
Unsupported Signing Algorithm, SHA256withRSA with Google-issued JWTs

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 12.0.3
    • Fix Version/s: None
    • Component/s: OpenID Connect
    • Labels: None
    • Environment:

      Description

      I have OpenAM 12.0.3 configured with multiple subrealms. In one of them, I've configured an OIDC authentication module to delegate authentication and authorizations to Google.

      After successful authentication in Google, my browser displays the "Authentication failed" page. The URI used to authenticate to OpenAM is /openam/UI/Login?realm=demo&module=Google

      When manually decoding the JWT returned by Google, it starts with:

      {"alg":"RS256","kid":"4a44d66f81bd7b2d6106035d5909d92441246a33"} {"iss":"accounts.google.com","at_hash":"bCuJbRWDHM1niQKzfxepQA","aud":"574231480884.apps.googleusercontent.com","sub":"105539256973534621243","email_verified":true,"azp":"574231480884.apps.googleusercontent.com","email":"cyril@openrock.org","iat":1450251645,"exp":1450255245}

      The Authentication debug log file contains the following stack trace:

      OAuth.process(): token=

      { "access_token" : "ya29.TAJ2pe46U-srJCytaaSYq5tWVz2kZ9s5dKQMRyEUYdyjD-yvt0K1VQaBMtTsYxj8-2Vv8g", "token_type" : "Bearer", "expires_in" : 3600, "id_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRhNDRkNjZmODFiZDdiMmQ2MTA2MDM1ZDU5MDlkOTI0NDEyNDZhMzMifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiYXRfaGFzaCI6IkJEVVdyM0trVDdENUJfMmJNb1JQclEiLCJhdWQiOiI1NzQyMzE0ODA4ODQuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDU1MzkyNTY5NzM1MzQ2MjEyNDMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXpwIjoiNTc0MjMxNDgwODg0LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJjeXJpbEBvcGVucm9jay5vcmciLCJpYXQiOjE0NTAyNTM0NDMsImV4cCI6MTQ1MDI1NzA0M30.p6kjnJ_DuRcT_019PONpF3W3S1b99eIczFaumsgMaeN3nKNIQMtzJuIq8Wah_GMK57Y_KzEDHpQYkbQejcspSEL3fD5bzNSbEJ35LL3aja2KnqZCvY33rERKzBiPfp5xzF5yFtlwClt0j-SDblEV8oPmaj1x8X8CZtLXw9wX6wIICpY0_3sIYSc-RLB5SiEeyeEKOwCrWg-qI-yQfXMvkcY3iq3UU7iskSLdgYGfqj37pl9lK5R7wdHA-8HB9I_LWAgLUh_RQOjQNCoXAkAkc22JEj7MDSNdjWo0mmt2cV_-RAHpaJ7vNS2e0oPVxpJpqCTuQvcUW4M9VEx6gkYKug"}

      amAuth:12/16/2015 08:08:04:870 AM UTC: Thread[http-bio-8443-exec-5,5,main]
      id_token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjRhNDRkNjZmODFiZDdiMmQ2MTA2MDM1ZDU5MDlkOTI0NDEyNDZhMzMifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiYXRfaGFzaCI6IkJEVVdyM0trVDdENUJfMmJNb1JQclEiLCJhdWQiOiI1NzQyMzE0ODA4ODQuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDU1MzkyNTY5NzM1MzQ2MjEyNDMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXpwIjoiNTc0MjMxNDgwODg0LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJjeXJpbEBvcGVucm9jay5vcmciLCJpYXQiOjE0NTAyNTM0NDMsImV4cCI6MTQ1MDI1NzA0M30.p6kjnJ_DuRcT_019PONpF3W3S1b99eIczFaumsgMaeN3nKNIQMtzJuIq8Wah_GMK57Y_KzEDHpQYkbQejcspSEL3fD5bzNSbEJ35LL3aja2KnqZCvY33rERKzBiPfp5xzF5yFtlwClt0j-SDblEV8oPmaj1x8X8CZtLXw9wX6wIICpY0_3sIYSc-RLB5SiEeyeEKOwCrWg-qI-yQfXMvkcY3iq3UU7iskSLdgYGfqj37pl9lK5R7wdHA-8HB9I_LWAgLUh_RQOjQNCoXAkAkc22JEj7MDSNdjWo0mmt2cV_-RAHpaJ7vNS2e0oPVxpJpqCTuQvcUW4M9VEx6gkYKug
      amAuth:12/16/2015 08:08:04:889 AM UTC: Thread[http-bio-8443-exec-5,5,main]
      ERROR: JwsSigningException
      org.forgerock.json.jose.exceptions.JwsSigningException: Unsupported Signing Algorithm, SHA256withRSA
      at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:73)
      at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.verify(HmacSigningHandler.java:95)
      at org.forgerock.json.jose.jws.SignedJwt.verify(SignedJwt.java:180)
      at org.forgerock.jaspi.modules.openid.resolvers.SharedSecretOpenIdResolverImpl.verifySignature(SharedSecretOpenIdResolverImpl.java:76)
      at org.forgerock.jaspi.modules.openid.resolvers.SharedSecretOpenIdResolverImpl.validateIdentity(SharedSecretOpenIdResolverImpl.java:66)
      at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:104)
      at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:277)
      at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1035)
      at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1209)
      at sun.reflect.GeneratedMethodAccessor83.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:210)
      at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:123)
      at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:558)
      at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:699)
      at com.sun.identity.authentication.UI.LoginViewBean.processLoginDisplay(LoginViewBean.java:1367)
      at com.sun.identity.authentication.UI.LoginViewBean.processLogin(LoginViewBean.java:854)
      at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:522)
      at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
      at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
      at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.xui.XUIFilter.doFilter(XUIFilter.java:131)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:744)
      Caused by: java.security.NoSuchAlgorithmException: Algorithm SHA256withRSA not available
      at javax.crypto.Mac.getInstance(Mac.java:176)
      at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:68)
      ... 48 more

      amLoginModule:12/16/2015 08:08:04:890 AM UTC: Thread[http-bio-8443-exec-5,5,main]
      WARNING: Cannot validate JWT
      com.sun.identity.authentication.spi.AuthLoginException: JWS token signing evaluation failure.
      at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:126)
      at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:277)
      at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1035)
      at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1209)
      at sun.reflect.GeneratedMethodAccessor83.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:210)
      at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:123)
      at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:558)
      at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:699)
      at com.sun.identity.authentication.UI.LoginViewBean.processLoginDisplay(LoginViewBean.java:1367)
      at com.sun.identity.authentication.UI.LoginViewBean.processLogin(LoginViewBean.java:854)
      at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:522)
      at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
      at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
      at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.forgerock.openam.xui.XUIFilter.doFilter(XUIFilter.java:131)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:744)

      amLoginModule:12/16/2015 08:08:04:890 AM UTC: Thread[http-bio-8443-exec-5,5,main]
      SETTING Failure Module name.... :Google
      amAuth:12/16/2015 08:08:04:891 AM UTC: Thread[http-bio-8443-exec-5,5,main]
      Module name is .. Google
      ...
      ...
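The stack trace shows the cause: the module's shared-secret (HMAC) resolver was asked to verify an RS256 token, so it handed "SHA256withRSA" to javax.crypto.Mac, which has no such algorithm. As an added illustration (not OpenAM's code and not the reporter's), the check a resolver should make before any crypto runs: read `alg` from the protected header and route RS-family tokens to a public-key (JWK) resolver, so a shared-secret resolver fails with a configuration message instead of an internal crypto error. The header segment is the one from the report; the HS256 token, secret, function names and the hint about the module's validation-type setting are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json

# Header segment of the Google id_token quoted in the report (first JWT segment only).
GOOGLE_HEADER_SEGMENT = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRhNDRkNjZmODFiZDdiMmQ2MTA2MDM1ZDU5MDlkOTI0NDEyNDZhMzMifQ"
# JWS algorithms grouped by the key material that can verify them (RFC 7518).
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
PUBLIC_KEY_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}

def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used by JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def required_resolver(token: str) -> tuple:
    """Read the protected header and say which resolver kind can verify it, before any crypto."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    alg = header.get("alg")
    if alg in HMAC_ALGS:
        return "shared-secret", header.get("kid")
    if alg in PUBLIC_KEY_ALGS:
        return "public-key", header.get("kid")
    raise ValueError(f"unsupported or missing alg: {alg!r}")

def verify_with_shared_secret(token: str, secret: bytes) -> dict:
    """Shared-secret resolver: accepts only HMAC algs, so an RS256 token is refused with a
    configuration message instead of being handed to a MAC as 'SHA256withRSA'."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    kind, kid = required_resolver(token)
    if kind != "shared-secret":
        raise ValueError(f"token (kid={kid}) needs a {kind} resolver: validate against the "
                         "issuer's JWK set (assumed module setting), not a client secret")
    alg = json.loads(b64url_decode(header_b64))["alg"]
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("HMAC signature mismatch")
    return json.loads(b64url_decode(payload_b64))

def mint_hs256(payload: dict, secret: bytes) -> str:
    """Constructed HS256 token for the demo; not a real provider token."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"
```

Running `required_resolver` on the Google header yields the "public-key" kind and the `kid` printed in the report, which is the value the module would need to look up in Google's JWK set.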

            People

            • Assignee: Unassigned
            • Reporter: cgrosjean Cyril Grosjean
            • Votes: 0
            • Watchers: 2