- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 12.0.3
- Fix Version/s: None
- Component/s: OpenID Connect
- Labels: None
- Environment: OpenAM 12.0.3-SNAPSHOT Build -1 (2015-December-07 11:22) compiled by myself from the sources (sources downloaded on 11/27 from the sustaining/12.0.x branch of the openam-sustaining fork repo on stash).
  java version "1.7.0_45"
  Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
  Java HotSpot(TM) Client VM (build 24.45-b08, mixed mode)
  Apache 7.0.40
  Ubuntu 12.04.4 LTS
I have OpenAM 12.0.3 configured with multiple subrealms. In one of them, I've configured an OIDC authentication module, to delegate authentication and authorizations to Google.
After successful authentication in Google, my browser displays the "Authentication failed" page. The URI used to authenticate to OpenAM is /openam/UI/Login?realm=demo&module=Google
When manually decoding the JWT returned by Google, it starts with:
{"alg":"RS256","kid":"4a44d66f81bd7b2d6106035d5909d92441246a33"}
{"iss":"accounts.google.com","at_hash":"bCuJbRWDHM1niQKzfxepQA","aud":"574231480884.apps.googleusercontent.com","sub":"105539256973534621243","email_verified":true,"azp":"574231480884.apps.googleusercontent.com","email":"cyril@openrock.org","iat":1450251645,"exp":1450255245}
The Authentication debug log file contains the following stack trace:
OAuth.process(): token=
{ "access_token" : "ya29.TAJ2pe46U-srJCytaaSYq5tWVz2kZ9s5dKQMRyEUYdyjD-yvt0K1VQaBMtTsYxj8-2Vv8g", "token_type" : "Bearer", "expires_in" : 3600, "id_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRhNDRkNjZmODFiZDdiMmQ2MTA2MDM1ZDU5MDlkOTI0NDEyNDZhMzMifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiYXRfaGFzaCI6IkJEVVdyM0trVDdENUJfMmJNb1JQclEiLCJhdWQiOiI1NzQyMzE0ODA4ODQuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDU1MzkyNTY5NzM1MzQ2MjEyNDMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXpwIjoiNTc0MjMxNDgwODg0LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJjeXJpbEBvcGVucm9jay5vcmciLCJpYXQiOjE0NTAyNTM0NDMsImV4cCI6MTQ1MDI1NzA0M30.p6kjnJ_DuRcT_019PONpF3W3S1b99eIczFaumsgMaeN3nKNIQMtzJuIq8Wah_GMK57Y_KzEDHpQYkbQejcspSEL3fD5bzNSbEJ35LL3aja2KnqZCvY33rERKzBiPfp5xzF5yFtlwClt0j-SDblEV8oPmaj1x8X8CZtLXw9wX6wIICpY0_3sIYSc-RLB5SiEeyeEKOwCrWg-qI-yQfXMvkcY3iq3UU7iskSLdgYGfqj37pl9lK5R7wdHA-8HB9I_LWAgLUh_RQOjQNCoXAkAkc22JEj7MDSNdjWo0mmt2cV_-RAHpaJ7vNS2e0oPVxpJpqCTuQvcUW4M9VEx6gkYKug"}
amAuth:12/16/2015 08:08:04:870 AM UTC: Thread[http-bio-8443-exec-5,5,main]
id_token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjRhNDRkNjZmODFiZDdiMmQ2MTA2MDM1ZDU5MDlkOTI0NDEyNDZhMzMifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiYXRfaGFzaCI6IkJEVVdyM0trVDdENUJfMmJNb1JQclEiLCJhdWQiOiI1NzQyMzE0ODA4ODQuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDU1MzkyNTY5NzM1MzQ2MjEyNDMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXpwIjoiNTc0MjMxNDgwODg0LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJjeXJpbEBvcGVucm9jay5vcmciLCJpYXQiOjE0NTAyNTM0NDMsImV4cCI6MTQ1MDI1NzA0M30.p6kjnJ_DuRcT_019PONpF3W3S1b99eIczFaumsgMaeN3nKNIQMtzJuIq8Wah_GMK57Y_KzEDHpQYkbQejcspSEL3fD5bzNSbEJ35LL3aja2KnqZCvY33rERKzBiPfp5xzF5yFtlwClt0j-SDblEV8oPmaj1x8X8CZtLXw9wX6wIICpY0_3sIYSc-RLB5SiEeyeEKOwCrWg-qI-yQfXMvkcY3iq3UU7iskSLdgYGfqj37pl9lK5R7wdHA-8HB9I_LWAgLUh_RQOjQNCoXAkAkc22JEj7MDSNdjWo0mmt2cV_-RAHpaJ7vNS2e0oPVxpJpqCTuQvcUW4M9VEx6gkYKug
amAuth:12/16/2015 08:08:04:889 AM UTC: Thread[http-bio-8443-exec-5,5,main]
ERROR: JwsSigningException
org.forgerock.json.jose.exceptions.JwsSigningException: Unsupported Signing Algorithm, SHA256withRSA
at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:73)
at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.verify(HmacSigningHandler.java:95)
at org.forgerock.json.jose.jws.SignedJwt.verify(SignedJwt.java:180)
at org.forgerock.jaspi.modules.openid.resolvers.SharedSecretOpenIdResolverImpl.verifySignature(SharedSecretOpenIdResolverImpl.java:76)
at org.forgerock.jaspi.modules.openid.resolvers.SharedSecretOpenIdResolverImpl.validateIdentity(SharedSecretOpenIdResolverImpl.java:66)
at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:104)
at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:277)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1035)
at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1209)
at sun.reflect.GeneratedMethodAccessor83.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:210)
at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:123)
at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:558)
at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:699)
at com.sun.identity.authentication.UI.LoginViewBean.processLoginDisplay(LoginViewBean.java:1367)
at com.sun.identity.authentication.UI.LoginViewBean.processLogin(LoginViewBean.java:854)
at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:522)
at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.forgerock.openam.xui.XUIFilter.doFilter(XUIFilter.java:131)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.NoSuchAlgorithmException: Algorithm SHA256withRSA not available
at javax.crypto.Mac.getInstance(Mac.java:176)
at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:68)
... 48 more
amLoginModule:12/16/2015 08:08:04:890 AM UTC: Thread[http-bio-8443-exec-5,5,main]
WARNING: Cannot validate JWT
com.sun.identity.authentication.spi.AuthLoginException: JWS token signing evaluation failure.
at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:126)
at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:277)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1035)
at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1209)
at sun.reflect.GeneratedMethodAccessor83.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:210)
at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:123)
at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:558)
at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:699)
at com.sun.identity.authentication.UI.LoginViewBean.processLoginDisplay(LoginViewBean.java:1367)
at com.sun.identity.authentication.UI.LoginViewBean.processLogin(LoginViewBean.java:854)
at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:522)
at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.forgerock.openam.xui.XUIFilter.doFilter(XUIFilter.java:131)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
amLoginModule:12/16/2015 08:08:04:890 AM UTC: Thread[http-bio-8443-exec-5,5,main]
SETTING Failure Module name.... :Google
amAuth:12/16/2015 08:08:04:891 AM UTC: Thread[http-bio-8443-exec-5,5,main]
Module name is .. Google
...
...
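The trace above shows the shared-secret resolver (SharedSecretOpenIdResolverImpl) handing an RS256 id_token to the HMAC handler, so the JCE lookup fails with "Algorithm SHA256withRSA not available" and the user sees a generic authentication failure. As an added illustration, not OpenAM's own code, the Python below performs the pre-check a verifier should make first: compare the JWS `alg` header with the kind of key the module is configured with and refuse mismatches in both directions (an RS256 token against a shared secret, as in this report, and an HS256 token against a public key) with a clear error. The header and claims are copied from the decoded token in the report; the key-type table, function names and the placeholder signature are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Verification material each JWS alg requires; anything else (including "none") is refused.
KEY_TYPE_FOR_ALG = {
    "HS256": "shared_secret", "HS384": "shared_secret", "HS512": "shared_secret",
    "RS256": "public_key", "RS384": "public_key", "RS512": "public_key",
    "ES256": "public_key", "ES384": "public_key", "ES512": "public_key",
}

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_alg_against_config(token: str, configured_key_type: str) -> str:
    """Return the token's alg if it matches the configured key type; raise before any signing handler runs (hypothetical pre-check)."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    alg = header.get("alg")
    needed = KEY_TYPE_FOR_ALG.get(alg)
    if needed is None:
        raise ValueError(f"unsupported or missing alg: {alg!r}")
    if needed != configured_key_type:
        raise ValueError(f"alg {alg} needs a {needed}, but the module is configured with a {configured_key_type}")
    return alg

def verify_hs256(token: str, secret: bytes) -> dict:
    # Shared-secret path, guarded so an RS256 token can never reach the HMAC computation.
    check_alg_against_config(token, "shared_secret")
    h, p, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def make_token(header: dict, payload: dict, secret: bytes = b"") -> str:
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest() if secret else b""
    return f"{h}.{p}.{b64url_encode(sig)}"

# Constructed sample: header and claims copied from the report's decoded Google id_token,
# with a placeholder (empty) signature, so only the alg/key-type dispatch is exercised.
GOOGLE_HEADER = {"alg": "RS256", "kid": "4a44d66f81bd7b2d6106035d5909d92441246a33"}
GOOGLE_CLAIMS = {"iss": "accounts.google.com", "aud": "574231480884.apps.googleusercontent.com"}
RS256_TOKEN = make_token(GOOGLE_HEADER, GOOGLE_CLAIMS)
```

With the module configured for a shared secret, `check_alg_against_config(RS256_TOKEN, "shared_secret")` raises the descriptive mismatch error instead of the JCE NoSuchAlgorithmException seen in the log.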