
JWT Profile OAuth, Client JWT Bearer Public Key has no effect


    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s:
    • Fix Version/s: None
    • Component/s: oauth2, samples
    • Labels:


      Bug description

      Following the instructions in 4.9. JWT Profile for OAuth 2.0 Authorization Grant does not lead to the documented outcome. It is not clear whether this is a documentation issue, or a defect in the service.

      How to reproduce the issue

      • Generate an RSA 2048 keypair
      • Create a client with client_id = jwt-bearer-client and secret = password, with Client JWT Bearer Public Key set to the generated public key, and the public key selector set to X509
      • Create a JWT signed with the private key; the header and payload are:
          header:
          {
            "alg": "RS256",
            "typ": "JWT"
          }
          payload:
          {
            "sub": "demo",
            "aud": "http://openam.example.com:8090/oauth2/access_token",
            "iss": "jwt-bearer-client",
            "exp": 1582065900
          }
      • Issue the request, e.g. as explained in the documentation:
      curl -X POST \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer' \
      -d 'redirect_uri=http%3A%2F%2Fopendam.example.com' \
      -d 'client_id=jwt-bearer-client' \
      -d 'scope=test' \
      -d 'client_secret=password' \
      -d 'assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVC....' \
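The client side of the reproduction steps above, as an added example that is not code from this issue or from OpenAM: it generates the RSA 2048 keypair, builds the RS256 assertion with the issue's header and payload, signs it, and then performs the same signature check that AM is documented to do with the registered Client JWT Bearer Public Key (so a reader can confirm the assertion itself is sound before blaming the server-side configuration). It assumes only that the OpenSSL CLI is installed; openam.example.com:8090 and the client_id are the issue's example values, the exp is recomputed because the issue's value is in the past, and nothing is sent over the network (the curl command is printed, not run).

```shell
#!/bin/sh
# Added example (not from the OpenAM issue or the OpenAM project): the client
# side of the JWT bearer grant with the OpenSSL CLI only, followed by the RS256
# verification a server does with the client's registered public key.
# Assumptions: openssl is installed; openam.example.com:8090 is the issue's
# example host, not a live server; nothing here talks to the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CLIENT_ID="jwt-bearer-client"
TOKEN_ENDPOINT="http://openam.example.com:8090/oauth2/access_token"

# base64url without '=' padding, as JWS requires (RFC 7515 section 2)
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# inverse: restore the standard alphabet and padding, then decode to binary
b64url_decode() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | openssl base64 -d -A
}

# step 1: 2048-bit RSA keypair; public.pem is what the issue registers as
# "Client JWT Bearer Public Key" (or later as a JWK Set) on the AM side
gen_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/private.pem" 2>/dev/null
  openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
}

# step 2: header and payload from the issue, with a fresh exp (the issue's
# 1582065900 is in the past and would be rejected as expired before the
# signature is ever checked)
jwt_header()  { printf '{"alg":"RS256","typ":"JWT"}'; }
jwt_payload() {
  printf '{"sub":"demo","aud":"%s","iss":"%s","exp":%d}' \
    "$TOKEN_ENDPOINT" "$CLIENT_ID" "$(( $(date +%s) + 300 ))"
}

# step 3: RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
build_assertion() {  # $1 = private key PEM; prints the compact JWS
  signing_input="$(jwt_header | b64url).$(jwt_payload | b64url)"
  sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s' "$signing_input" "$sig"
}

# what the server must do with the registered public key: exit 0 only if the
# signature over "header.payload" verifies under that key
verify_assertion() {  # $1 = public key PEM, $2 = compact JWT
  signing_input=${2%.*}
  printf '%s' "${2##*.}" | b64url_decode > "$WORK/sig.bin"
  printf '%s' "$signing_input" \
    | openssl dgst -sha256 -verify "$1" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

gen_keypair
ASSERTION=$(build_assertion "$WORK/private.pem")
verify_assertion "$WORK/public.pem" "$ASSERTION" && echo "assertion verifies with public.pem"

# the token request from the issue, printed rather than sent; --data-urlencode
# does the percent-encoding the issue's curl command did by hand
cat <<EOF
curl -X POST "$TOKEN_ENDPOINT" \\
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \\
  --data-urlencode "client_id=$CLIENT_ID" \\
  --data-urlencode 'scope=test' \\
  --data-urlencode "assertion=$ASSERTION"
EOF
```

If verify_assertion succeeds for public.pem here but AM still answers "JWT signature is invalid", the assertion is not the problem; the key AM is actually consulting is, which is exactly the question the issue raises about the Client JWT Bearer Public Key field versus the JWT issuer's JWK Set.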

      Expected behaviour, something like:

      { "access_token": "vTQmGkLERCMx5j_UyPEe2CAas7k", "scope": "test", "token_type": "Bearer", "expires_in": 3599 }

      Current behaviour:

      { "error_description": "Unknown JWT issuer", "error": "invalid_grant" }

      When configuring a JWT issuer (Agent ID = myJWTIssuer, Issuer = jwt-bearer-client), the outcome becomes:

      { "error_description": "JWT signature is invalid", "error": "invalid_grant" }

      And then, after setting the JWK Set in the issuer, an access_token is provided:

          {
            "access_token": "wr1wnCQBZeL9zQB7dEdmUNKqExg",
            "scope": "test",
            "token_type": "Bearer",
            "expires_in": 3599
          }

       In the end, the field Client JWT Bearer Public Key in the Signing and Encryption tab does not seem to have any effect, in contradiction to the documentation:

      Client JWT Bearer Public Key Certificate Specify the base64-encoded X509 certificate in PEM format. The certificate is never used during the signing process, but is used to obtain the client's JWT bearer public key. The client uses the private key to sign client authentication and access token request JWTs, while AM uses the public key for verification.

      It is not clear whether this is a documentation miss, a feature that is obsolete, or a regression after introducing the JWT issuer feature.





            • Assignee:
              phillcunnington Phill Cunnington
              patrickdiligent patrick diligent