ForgeRock / jwt-bearer-client

Sample JWT Bearer Client

Client gets an HTTP 400: "server_error" #1

Closed markcraig closed 10 years ago

markcraig commented 10 years ago

At present the client is broken somehow.

Headers:
{ "alg": "RS256" }
Claims:
{ "sub": "jwt-bearer-client", "aud": "http://openam.example.com:8088/openam", "iss": "jwt-bearer-client", "exp": "1414502149600" }
Signature:
OPk2zjnEbY1V65xTY6fJsliZRt_RjF41ub0wDjxASKzILkvKhrHNmHKFoZoR1Gpnr8xghlmVLHEo9StlDqEj69da4JHj5bCMNneCpvQj8jcr9W8Ln07rgZRImmurW3koR4EC5_BBA5Bqrp21BbTZBY3XZqKz2IsTeWKK6_ODezxTohUI80sx0MdLAyUxmjKLxflrer_ZXbbXwwJ6z0eUqI684u6erz_yT4S8lZhIAUv2kVTYse53jK2k7jDruBe4-EYn-wCTq48nPSGLJeg1JHMKHUPGSdYoNEaFHdw3M-dbacTt3CIGQzPrAmMXdFBdo1FS5pFQCq2GcxnebTleAQ

POSTing the following as a JWT bearer token:
eyAiYWxnIjogIlJTMjU2IiB9.eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6ICJodHRwOi8vb3BlbmFtLmV4YW1wbGUuY29tOjgwODgvb3BlbmFtIiwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJleHAiOiAiMTQxNDUwMjE0OTYwMCIgfQ.OPk2zjnEbY1V65xTY6fJsliZRt_RjF41ub0wDjxASKzILkvKhrHNmHKFoZoR1Gpnr8xghlmVLHEo9StlDqEj69da4JHj5bCMNneCpvQj8jcr9W8Ln07rgZRImmurW3koR4EC5_BBA5Bqrp21BbTZBY3XZqKz2IsTeWKK6_ODezxTohUI80sx0MdLAyUxmjKLxflrer_ZXbbXwwJ6z0eUqI684u6erz_yT4S8lZhIAUv2kVTYse53jK2k7jDruBe4-EYn-wCTq48nPSGLJeg1JHMKHUPGSdYoNEaFHdw3M-dbacTt3CIGQzPrAmMXdFBdo1FS5pFQCq2GcxnebTleAQ

Response code: 400
{"error":"invalid_client","error_description":"Client authentication failed"}

I have not yet found the log message that tells me what is going wrong.
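
The claims decoded above carry "exp" as a string of what looks like a millisecond timestamp, and "aud" as a bare string. RFC 7519 defines exp and nbf as NumericDate values, integer seconds since the Unix epoch, and allows aud either as a string or as an array. The Go program below is an added illustration, not code from jwt-bearer-client or from OpenAM: it builds an RFC 7523 client assertion with correctly typed claims and then checks it the way a token endpoint should, signature over the exact header.payload bytes with a pinned RS256 algorithm first, then iss, sub, aud, exp and nbf, plus a cap on how far ahead exp may lie so that a millisecond value is rejected rather than accepted as valid for tens of thousands of years. The key pair, the lifetimes and the audience check are constructed for the example; the audience string reuses the URL from the issue only as a placeholder for whatever identifier the authorization server expects.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Audience accepts "aud" as one string or as an array; RFC 7519 allows both.
type Audience []string
func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil { // single-string form
		*a = Audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a)) // array form
}

// Claims is the RFC 7523 client-assertion claim set; exp and nbf are NumericDate (integer seconds).
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud Audience `json:"aud"`
	Exp int64    `json:"exp"`
	Nbf int64    `json:"nbf,omitempty"`
}

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url
// GenerateKey makes the throwaway client key pair used by this example.
func GenerateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignAssertion signs a claim set as an RS256 JWT; pass Claims, or json.RawMessage for raw (even malformed) claims.
func SignAssertion(key *rsa.PrivateKey, claims interface{}) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	header := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion is the token-endpoint side: signature first, then the claim checks.
func VerifyAssertion(pub *rsa.PublicKey, token, wantIss, wantAud string,
	now time.Time, maxLifetime time.Duration) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT: expected three segments")
	}
	seg := make([][]byte, 3)
	for i, p := range parts {
		if seg[i], err = b64.DecodeString(p); err != nil {
			return c, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return c, errors.New("only RS256 is accepted; the header must not choose the algorithm")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return c, errors.New("signature verification failed")
	}
	// A string-valued exp, as in the first token in this issue, fails here: it is not an int64.
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return c, fmt.Errorf("claims are not RFC 7523 shaped: %w", err)
	}
	if c.Iss != wantIss || c.Sub == "" {
		return c, errors.New("iss or sub check failed")
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == wantAud
	}
	t := now.Unix()
	if !audOK || c.Exp == 0 || t >= c.Exp || (c.Nbf != 0 && t < c.Nbf) {
		return c, errors.New("aud, exp or nbf check failed")
	}
	// Milliseconds mistaken for seconds land far in the future; RFC 7523 lets the server reject that.
	if c.Exp-t > int64(maxLifetime/time.Second) {
		return c, errors.New("exp is unreasonably far in the future")
	}
	return c, nil
}
```

On the client side, call SignAssertion with a Claims value; to see the negative path, sign a json.RawMessage holding the first token's claims and VerifyAssertion rejects it at the claims-decoding step, while a numeric millisecond exp is rejected by the lifetime cap. A production verifier would additionally keep a jti replay cache and compare aud against the identifier the authorization server publishes for itself (RFC 7523 names the token endpoint URL as one acceptable value).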

markcraig commented 10 years ago

Probably the use case is where the client is both client and resource owner (perhaps for its own profile).

markcraig commented 10 years ago

With https://github.com/markcraig/jwt-bearer-client/commit/e08c742595eb806dbc8e9de423a003e152701fba the client is getting a different error, and there's a stack trace in the ~/openam/openam/debug/OAuth2Provider log.

On the client side the output is now as follows:

POSTing the following as a JWT bearer token:
eyAidHlwIjogImp3dCIsICJhbGciOiAiUlMyNTYiIH0.eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9vcGVuYW0uZXhhbXBsZS5jb206ODA4OC9vcGVuYW0iIF0sICJuYmYiOiAxNDE0NTg5NTU2LCAiaXNzIjogImp3dC1iZWFyZXItY2xpZW50IiwgImV4cCI6IDE0MTQ1OTA3NTYgfQ.csEE9PiSw7PFRREkj1DLb0w1vBpm1a68qoPkMINMr-nRRRo06sLfWBgACEvyIaDPhh6VVVv0gkdhO-_WIYjwZrYx1UG4oEm1kottUFDGTu5zeDlgPAj6TL568SH38iYy0PiqS_e-WRKF5YnT2eQBg-1nGawLYyXf7uCKBGRRNBRzC8QdIEhej17H4qePmgtDu4m_AmfLrja4lVx7A8SGKcjeK1YvbKhhdz03B7yd7Oyem57hxEzBKdEurEpbWyJ8bAHtwae-wOeXYPAX5s3zGVboi5dRqNmGP1Y1Et88YauQ1E3K2nXe6tZqYqNCEL1QdU35FsIp07dyzPIl_dDPgg

Response code: 400
{"error":"server_error","error_description":"server_error"}

The stack trace in the debug log shows OpenAM apparently failing to find the public key:

OAuth2Provider:10/29/2014 02:42:36:875 PM CET: Thread[http-bio-8088-exec-1,5,main]
ERROR: Unable to get Client Bearer Jwt Public key from repository
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
    at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)
    at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
    at org.forgerock.openam.oauth2.OpenAMClientRegistration.getClientJwtSigningHandler(OpenAMClientRegistration.java:309)
    at org.forgerock.oauth2.core.JwtBearerGrantTypeHandler.handle(JwtBearerGrantTypeHandler.java:60)
    at org.forgerock.oauth2.core.AccessTokenServiceImpl.requestAccessToken(AccessTokenServiceImpl.java:86)
    at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:79)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:503)
    at org.restlet.resource.ServerResource.post(ServerResource.java:1216)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:592)
    at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:649)
    at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
    at org.restlet.resource.ServerResource.handle(ServerResource.java:952)
    at org.restlet.resource.Finder.handle(Finder.java:246)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Router.doHandle(Router.java:431)
    at org.restlet.routing.Router.handle(Router.java:648)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Router.doHandle(Router.java:431)
    at org.restlet.routing.Router.handle(Router.java:648)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:155)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:211)
    at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:84)
    at org.restlet.Application.handle(Application.java:381)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Router.doHandle(Router.java:431)
    at org.restlet.routing.Router.handle(Router.java:648)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Router.doHandle(Router.java:431)
    at org.restlet.routing.Router.handle(Router.java:648)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:211)
    at org.restlet.Component.handle(Component.java:392)
    at org.restlet.Server.handle(Server.java:516)
    at org.restlet.engine.ServerHelper.handle(ServerHelper.java:72)
    at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:152)
    at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1089)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
    at sun.security.x509.X509Key.decode(X509Key.java:397)
    at sun.security.x509.X509Key.decode(X509Key.java:403)
    at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:83)
    at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
    at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
    ... 81 more

The updated client profile in OpenAM is, I hope, using the correct headers and footers now:

com.forgerock.openam.oauth2provider.clientJwtPublicKey=-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----
com.forgerock.openam.oauth2provider.clientType=Confidential
com.forgerock.openam.oauth2provider.contacts[0]=
com.forgerock.openam.oauth2provider.defaultScopes[0]=
com.forgerock.openam.oauth2provider.description[0]=
com.forgerock.openam.oauth2provider.idTokenSignedResponseAlg=HS256
com.forgerock.openam.oauth2provider.name[0]=
com.forgerock.openam.oauth2provider.redirectionURIs[0]=
com.forgerock.openam.oauth2provider.responseTypes[0]=code
com.forgerock.openam.oauth2provider.responseTypes[1]=token
com.forgerock.openam.oauth2provider.responseTypes[2]=id_token
com.forgerock.openam.oauth2provider.responseTypes[3]=code token
com.forgerock.openam.oauth2provider.responseTypes[4]=token id_token
com.forgerock.openam.oauth2provider.responseTypes[5]=code id_token
com.forgerock.openam.oauth2provider.responseTypes[6]=code token id_token
com.forgerock.openam.oauth2provider.scopes[0]=
sunIdentityServerDeviceStatus=Active
userpassword=password
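
The Caused by line reports that the JDK's X509Key.decode found tag -96 where it expected an OBJECT IDENTIFIER. As a signed byte, -96 is 0xA0, a context-specific [0] tag, and X509Key.decode reaches that position by reading the outer SEQUENCE, taking its first element as the AlgorithmIdentifier SEQUENCE and then reading the OID inside it. The Go program below is an added illustration, not code from jwt-bearer-client or from OpenAM: it repeats that same walk over whatever sits between the PEM header and footer, reports which ASN.1 structure the blob really is, and builds its own constructed inputs from a throwaway key. Of those inputs, the self-signed certificate yields exactly -96 at that position, because a TBSCertificate begins with its [0]-tagged version field; whether that is what happened in this issue cannot be told from the redacted value above, so the check is meant to be run against the real pasted string.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Report says what a PEM block pasted into a "public key" field really holds.
type Report struct {
	Kind     string // "spki", "certificate", "pkcs1-public", "private-key" or "unknown"
	AlgIdTag int8   // identifier octet where the OID (6) belongs; 0 if the walk failed earlier
}

// algIdFirstTag repeats the walk the JDK's X509Key.decode performs: outer
// SEQUENCE, its first element as the AlgorithmIdentifier SEQUENCE, then the
// first element inside that, which must be an OBJECT IDENTIFIER. The identifier
// octet comes back as a signed byte so that 0xA0 reads as -96, like the trace.
func algIdFirstTag(der []byte) (int8, error) {
	var outer, algid, first asn1.RawValue
	if _, err := asn1.Unmarshal(der, &outer); err != nil {
		return 0, err
	}
	if outer.Class != asn1.ClassUniversal || outer.Tag != asn1.TagSequence {
		return 0, errors.New("outer element is not a SEQUENCE")
	}
	if _, err := asn1.Unmarshal(outer.Bytes, &algid); err != nil {
		return 0, err
	}
	if algid.Class != asn1.ClassUniversal || algid.Tag != asn1.TagSequence {
		return 0, errors.New("first element is not a SEQUENCE: no AlgorithmIdentifier here")
	}
	if _, err := asn1.Unmarshal(algid.Bytes, &first); err != nil {
		return 0, err
	}
	return int8(first.FullBytes[0]), nil
}

// Inspect classifies one PEM block and records what the JDK-style walk sees.
func Inspect(pemText string) (Report, error) {
	var r Report
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return r, errors.New("no PEM block found; check the BEGIN/END lines and line breaks")
	}
	der := block.Bytes
	r.AlgIdTag, _ = algIdFirstTag(der) // 0 on failure, by construction
	if _, e := x509.ParsePKIXPublicKey(der); e == nil {
		r.Kind = "spki" // SubjectPublicKeyInfo: the only form an X509EncodedKeySpec consumer reads
	} else if _, e := x509.ParseCertificate(der); e == nil {
		r.Kind = "certificate"
	} else if _, e := x509.ParsePKCS1PublicKey(der); e == nil {
		r.Kind = "pkcs1-public" // the "BEGIN RSA PUBLIC KEY" form
	} else if _, e := x509.ParsePKCS8PrivateKey(der); e == nil {
		r.Kind = "private-key"
	} else if _, e := x509.ParsePKCS1PrivateKey(der); e == nil {
		r.Kind = "private-key"
	} else {
		r.Kind = "unknown"
	}
	return r, nil
}

// SampleInputs is constructed material from a throwaway key: the same public
// key as SubjectPublicKeyInfo, as a self-signed certificate and as a PKCS#1
// RSAPublicKey, plus the matching PKCS#1 private key.
func SampleInputs() (spki, cert, pkcs1, priv string, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	spkiDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return
	}
	tmpl := &x509.Certificate{ // minimal self-signed template; the values are made up
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "jwt-bearer-client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return
	}
	enc := func(t string, b []byte) string {
		return string(pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}))
	}
	return enc("PUBLIC KEY", spkiDER), enc("CERTIFICATE", certDER),
		enc("RSA PUBLIC KEY", x509.MarshalPKCS1PublicKey(&key.PublicKey)),
		enc("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(key)), nil
}
```

Inspect returns Kind "spki" with AlgIdTag 6 for a well-formed PUBLIC KEY block; any other Kind names what was pasted instead. The usual remedies: export the key from a certificate with `openssl x509 -pubkey -noout -in cert.pem`, convert an RSA PUBLIC KEY block with `openssl rsa -RSAPublicKey_in -in key.pem -pubout`, and if a private key turns up in a server-side client profile, remove it and rotate it, since the profile is readable by administrators and backups.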