OpenAM / OPENAM-15018

Encrypted stateless tokens contain a zip header, even though it should not be present if none


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 6.5.2.3, 7.0.0, 6.5.3
    • Component/s: stateless
    • Environment:
      OpenAM 7.0.0-SNAPSHOT (613b841653)
      JDK 1.8.0_201
      4.18.0-15-generic GNU/Linux

      Description

      When you configure AM to provide OAuth encrypted stateless access tokens, the header of such a token contains:

      {"typ":"JWT","zip":"NONE","enc":"A128CBC-HS256","alg":"dir"}

      But according to the specification RFC 7516 (https://tools.ietf.org/html/rfc7516#page-12):

      The "zip" (compression algorithm) applied to the plaintext before encryption, if any. If no "zip" parameter is present, no compression is applied to the plaintext before encryption.

      This attribute causes trouble when using some libraries to decrypt the JWT, namely Python's jwcrypto.

      Asked in the #am channel; the bug already exists in Commons as COMMONS-111, however Neil Madden suggested raising it in AM bugs as well, to get it triaged.


      Workaround
      Enable token compression
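As an added example (not part of this report or of the AM/Commons code), a stdlib-only Python check that parses the protected header of a compact JWE and flags a "zip" value that RFC 7516 does not register. The three sample headers are constructed from the one quoted above; the remaining token segments are dummy data, since only the header matters for this check.

```python
import base64
import json
from typing import Dict, List

# "DEF" is the only "zip" value registered for JWE (RFC 7516 section 4.1.3).
REGISTERED_ZIP_VALUES = {"DEF"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, the encoding used in JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def protected_header(jwe_compact: str) -> Dict[str, str]:
    """Return the JWE Protected Header (first of the five dot-separated segments)."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization must have exactly 5 segments")
    return json.loads(b64url_decode(parts[0]))


def check_zip_header(header: Dict[str, str]) -> List[str]:
    """Return RFC 7516 findings about "zip"; an empty list means the header is compliant."""
    findings = []
    if "zip" in header and header["zip"] not in REGISTERED_ZIP_VALUES:
        findings.append(
            f'"zip":{header["zip"]!r} is not a registered value; RFC 7516 says to omit '
            '"zip" when no compression is applied, and strict decoders reject it'
        )
    return findings


def make_sample_jwe(header: Dict[str, str]) -> str:
    """Construct a compact JWE with dummy IV/ciphertext/tag, only so the check can be run.
    With alg "dir" the encrypted-key segment is empty. The protected header is the AAD
    covered by the authentication tag, so a real token cannot be repaired by rewriting it."""
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    dummy = b64url_encode(b"\x00" * 16)
    return ".".join([header_b64, "", dummy, dummy, dummy])


# Constructed sample headers: the one quoted in the report, the compression workaround, and the fixed form.
BUGGY_HEADER = {"typ": "JWT", "zip": "NONE", "enc": "A128CBC-HS256", "alg": "dir"}
COMPRESSED_HEADER = {"typ": "JWT", "zip": "DEF", "enc": "A128CBC-HS256", "alg": "dir"}
FIXED_HEADER = {"typ": "JWT", "enc": "A128CBC-HS256", "alg": "dir"}

for name, hdr in [("buggy", BUGGY_HEADER), ("compressed", COMPRESSED_HEADER), ("fixed", FIXED_HEADER)]:
    print(name, check_zip_header(protected_header(make_sample_jwe(hdr))))
```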

              People

              Assignee:
              peter.major Peter Major [X] (Inactive)
              Reporter:
              jan.hajovsky Jan Hajovsky
              Votes: 0
              Watchers: 5