OpenAM / OPENAM-7887

Unsupported Signing Algorithm, SHA256withRSA with Google-issued JWTs


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 12.0.3
    • Fix Version/s: None
    • Component/s: OpenID Connect
    • Labels: None

      Description

      I have OpenAM 12.0.3 configured with multiple subrealms. In one of them, I've configured an OIDC authentication module, to delegate authentication and authorizations to Google.

      After successful authentication in Google, my browser displays the "Authentication failed" page. The URI used to authenticate to OpenAM is /openam/UI/Login?realm=demo&module=Google

      When manually decoding the JWT returned by Google, it starts with:

      {"alg":"RS256","kid":"4a44d66f81bd7b2d6106035d5909d92441246a33"}
      {"iss":"accounts.google.com","at_hash":"bCuJbRWDHM1niQKzfxepQA","aud":"574231480884.apps.googleusercontent.com","sub":"105539256973534621243","email_verified":true,"azp":"574231480884.apps.googleusercontent.com","email":"cyril@openrock.org","iat":1450251645,"exp":1450255245}

      The Authentication debug log file contains the following stack trace:

      OAuth.process(): token=

      { "access_token" : "ya29.TAJ2pe46U-srJCytaaSYq5tWVz2kZ9s5dKQMRyEUYdyjD-yvt0K1VQaBMtTsYxj8-2Vv8g", "token_type" : "Bearer", "expires_in" : 3600, "id_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRhNDRkNjZmODFiZDdiMmQ2MTA2MDM1ZDU5MDlkOTI0NDEyNDZhMzMifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiYXRfaGFzaCI6IkJEVVdyM0trVDdENUJfMmJNb1JQclEiLCJhdWQiOiI1NzQyMzE0ODA4ODQuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDU1MzkyNTY5NzM1MzQ2MjEyNDMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXpwIjoiNTc0MjMxNDgwODg0LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJjeXJpbEBvcGVucm9jay5vcmciLCJpYXQiOjE0NTAyNTM0NDMsImV4cCI6MTQ1MDI1NzA0M30.p6kjnJ_DuRcT_019PONpF3W3S1b99eIczFaumsgMaeN3nKNIQMtzJuIq8Wah_GMK57Y_KzEDHpQYkbQejcspSEL3fD5bzNSbEJ35LL3aja2KnqZCvY33rERKzBiPfp5xzF5yFtlwClt0j-SDblEV8oPmaj1x8X8CZtLXw9wX6wIICpY0_3sIYSc-RLB5SiEeyeEKOwCrWg-qI-yQfXMvkcY3iq3UU7iskSLdgYGfqj37pl9lK5R7wdHA-8HB9I_LWAgLUh_RQOjQNCoXAkAkc22JEj7MDSNdjWo0mmt2cV_-RAHpaJ7vNS2e0oPVxpJpqCTuQvcUW4M9VEx6gkYKug"}

      amAuth:12/16/2015 08:08:04:870 AM UTC: Thread[http-bio-8443-exec-5,5,main]
      id_token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjRhNDRkNjZmODFiZDdiMmQ2MTA2MDM1ZDU5MDlkOTI0NDEyNDZhMzMifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiYXRfaGFzaCI6IkJEVVdyM0trVDdENUJfMmJNb1JQclEiLCJhdWQiOiI1NzQyMzE0ODA4ODQuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDU1MzkyNTY5NzM1MzQ2MjEyNDMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXpwIjoiNTc0MjMxNDgwODg0LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJjeXJpbEBvcGVucm9jay5vcmciLCJpYXQiOjE0NTAyNTM0NDMsImV4cCI6MTQ1MDI1NzA0M30.p6kjnJ_DuRcT_019PONpF3W3S1b99eIczFaumsgMaeN3nKNIQMtzJuIq8Wah_GMK57Y_KzEDHpQYkbQejcspSEL3fD5bzNSbEJ35LL3aja2KnqZCvY33rERKzBiPfp5xzF5yFtlwClt0j-SDblEV8oPmaj1x8X8CZtLXw9wX6wIICpY0_3sIYSc-RLB5SiEeyeEKOwCrWg-qI-yQfXMvkcY3iq3UU7iskSLdgYGfqj37pl9lK5R7wdHA-8HB9I_LWAgLUh_RQOjQNCoXAkAkc22JEj7MDSNdjWo0mmt2cV_-RAHpaJ7vNS2e0oPVxpJpqCTuQvcUW4M9VEx6gkYKug
      amAuth:12/16/2015 08:08:04:889 AM UTC: Thread[http-bio-8443-exec-5,5,main]
      ERROR: JwsSigningException
      org.forgerock.json.jose.exceptions.JwsSigningException: Unsupported Signing Algorithm, SHA256withRSA
      at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:73)
      at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.verify(HmacSigningHandler.java:95)
      at org.forgerock.json.jose.jws.SignedJwt.verify(SignedJwt.java:180)
      at org.forgerock.jaspi.modules.openid.resolvers.SharedSecretOpenIdResolverImpl.verifySignature(SharedSecretOpenIdResolverImpl.java:76)
      at org.forgerock.jaspi.modules.openid.resolvers.SharedSecretOpenIdResolverImpl.validateIdentity(SharedSecretOpenIdResolverImpl.java:66)
      at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:104)
      at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:277)
      at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1035)
      at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1209)
      at sun.reflect.GeneratedMethodAccessor83.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:210)
      at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:123)
      at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:558)
      at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:699)
      at com.sun.identity.authentication.UI.LoginViewBean.processLoginDisplay(LoginViewBean.java:1367)
      at com.sun.identity.authentication.UI.LoginViewBean.processLogin(LoginViewBean.java:854)
      at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:522)
      at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
      at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
      at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.xui.XUIFilter.doFilter(XUIFilter.java:131)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:744)
      Caused by: java.security.NoSuchAlgorithmException: Algorithm SHA256withRSA not available
      at javax.crypto.Mac.getInstance(Mac.java:176)
      at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:68)
      ... 48 more

      amLoginModule:12/16/2015 08:08:04:890 AM UTC: Thread[http-bio-8443-exec-5,5,main]
      WARNING: Cannot validate JWT
      com.sun.identity.authentication.spi.AuthLoginException: JWS token signing evaluation failure.
      at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:126)
      at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:277)
      at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1035)
      at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1209)
      at sun.reflect.GeneratedMethodAccessor83.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:210)
      at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:123)
      at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:558)
      at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:699)
      at com.sun.identity.authentication.UI.LoginViewBean.processLoginDisplay(LoginViewBean.java:1367)
      at com.sun.identity.authentication.UI.LoginViewBean.processLogin(LoginViewBean.java:854)
      at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:522)
      at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
      at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
      at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.xui.XUIFilter.doFilter(XUIFilter.java:131)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:744)

      amLoginModule:12/16/2015 08:08:04:890 AM UTC: Thread[http-bio-8443-exec-5,5,main]
      SETTING Failure Module name.... :Google
      amAuth:12/16/2015 08:08:04:891 AM UTC: Thread[http-bio-8443-exec-5,5,main]
      Module name is .. Google
      ...
      ...
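The trace above shows the OIDC module routing Google's RS256-signed id_token through SharedSecretOpenIdResolverImpl, whose HmacSigningHandler asks the JCE for a Mac named "SHA256withRSA": the token reaches a verifier built for the wrong kind of key, and the failure surfaces as a NoSuchAlgorithmException rather than as a configuration error. As an added example, not part of this issue or of OpenAM's code, the Python below shows the alg-to-key-type dispatch a verifier should do before touching any key: the protected header's `alg` selects the verifier family, an RS256 token with only a client secret configured is refused with a clear message, and `alg: none` or an unknown value is rejected outright. The header segment is the one from the id_token quoted in the description; the secret, payloads, signatures and the `HmacSha256Verifier` class are constructed for this example and use only the standard library.

```python
"""Added example (not OpenAM code): choose the verifier from the JWT's `alg`
before verifying, so an RS256 token is never handed to an HMAC handler.
Everything below except GOOGLE_HEADER_SEGMENT is constructed for the example."""
import base64
import hashlib
import hmac
import json

# Protected-header segment of the Google id_token quoted in the issue.
GOOGLE_HEADER_SEGMENT = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRhNDRkNjZmODFiZDdiMmQ2MTA2MDM1ZDU5MDlkOTI0NDEyNDZhMzMifQ"
)

# Which kind of key each allowed algorithm needs.  An HMAC secret can never
# verify an RS* token; trying to is the Mac.getInstance("SHA256withRSA") failure.
ALG_KEY_TYPE = {"HS256": "shared_secret", "RS256": "issuer_public_key"}


class VerifierMismatch(Exception):
    """The token's algorithm is not allowed or no matching key is configured."""


def b64url_decode(segment: str) -> bytes:
    """JWS segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_header(token: str) -> dict:
    """Read the protected header without trusting anything in it yet."""
    return json.loads(b64url_decode(token.split(".")[0]))


class HmacSha256Verifier:
    """Constructed HS256 verifier: the only verifier that may use a shared secret."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, signing_input: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def hs256_sign(secret: bytes, header: dict, payload: dict) -> str:
    """Mint a constructed HS256 token so the happy path can be exercised offline."""
    segs = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(secret, segs.encode("ascii"), hashlib.sha256).digest()
    return f"{segs}.{b64url_encode(mac)}"


def verify(token: str, verifiers: dict) -> dict:
    """verifiers maps a key type ("shared_secret" / "issuer_public_key") to an
    object with verify(signing_input, signature).  Returns the payload on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialisation needs exactly three segments")
    head_seg, body_seg, sig_seg = parts
    header = json.loads(b64url_decode(head_seg))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    alg = header.get("alg")
    key_type = ALG_KEY_TYPE.get(alg)
    if key_type is None:  # covers "none", unknown values and a missing alg
        raise VerifierMismatch(f"algorithm {alg!r} is not on the allow-list")
    verifier = verifiers.get(key_type)
    if verifier is None:  # the situation in this issue: RS256 token, HMAC-only config
        raise VerifierMismatch(
            f"token alg {alg} needs an {key_type} verifier, "
            f"but only {sorted(verifiers)} is configured"
        )
    signing_input = f"{head_seg}.{body_seg}".encode("ascii")
    if not verifier.verify(signing_input, b64url_decode(sig_seg)):
        raise ValueError(f"{alg} signature does not verify")
    return json.loads(b64url_decode(body_seg))


def check(token: str, verifiers: dict) -> tuple:
    """Convenience wrapper: ("ok", payload) or ("rejected", reason)."""
    try:
        return ("ok", verify(token, verifiers))
    except (VerifierMismatch, ValueError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    secret = b"constructed-client-secret"
    verifiers = {"shared_secret": HmacSha256Verifier(secret)}
    token = hs256_sign(secret, {"alg": "HS256", "typ": "JWT"}, {"iss": "example", "sub": "42"})
    print(check(token, verifiers))
    body = token.split(".")[1]
    print(check(f"{GOOGLE_HEADER_SEGMENT}.{body}.{b64url_encode(bytes(256))}", verifiers))
```

In the terms of this issue, the equivalent fix is to resolve a provider whose tokens carry `alg: RS256` through a public-key (JWKS, keyed by `kid`) resolver rather than the shared-secret one. Refusing early on the key-type mismatch also guarantees that an RS256 token can never be "verified" by an HMAC handler that happens to hold the issuer's public key as its secret.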

            People

            Assignee: Unassigned
            Reporter: cgrosjean (Cyril Grosjean)
            Votes: 0
            Watchers: 5