JWT Access Token signature is with unsupported algorithm (RS256)


Bruce
Jan 20, 2016, 11:32:14 AM
to pac4j-users
Using Pac4j-play I have an endpoint secured with a HeaderClient:

Security Module:
HeaderClient headerClient = new HeaderClient(new JwtAuthenticator("secret"));
headerClient.setHeaderName("Authorization");
headerClient.setPrefixHeader("Bearer");

Controller:
@RequiresAuthentication(clientName = "HeaderClient")
//controller method


I have an android app that will authenticate using OpenId Connect flow but will send Bearer (Access) Tokens to access the secured API.  If everything sounds OK so far...

Our Identity provider is returning JWT tokens using JWS algorithm RS256 but it looks like org.pac4j.jwt.credentials.authenticator.JwtAuthenticator only supports using the HMAC based algorithms.  Is there an easy way to configure this to support RS256?

thanks.

The error I'm getting for reference:

com.nimbusds.jose.JOSEException: Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512
    at com.nimbusds.jose.crypto.MACProvider.getJCAAlgorithmName(MACProvider.java:71) ~[nimbus-jose-jwt-4.11.2.jar:4.11.2]
    at com.nimbusds.jose.crypto.MACVerifier.verify(MACVerifier.java:151) ~[nimbus-jose-jwt-4.11.2.jar:4.11.2]
    at com.nimbusds.jose.JWSObject.verify(JWSObject.java:337) ~[nimbus-jose-jwt-4.11.2.jar:4.11.2]
    at org.pac4j.jwt.credentials.authenticator.JwtAuthenticator.validate(JwtAuthenticator.java:116) ~[pac4j-jwt-1.8.5.jar:na]

Jérôme LELEU
Jan 20, 2016, 1:00:42 PM
to Bruce, pac4j-users
Hi,

Looks good to me. You should use the setJwsAlgorithm method with JWSAlgorithm.RS256 parameter (on the JwtGenerator) to use the JWS algorithm RS256.

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Bruce
Jan 20, 2016, 1:41:35 PM
to pac4j-users, batte...@gmail.com
Thanks for the response.  

We are not generating the JWT, our IdP is generating it using RS256 algorithm, then it is passed from our app to our pac4j-secured server.
Since we already have it generated with RS256, can the algorithm be selected using JwtAuthenticator?  Maybe I'm missing something.

thanks

Jérôme LELEU
Jan 20, 2016, 2:38:35 PM
to Bruce, pac4j-users
Hi,

You're not missing anything, I just made a test trying to use RS256 with the JwtGenerator and it fails: Caused by: com.nimbusds.jose.JOSEException: The "RS256" algorithm is not allowed or supported by the JWS signer

I will check with the author of the library and let you know.

Thanks.
Best regards,
Jérôme



Bruce
Jan 20, 2016, 2:47:53 PM
to pac4j-users, batte...@gmail.com
Thanks!

Jérôme LELEU
Jan 21, 2016, 1:15:33 PM
to Bruce, pac4j-users
Hi,

Here is the explanation: no issue with the underlying library (nimbus-jose-jwt), but the signer and verifier are hard coded as HMAC ones, so they only support HMAC algorithms.

So you can use HS256, HS384 and HS512, but currently not RSxxx or ECxxx. I opened an issue: https://github.com/pac4j/pac4j/issues/454 to address that in pac4j v1.9.

Thanks.
Best regards,
Jérôme



Forrest Brazeal
Mar 18, 2016, 1:01:29 PM
to pac4j-users, batte...@gmail.com
Hello,

I'm trying to use a HeaderClient like the one in Bruce's original post. When I submit a request using the Authorization header with Bearer set to a valid JWT, I'm getting the following error:

org.pac4j.core.exception.TechnicalException: Cannot decrypt / verify JWT
    ...
Caused by: com.nimbusds.jose.JOSEException: AES/GCM/NoPadding decryption failed: Tag mismatch!

Note: this is how I create my token -

JwtGenerator generator = new JwtGenerator(JWT_SALT);
String token = "";
if (profile != null) {
    token = generator.generate(profile);
}


Any idea what would be causing this?

Bruce
Mar 18, 2016, 2:06:50 PM
to pac4j-users
I also had problems with the code that is in my original post above.  I had to change the following line:

headerClient.setPrefixHeader("Bearer");


To this; the only difference is a space after the word Bearer, to correctly parse how the actual header comes in. Try updating that.

headerClient.setPrefixHeader("Bearer ");
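An added example, not pac4j's own code, covering the two problems this thread hits: verifying an IdP-issued RS256 token directly with nimbus-jose-jwt (the library pac4j wraps, whose pac4j 1.8 JwtAuthenticator is hard coded to an HMAC verifier), and extracting the token from the Authorization header without depending on an exact "Bearer " prefix. The IdP's RSA public key is assumed to be loaded separately (for example from its JWKS endpoint); the class and method names are the example's own.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;

// Example only (not pac4j code): verifies an IdP-issued RS256 access token with
// nimbus-jose-jwt directly, which the HMAC-only pac4j 1.8 JwtAuthenticator cannot do.
public class Rs256BearerVerifier {
    private static final String BEARER_PREFIX = "bearer ";
    private final RSAPublicKey idpPublicKey; // assumed: obtained from the IdP, e.g. its JWKS

    public Rs256BearerVerifier(RSAPublicKey idpPublicKey) {
        this.idpPublicKey = idpPublicKey;
    }

    // Pulls the token out of "Authorization: Bearer <token>", tolerating surrounding
    // whitespace and scheme case rather than requiring an exact "Bearer " prefix.
    public static String extractBearerToken(String authorizationHeader) {
        if (authorizationHeader == null) return null;
        String value = authorizationHeader.trim();
        if (value.length() <= BEARER_PREFIX.length()
                || !value.substring(0, BEARER_PREFIX.length()).equalsIgnoreCase(BEARER_PREFIX)) {
            return null;
        }
        return value.substring(BEARER_PREFIX.length()).trim();
    }

    // Checks the signature with the IdP's RSA public key. The algorithm is pinned to RS256,
    // so a token whose header names any other algorithm is rejected before any crypto runs.
    public JWTClaimsSet verify(String token) throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new JOSEException("Unexpected JWS algorithm: " + jwt.getHeader().getAlgorithm());
        }
        JWSVerifier verifier = new RSASSAVerifier(idpPublicKey);
        if (!jwt.verify(verifier)) {
            throw new JOSEException("RS256 signature verification failed");
        }
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || !exp.after(new Date())) {
            throw new JOSEException("Token is expired or has no exp claim");
        }
        return claims;
    }
}
```

Issuer and audience claims should be checked against the expected IdP and API as well; that part is left out here because the thread does not show which values the IdP issues.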

Forrest Brazeal
Mar 20, 2016, 2:56:00 PM
to pac4j-users
Thanks Bruce, that was it!