Signing is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceJwtTicketCipherExecutor] will attempt to produce plain objects

Cyrus Grissom

Jul 1, 2019, 9:37:32 AM
to CAS Community
Hello,

I'm trying to validate a JWT produced by CAS (version 6.0.x) on the website https://jwt.io/#debugger. The answer is "Invalid Signature".

The documentation describing the flow I'm trying to implement can be found here: https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html
Just to clarify, I'm trying to get a JWT instead of a Service Ticket after a successful authentication, and not trying to authenticate using a JWT.

I configured my "application.properties" file with these parameters:

##
# JWT - Encrypt Tokens
#

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signingEnabled=true
cas.authn.token.crypto.encryption.key=xxxxxxxxxxxx (real chain replaced by xxxx!)
cas.authn.token.crypto.signing.key=xxxxxxxxxxx  (real chain replaced by xxxx!)


In the CAS log, I have this information:

INFO [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Signing is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceJwtTicketCipherExecutor] will attempt to produce plain objects>

I cannot find how to correctly enable this feature for JWT.

Many thanks for your help,

Cyrus

Drew Liscomb

Aug 8, 2019, 5:13:05 PM
to CAS Community
@Cyrus, FWIW, we have the same issue, but with 5.3.x. The docs are confusing. In our case, we have both:
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signingEnabled=true
but not
cas.authn.token.crypto.enabled=true
and that doesn't work either.

Drew

Drew Liscomb

Aug 8, 2019, 5:15:35 PM
to CAS Community
Also, this was working in 5.1.3, but, of course, with the 'old style' properties, before the New Order with *.crypto.* was implemented.

Drew

William E.

Aug 9, 2019, 9:43:30 AM
to CAS Community
We're on 5.3.11. Struggled with this as well; could never find a third-party tool or library that could validate the JWT generated by CAS. I even contacted the maintainer of one of the Python libs and he claims the CAS-generated JWT was invalid. I was able to write my own Java to validate based on code provided by CAS: https://apereo.github.io/cas/5.3.x/installation/Configure-ServiceTicket-JWT.html

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signing.key=<redacted>
cas.authn.token.crypto.encryption.key=<redacted>

Snippet from a service configured to return a JWT. Note that pre-5.3, somewhere, the property name was jwtAsServiceTicket vs. jwtAsResponse.


properties:
  {
    @class: java.util.LinkedHashMap
    jwtAsResponse:
    {
      @class: org.apereo.cas.services.DefaultRegisteredServiceProperty
      values:
      [
        java.util.HashSet
        [
          "true"
        ]
      ]
    }
  }
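
Added example (not from any post in this thread and not CAS code): a standard-library Python triage for a compact token that a debugger rejects with "Invalid Signature". It reports whether the token is a JWS or a JWE, whether it is unsigned, whether the HMAC verifies with the key taken as literal text or as base64url-decoded bytes, and whether the signed payload is JSON claims or ciphertext. The function names, sample key and sample token are constructed; how CAS derives its key bytes is not stated in the thread and is not assumed here.

```python
import base64, hashlib, hmac, json

HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def check_hmac(parts, alg, signing_key):
    """Try the configured key as literal text and as base64url-decoded bytes."""
    keys = {"utf-8 text": signing_key.encode("utf-8")}
    try:
        keys["base64url-decoded"] = b64url_decode(signing_key)
    except ValueError:
        pass  # the key text is not valid base64url, so only the literal form applies
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    for label, key in keys.items():
        mac = hmac.new(key, signing_input, HS_ALGS[alg]).digest()
        if hmac.compare_digest(mac, b64url_decode(parts[2])):
            return "valid, key used as " + label
    return "invalid"

def triage(token, signing_key):
    """Classify a compact token and test its HMAC signature if it has one."""
    parts = token.strip().split(".")
    alg = json.loads(b64url_decode(parts[0])).get("alg")
    report = {"alg": alg, "kind": "unknown", "signature": "not checked", "payload": None}
    if len(parts) == 5:  # RFC 7516 compact JWE: must be decrypted, nothing to verify
        report["kind"] = "JWE"
    elif len(parts) == 3:  # RFC 7515 compact JWS
        report["kind"] = "JWS"
        if alg in HS_ALGS:
            report["signature"] = check_hmac(parts, alg, signing_key)
        elif alg == "none":
            report["signature"] = "absent (unsigned token)"
        body = b64url_decode(parts[1])
        try:
            json.loads(body)
            report["payload"] = "JSON claims"
        except ValueError:  # signing layered over encryption: ciphertext, not claims
            report["payload"] = "nested compact JWE" if body.count(b".") == 4 else "opaque bytes"
    return report

# Constructed sample: HS512 JWS over JSON claims, signed with a made-up key.
SAMPLE_KEY = "constructed-signing-key-not-a-real-secret"
_h, _p = b64url_encode(b'{"alg":"HS512"}'), b64url_encode(b'{"sub":"casuser"}')
_s = hmac.new(SAMPLE_KEY.encode(), (_h + "." + _p).encode(), hashlib.sha512).digest()
SAMPLE_TOKEN = ".".join([_h, _p, b64url_encode(_s)])
print(triage(SAMPLE_TOKEN, SAMPLE_KEY))
```

A report of "nested compact JWE" means the signed segment still has to be decrypted before any claims are readable, so a debugger that expects JSON claims will not display them even when the signature itself verifies.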
