Error “can not get encryption KEK” when trying to encrypt id token
Visto 1.107 veces
Saltar al primer mensaje no leído
Jesse Pitkanen
8 oct 2021, 10:55:118/10/21
a keyclo...@googlegroups.com
Hello,
Working on Brazilian OB requirements, got this:
I've a client registered on keycloak that uses JWKS URK as key (https://keystore.sandbox.directory.openbankingbrasil.org.br/8292c33e-d95a-5fe7-8f27-dd7a95c68b55/9b944914-5ca5-431a-b30f-8e2f5d9c46aa/application.jwks).
It's working correctly when doing authentication through my authorization endpoint (/auth). I send a encrypted request object to my authorization endpoint and it can decrypt and validate without problems and returns the code and id_token.
There's a new requirement to return an encrypted id_token instead of just base64 format, so I've set the options below on keycloak client at Fine Grain OpenID Connect Configuration section:
ID Token Signature Algorithm=PS256
ID Token Encryption Key Management Algorithm=RSA-OAEP
ID Token Encryption Content Encryption Algorithm=A256GCM
After set these properties, when trying to authenticate I'm receving the message "Unexpected error when handling authentication request to identity provider" and in the keycloak logs I can see the error "KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: can not get encryption KEK"
I really don't know what's missing on my configuration or maybe on my JWKS file.
It's working correctly when doing authentication through my authorization endpoint (/auth). I send a encrypted request object to my authorization endpoint and it can decrypt and validate without problems and returns the code and id_token.
There's a new requirement to return an encrypted id_token instead of just base64 format, so I've set the options below on keycloak client at Fine Grain OpenID Connect Configuration section:
ID Token Signature Algorithm=PS256
ID Token Encryption Key Management Algorithm=RSA-OAEP
ID Token Encryption Content Encryption Algorithm=A256GCM
After set these properties, when trying to authenticate I'm receving the message "Unexpected error when handling authentication request to identity provider" and in the keycloak logs I can see the error "KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: can not get encryption KEK"
I really don't know what's missing on my configuration or maybe on my JWKS file.
Regards!
Jesse J Pitkänen
乗松隆志 / NORIMATSU,TAKASHI
8 oct 2021, 18:19:108/10/21
a Jesse Pitkanen,keyclo...@googlegroups.com
Hello Jesse,
Could you check the following two points?
1. key use field
To encrypt ID token by your client public key, you need to tell keycloak that the key is used for KEK (Key Encryption Key).
I have found that your key’s use field is
"use":"sig"
Could you change it as follows?
"use":"enc"
2. use JWKS URI client setting
To make keycloak get your public key, you need to ask keycloak to do so.
Login to keycloak as admin.
Move to the following page.
Clients -> [your app] -> Keys
Set the following switch to ON.
Use JWKS URL
Enter the URL through which you provide your keys to the following setting box.
JWKS URL
Regards,
Takashi Norimatsu
Hitachi, Ltd.
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
keycloak-dev...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/keycloak-dev/CAOZXnhStgxrK31_7zagYO31Mu1wAc2B5QuQHq81%3DkJVCNpEKUA%40mail.gmail.com.
Ranieri Mazili de Oliveira
11 oct 2021, 8:57:1711/10/21
a Keycloak Dev
Hello Takashi, thanks for your help. I'm working with Jesse on this issue and I've tried to apply your solution but it didn't work yet, but I think we're close...
To have a JWKS with enc setted, I've made a copy of the original file and have duplicated the keys, replacing sig by enc.
You can see the new JWKS file here: https://raw.githubusercontent.com/ranierimazili/tempfiles/master/client_with_enc.jwks
Then I changed my client to use this file as you mentioned at step 2.
When running the test I see the following error on the logs:
2021-10-11 12:31:44,374 WARN [org.keycloak.keys.infinispan.InfinispanPublicKeyStorageProvider] (default task-111) PublicKey wasn't found in the storage. Requested kid: 'null'. Available kids: '[TIP3MNUwy3RI3XU7d9F05NkYbiSwGVasssqg_nj2Bmk, 7dzPOnvHjVdQlYRTkC8BsGELIQ-D00jIBiyeJCcXkUQ]'
2021-10-11 12:31:44,374 WARN [org.keycloak.services] (default task-111) KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: can not get encryption KEK
at org.keycloak.jose.jws.DefaultTokenManager.getEncryptedToken(DefaultTokenManager.java:261)
at org.keycloak.jose.jws.DefaultTokenManager.encodeAndEncrypt(DefaultTokenManager.java:234)
at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.build(TokenManager.java:1102)
at org.keycloak.protocol.oidc.OIDCLoginProtocol.authenticated(OIDCLoginProtocol.java:263)
at org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:921)
at org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:869)
at org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:1022)
at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:1086)
Before add the enc keys, the available kids was an empty array, now it's listing my kids but the it's showing that the requested kid is null... where should send the requested kid for encryption?
乗松隆志 / NORIMATSU,TAKASHI
11 oct 2021, 19:36:4211/10/21
a Ranieri Mazili de Oliveira,Keycloak Dev
Hello Ranieri,
I've looked into InfinispanPublicKeyStorageProvider.java and its related classes.
Could you check the following two points?
1. key "alg" field
Here I assume that you used RSA-OAEP for encrypting CEK.
https://datatracker.ietf.org/doc/html/rfc7518#section-4.1
Could you add the following "alg" field to your "enc" key?
"alg":"RSA-OAEP"
2. client app setting for ID token encryption
Could you login to keycloak's admin console and make sure the following setting?
Clients
->[your client app]
->Fine Grain OpenID Connect Configuration
->ID Token Encryption Key Management Algorithm
RSA-OAEP
Also note that it might be better to use unique "kid" for each key even if its "use" is different.
Regards,
Takashi Norimatsu
Hitachi, Ltd.
I've a client registered on keycloak that uses JWKS URK as key (https://secure-web.cisco.com/1n0mLBfpU45H5tUy07Gv_-kmbS-XZS616ufbv8JQKv-wFZcxT8VJ7tMyxn2OIYpap5_RJJp25AUV9CkSLsPVJCf1pi7LV-9qJOKtVb-tcqOxCfaUKo4sFQBJtl7d_Ju7y9ZogFuSvT84tCnl-rsmX3r2-FMvfbefv7LStW_ARXlDdxQmc00Q6UiWuRnvQuF6eNnhhUJAVRrXdPl3Mv4B63vOAn9WVjaJYErXzSB0rTs9qAIj7kgT6tahddpgqrIr3KxcFhzxGSK_NJxOD89fNhQ7Sz_ighifUtNc9Vgr5aRU1g99DMgsvhQ6HgsNy5UP7N-6Z3AyQ01u_rRNHcc831w/https%3A%2F%2Fkeystore.sandbox.directory.openbankingbrasil.org.br%2F8292c33e-d95a-5fe7-8f27-dd7a95c68b55%2F9b944914-5ca5-431a-b30f-8e2f5d9c46aa%2Fapplication.jwks).
It's working correctly when doing authentication through my authorization endpoint (/auth). I send a encrypted request object to my authorization endpoint and it can decrypt and validate without problems and returns the code and id_token.
There's a new requirement to return an encrypted id_token instead of just base64 format, so I've set the options below on keycloak client at Fine Grain OpenID Connect Configuration section:
ID Token Signature Algorithm=PS256
ID Token Encryption Key Management Algorithm=RSA-OAEP
ID Token Encryption Content Encryption Algorithm=A256GCM
After set these properties, when trying to authenticate I'm receving the message "Unexpected error when handling authentication request to identity provider" and in the keycloak logs I can see the error "KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: can not get encryption KEK"
I really don't know what's missing on my configuration or maybe on my JWKS file.
Regards!
Jesse J Pitkänen
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://secure-web.cisco.com/1gcwy14ESIiYLGOjNZghpWLaIclJr0zLgUx5MsDNEZ2YZQbpt_jcztqXndyRUa-Hqcb6HcRhl2nV8wFZud3O47f0IgtdZKqyysvMRCOHOM2L_V1KPYRWIA_u3RZMGJMCHgU4uc1s5a-oJXnNG0gVYfhS5CVDF4n22Kp6AuoLBqfxz8UBdcaAiAcA0vB7DXWnToGCfTQFH5wzGTLm_VcTBtDkCkY0rrS5zdDykWvSNJPYyPY8QpIiv5Rn4WZy0trwEpsUzMLXnHLRZC0vpBjjJzM3vRhVzgB-cIgBg5Vx7oIavGuNlNyv6ENTDbECJL1Qg6nVvtRFfpbBMFX8ChWbvxA/https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fkeycloak-dev%2FCAOZXnhStgxrK31_7zagYO31Mu1wAc2B5QuQHq81%253DkJVCNpEKUA%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter.
To view this discussion on the web visit https://secure-web.cisco.com/1XJNEfBewKk5Ck4Hlw1NKKe81OIrDRdpSlja67227UYJlArk5H-6_XXR8qQ6a5AlOzk2VAXCdDEpP943QQYjjuudrnTScXDfZ5XaMpRRyl51gCosYUMQ2AEHVV1bnGy-bldey1ygmktw2znW2PyCbWbiXH2uNIsVaXR54d9yiL4eHPbLsx04FaJs18ryWwt7D3iZerZ6aTJsrhb-BhafkTUvkGWsXT35E8g23gpd_hVXCj1_fM4EtU4S76OQOtBWo7GGTwc4GSf-pJuKTNdvBHEEYneRAPzO31l64jYK-yBJ-aDhqOGyk5Wi3-XxJbzkCHCdU6-pWbCcPA_hjKax-fw/https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fkeycloak-dev%2F712a8042-895d-44ef-ab85-9ef05b8387aan%2540googlegroups.com%3Futm_medium%3Demail%26utm_source%3Dfooter.
I've looked into InfinispanPublicKeyStorageProvider.java and its related classes.
Could you check the following two points?
Here I assume that you used RSA-OAEP for encrypting CEK.
https://datatracker.ietf.org/doc/html/rfc7518#section-4.1
Could you add the following "alg" field to your "enc" key?
"alg":"RSA-OAEP"
2. client app setting for ID token encryption
Could you login to keycloak's admin console and make sure the following setting?
Clients
->[your client app]
->Fine Grain OpenID Connect Configuration
->ID Token Encryption Key Management Algorithm
RSA-OAEP
Also note that it might be better to use unique "kid" for each key even if its "use" is different.
Regards,
Takashi Norimatsu
Hitachi, Ltd.
It's working correctly when doing authentication through my authorization endpoint (/auth). I send a encrypted request object to my authorization endpoint and it can decrypt and validate without problems and returns the code and id_token.
There's a new requirement to return an encrypted id_token instead of just base64 format, so I've set the options below on keycloak client at Fine Grain OpenID Connect Configuration section:
ID Token Signature Algorithm=PS256
ID Token Encryption Key Management Algorithm=RSA-OAEP
ID Token Encryption Content Encryption Algorithm=A256GCM
After set these properties, when trying to authenticate I'm receving the message "Unexpected error when handling authentication request to identity provider" and in the keycloak logs I can see the error "KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: can not get encryption KEK"
I really don't know what's missing on my configuration or maybe on my JWKS file.
Regards!
Jesse J Pitkänen
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mailto:keycloak-dev...@googlegroups.com.
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To view this discussion on the web visit https://secure-web.cisco.com/1XJNEfBewKk5Ck4Hlw1NKKe81OIrDRdpSlja67227UYJlArk5H-6_XXR8qQ6a5AlOzk2VAXCdDEpP943QQYjjuudrnTScXDfZ5XaMpRRyl51gCosYUMQ2AEHVV1bnGy-bldey1ygmktw2znW2PyCbWbiXH2uNIsVaXR54d9yiL4eHPbLsx04FaJs18ryWwt7D3iZerZ6aTJsrhb-BhafkTUvkGWsXT35E8g23gpd_hVXCj1_fM4EtU4S76OQOtBWo7GGTwc4GSf-pJuKTNdvBHEEYneRAPzO31l64jYK-yBJ-aDhqOGyk5Wi3-XxJbzkCHCdU6-pWbCcPA_hjKax-fw/https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fkeycloak-dev%2F712a8042-895d-44ef-ab85-9ef05b8387aan%2540googlegroups.com%3Futm_medium%3Demail%26utm_source%3Dfooter.
Ranieri Mazili de Oliveira
13 oct 2021, 10:16:2613/10/21
a Keycloak Dev
Thanks
Takashi, it's working now... I had to add the alg attribute on jwks file.
Thanks again for your support.
Kannan Rasappan
7 feb 2023, 23:07:137/2/23
a Keycloak Dev
Hi Ranieri & Jesse
I stumbled on this for our work on Brazil OB/F
* Were you able to edit the JWKS to include "alg" on the Directory after the cert import?
* Did you pursue any fixes to Keycloak just for OBBR?
Could you let help us with your response?
Could you let help us with your response?
Many thanks
Kannan
==
==
{
"keys": [
{
"kty": "RSA",
"use": "enc",
"alg":"RSA-OAEP",
"n": "tQswhl...O2Dq9XmsQ",
"e": "AQAB",
"kid": "d9ee054ce5d48ea0dac801e9795eb631e25eedb20f84fc2eeb8d8e72570bab8d"
}
...
Jesse Pitkanen
9 feb 2023, 6:28:599/2/23
a Kannan Rasappan,Keycloak Dev
Hi Kannan,
I don't remember what was the final solution, but i believe you can achieve this in 2 ways:
1) You can edit Keycloak source code to reflect what you want in the /auth/realms/YOUR_REALM/protocol/openid-connect/certs;
2) You can have a reverse proxy in front of your AS that points to a static json file when someone requests the cert endpoint.
Regards,
Jesse
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/f0a869bd-47a1-49c2-9b3b-5c574f63d6a3n%40googlegroups.com.
Responder a todos
Responder al autor
Reenviar
0 mensajes nuevos