaseOAuth20TokenRequestValidator.java:72)
at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.verifyAccessTokenRequest(OAuth20AccessTokenEndpointController.java:217)
at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.handleRequest(OAuth20AccessTokenEndpointController.java:100)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
at java.base/java.lang.reflect.Method.invoke(Method.java:580)
From this I am ultimately trying to understand whether CAS can be configured to support the token exchange grant when using JWT access tokens as the subject_token.
Let me know if I can provide any additional information.
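As an added illustration, not code from the post above and not CAS or Nimbus code: the check below reproduces the shape of the second failure, where a correctly signed JWT is rejected solely because a claim on the verifier's required list ("nbf") is absent, and it shows the RFC 8693 form parameters a token-exchange request carries. The issuer URL, the client id, the HS256 secret and the sample claims are constructed for the example; CAS signs its access tokens with its own configured keys and this code does not touch them.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

# Constructed HS256 secret for this example only (assumption, not a CAS key).
EXAMPLE_SECRET = b"example-hs256-secret-not-for-production"

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = EXAMPLE_SECRET) -> str:
    """Build a compact HS256 JWT carrying exactly the given claims (no nbf is added)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"


def verify_jwt(token: str, secret: bytes = EXAMPLE_SECRET,
               required_claims: Iterable[str] = ("iss", "sub", "exp", "nbf"),
               now: Optional[int] = None) -> dict:
    """Check signature, then required-claim presence, then the exp/nbf window.

    The required-claim list is the verifier's policy, not part of the JWT format:
    a correctly signed token is still rejected when a listed claim is absent.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    missing = [name for name in required_claims if name not in claims]
    if missing:
        raise ValueError(f"JWT missing required claims: {missing}")
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token expired")
    if "nbf" in claims and claims["nbf"] > now:
        raise ValueError("token not yet valid")
    return claims


def verification_error(token: str, now: int, **kwargs) -> Optional[str]:
    """Return the rejection reason for a token, or None when it verifies."""
    try:
        verify_jwt(token, now=now, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def token_exchange_request(subject_token: str, subject_token_type: str, client_id: str,
                           audience: Optional[str] = None, scope: Optional[str] = None) -> dict:
    """Form parameters for a token-exchange grant request (RFC 8693 section 2.1)."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "client_id": client_id,
    }
    if audience:
        params["audience"] = audience
    if scope:
        params["scope"] = scope
    return params


# Constructed sample tokens: same issuer/subject/expiry, differing only in nbf.
NOW = 1735315200
BASE_CLAIMS = {"iss": "https://cas.example.org/cas/oidc", "sub": "service-account", "exp": NOW + 3600}
TOKEN_WITHOUT_NBF = mint_jwt(BASE_CLAIMS)
TOKEN_WITH_NBF = mint_jwt({**BASE_CLAIMS, "nbf": NOW - 5})

if __name__ == "__main__":
    print(verification_error(TOKEN_WITHOUT_NBF, NOW))  # JWT missing required claims: ['nbf']
    print(verification_error(TOKEN_WITH_NBF, NOW))     # None
    # Same token passes once the verifier's policy no longer lists nbf.
    print(verification_error(TOKEN_WITHOUT_NBF, NOW, required_claims=("iss", "sub", "exp")))  # None
    print(token_exchange_request(TOKEN_WITH_NBF, JWT_TOKEN_TYPE, "exchange-client", audience="downstream-api"))
```

The third call is the point worth checking on the server side: whether "nbf" is rejected depends entirely on the required-claim set the validator is built with, so the question is which side can be changed, the issuing path (so every minted access token carries nbf) or the validator's policy.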