OpenAM / OPENAM-8269

"AuthId JWT Signature not valid" error in multi-instance deployments on 13


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 13.0.0
    • Fix Version/s: 13.5.0
    • Component/s: authentication

      Description

      In OpenAM 13.0.0 the authID token is signed by a random key generated when OpenAM starts. In a multi-instance deployment the keys are different, and if the server where authentication takes place is different from the server where the authID was generated, the second server will not be able to validate the authID token and will generate the "AuthId JWT Signature not valid" error.

      I reproduced it the following way:

      • Set up a deployment with two OpenAM 13.0.0 instances
      • In Postman, start authentication on server1 at openam.example.com:18080/openam/json/authenticate
      • For the second step, when returning credentials, switch to the second server openam2.example.com:28080/openam/json/authenticate?

      The answer I get is:

      {
          "code": 400,
          "reason": "Bad Request",
          "message": "AuthId JWT Signature not valid"
      }

      When looking into the export configuration, the value that causes the issue is:

      <AttributeSchema cosQualifier="default" i18nKey="a160" isSearchable="no" listOrder="natural" name="iplanet-am-auth-hmac-signing-shared-secret" resourceName="sharedSecret" syntax="password" type="single" validator="RequiredValueValidator">
          <DefaultValues>
              <DefaultValuesClassName className="org.forgerock.openam.sm.HmacSharedSecretDefaultValues"></DefaultValuesClassName>
          </DefaultValues>
      </AttributeSchema>

      Workaround:

      Replacing that value with a static key fixes the problem. The key needs to be a random 128-bit string, base64 encoded.

      To do that you can either use the console, under:

      Realms > Edit realm > Authentication > Settings > Security > Organization Authentication Signing Secret > Save

      or

      ssoadm set-realm-svc-attrs -u amadmin -f PATH_TO_PWD_FILE -s iPlanetAMAuthService -e / -a iplanet-am-auth-hmac-signing-shared-secret=BASE64_ENCODED_STRING
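      As an added illustration (not part of this issue or of OpenAM's code), the following Python shows why two instances holding independent random HMAC keys reject each other's authId tokens, why one shared secret fixes it, and how to generate and sanity-check a 128-bit base64 secret for the workaround. The JWT claims and the key handling are constructed assumptions, not OpenAM's actual token format or configuration code.

```python
import base64
import hashlib
import hmac
import json
import os

def b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for header, payload and signature
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_auth_id(claims: dict, secret: bytes) -> str:
    """Issue an HS256-signed token, as an instance would with its HMAC secret."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_auth_id(token: str, secret: bytes) -> bool:
    """True only if the signature was produced with this secret (constant-time compare)."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False  # malformed token
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)

def second_step_on_other_server(shared_secret: bool) -> bool:
    """Constructed scenario: server1 issues the authId, the second step lands on server2."""
    key1 = os.urandom(16)  # each instance boots with its own random key (13.0.0 behaviour)
    key2 = key1 if shared_secret else os.urandom(16)
    # constructed claims; the real authId payload is not reproduced here
    token = sign_auth_id({"realm": "/", "stage": 1}, key1)
    return verify_auth_id(token, key2)

def new_shared_secret() -> str:
    """Random 128-bit secret, base64 encoded, as the workaround requires."""
    return base64.b64encode(os.urandom(16)).decode()

def is_valid_shared_secret(value: str) -> bool:
    """Check that a configured value is valid base64 decoding to exactly 16 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
```

      The same value from new_shared_secret() must be set on every instance for the second step to succeed, which is exactly what the console or ssoadm step above does.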

              People

              • Assignee: Sachiko Wallace (sachiko)
              • Reporter: Nathalie Hoet (nathalie.hoet)

                  Time Tracking

                  • Original Estimate: 6h
                  • Time Spent: 4h
                  • Remaining Estimate: 2h