ForgeRock / jwt-bearer-client

Sample JWT Bearer Client

Client gets an HTTP 400: "server_error" #1

Closed markcraig closed 9 years ago

markcraig commented 9 years ago

At present the client is broken somehow.

Headers:
{ "alg": "RS256" }
Claims:
{ "sub": "jwt-bearer-client", "aud": "http://openam.example.com:8088/openam", "iss": "jwt-bearer-client", "exp": "1414502149600" }
Signature:
OPk2zjnEbY1V65xTY6fJsliZRt_RjF41ub0wDjxASKzILkvKhrHNmHKFoZoR1Gpnr8xghlmVLHEo9StlDqEj69da4JHj5bCMNneCpvQj8jcr9W8Ln07rgZRImmurW3koR4EC5_BBA5Bqrp21BbTZBY3XZqKz2IsTeWKK6_ODezxTohUI80sx0MdLAyUxmjKLxflrer_ZXbbXwwJ6z0eUqI684u6erz_yT4S8lZhIAUv2kVTYse53jK2k7jDruBe4-EYn-wCTq48nPSGLJeg1JHMKHUPGSdYoNEaFHdw3M-dbacTt3CIGQzPrAmMXdFBdo1FS5pFQCq2GcxnebTleAQ

POSTing the following as a JWT bearer token:
eyAiYWxnIjogIlJTMjU2IiB9.eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6ICJodHRwOi8vb3BlbmFtLmV4YW1wbGUuY29tOjgwODgvb3BlbmFtIiwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJleHAiOiAiMTQxNDUwMjE0OTYwMCIgfQ.OPk2zjnEbY1V65xTY6fJsliZRt_RjF41ub0wDjxASKzILkvKhrHNmHKFoZoR1Gpnr8xghlmVLHEo9StlDqEj69da4JHj5bCMNneCpvQj8jcr9W8Ln07rgZRImmurW3koR4EC5_BBA5Bqrp21BbTZBY3XZqKz2IsTeWKK6_ODezxTohUI80sx0MdLAyUxmjKLxflrer_ZXbbXwwJ6z0eUqI684u6erz_yT4S8lZhIAUv2kVTYse53jK2k7jDruBe4-EYn-wCTq48nPSGLJeg1JHMKHUPGSdYoNEaFHdw3M-dbacTt3CIGQzPrAmMXdFBdo1FS5pFQCq2GcxnebTleAQ

Response code: 400
{"error":"invalid_client","error_description":"Client authentication failed"}

I have not yet found the log message that tells me what is going wrong.
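The two assertions quoted in this thread, decoded and checked against the claim rules of RFC 7523 (the JWT profile for OAuth 2.0 client authentication). This is an added example, not code from the jwt-bearer-client project: TOKEN_V1 is the token from the comment above and TOKEN_V2 the one posted after commit e08c742, both copied verbatim; OPENAM_AUDIENCE is the `aud` value they carry. Only the header and claim set are inspected, since the client's public key is not reproduced on this page and the signature cannot be verified without it.

```python
"""Decode JWT bearer assertions and check the claim set the way an OAuth 2.0
token endpoint would before it ever looks up a signing key.

Added example, not project code. TOKEN_V1 / TOKEN_V2 are the assertions
quoted in the issue; OPENAM_AUDIENCE is the audience they name."""
import base64
import json

OPENAM_AUDIENCE = "http://openam.example.com:8088/openam"

TOKEN_V1 = (
    "eyAiYWxnIjogIlJTMjU2IiB9."
    "eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6ICJodHRwOi8vb3BlbmFtLmV4YW1wbGUuY29tOjgwODgvb3BlbmFtIiwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJleHAiOiAiMTQxNDUwMjE0OTYwMCIgfQ."
    "OPk2zjnEbY1V65xTY6fJsliZRt_RjF41ub0wDjxASKzILkvKhrHNmHKFoZoR1Gpnr8xghlmVLHEo9StlDqEj69da4JHj5bCMNneCpvQj8jcr9W8Ln07rgZRImmurW3koR4EC5_BBA5Bqrp21BbTZBY3XZqKz2IsTeWKK6_ODezxTohUI80sx0MdLAyUxmjKLxflrer_ZXbbXwwJ6z0eUqI684u6erz_yT4S8lZhIAUv2kVTYse53jK2k7jDruBe4-EYn-wCTq48nPSGLJeg1JHMKHUPGSdYoNEaFHdw3M-dbacTt3CIGQzPrAmMXdFBdo1FS5pFQCq2GcxnebTleAQ"
)

TOKEN_V2 = (
    "eyAidHlwIjogImp3dCIsICJhbGciOiAiUlMyNTYiIH0."
    "eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9vcGVuYW0uZXhhbXBsZS5jb206ODA4OC9vcGVuYW0iIF0sICJuYmYiOiAxNDE0NTg5NTU2LCAiaXNzIjogImp3dC1iZWFyZXItY2xpZW50IiwgImV4cCI6IDE0MTQ1OTA3NTYgfQ."
    "csEE9PiSw7PFRREkj1DLb0w1vBpm1a68qoPkMINMr-nRRRo06sLfWBgACEvyIaDPhh6VVVv0gkdhO-_WIYjwZrYx1UG4oEm1kottUFDGTu5zeDlgPAj6TL568SH38iYy0PiqS_e-WRKF5YnT2eQBg-1nGawLYyXf7uCKBGRRNBRzC8QdIEhej17H4qePmgtDu4m_AmfLrja4lVx7A8SGKcjeK1YvbKhhdz03B7yd7Oyem57hxEzBKdEurEpbWyJ8bAHtwae-wOeXYPAX5s3zGVboi5dRqNmGP1Y1Et88YauQ1E3K2nXe6tZqYqNCEL1QdU35FsIp07dyzPIl_dDPgg"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Split a compact JWS into (header, claims). The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def _is_numeric_date(value) -> bool:
    # RFC 7519 NumericDate is a JSON number (bool is excluded, it is an int in Python).
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def _looks_like_millis(value) -> bool:
    # Heuristic: seconds since the epoch stay below 10**11 until the year 5138;
    # anything above that almost certainly came from a millisecond clock.
    return value > 10**11


def check_assertion_claims(claims: dict, now: int, expected_aud: str = OPENAM_AUDIENCE) -> list:
    """Return the problems an RFC 7523 verifier would raise for this claim set at
    time `now` (seconds since the epoch). An empty list means the claims pass."""
    problems = []
    for name in ("iss", "sub", "aud", "exp"):
        if name not in claims:
            problems.append(f"missing required claim '{name}'")
    for name in ("exp", "nbf", "iat"):
        if name not in claims:
            continue
        value = claims[name]
        if isinstance(value, str) and value.isdigit():
            problems.append(f"'{name}' is a JSON string, NumericDate must be a JSON number")
            value = int(value)  # still check the magnitude below
        elif not _is_numeric_date(value):
            problems.append(f"'{name}' is not a NumericDate: {value!r}")
            continue
        if _looks_like_millis(value):
            problems.append(f"'{name}' = {value} looks like milliseconds; NumericDate is seconds since the epoch")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if _is_numeric_date(exp) and not _looks_like_millis(exp) and exp <= now:
        problems.append("assertion expired")
    if _is_numeric_date(nbf) and nbf > now:
        problems.append("assertion not yet valid (nbf is in the future)")
    aud = claims.get("aud")
    if aud is not None:
        audiences = [aud] if isinstance(aud, str) else list(aud)  # aud may be string or array
        if expected_aud not in audiences:
            problems.append(f"audience {audiences} does not include {expected_aud}")
    return problems


if __name__ == "__main__":
    for label, token, now in (("first token", TOKEN_V1, 1414502000), ("second token", TOKEN_V2, 1414590000)):
        header, claims = decode_jwt(token)
        print(label, header, claims)
        print("  problems:", check_assertion_claims(claims, now) or "none")
```

Run against the first token this reports that `exp` is a string and that its value is a millisecond timestamp; the second token (integer `exp` and `nbf`, `aud` as an array, `typ` header) passes the claim checks, which is consistent with the server getting as far as the public key lookup in the later comment.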

markcraig commented 9 years ago

Probably the use case is where the client is both client and resource owner (perhaps for its own profile).

markcraig commented 9 years ago

With https://github.com/markcraig/jwt-bearer-client/commit/e08c742595eb806dbc8e9de423a003e152701fba the client is getting a different error, and there's a stack trace in the ~/openam/openam/debug/OAuth2Provider log.

On the client side the output is now as follows:

POSTing the following as a JWT bearer token:
eyAidHlwIjogImp3dCIsICJhbGciOiAiUlMyNTYiIH0.eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9vcGVuYW0uZXhhbXBsZS5jb206ODA4OC9vcGVuYW0iIF0sICJuYmYiOiAxNDE0NTg5NTU2LCAiaXNzIjogImp3dC1iZWFyZXItY2xpZW50IiwgImV4cCI6IDE0MTQ1OTA3NTYgfQ.csEE9PiSw7PFRREkj1DLb0w1vBpm1a68qoPkMINMr-nRRRo06sLfWBgACEvyIaDPhh6VVVv0gkdhO-_WIYjwZrYx1UG4oEm1kottUFDGTu5zeDlgPAj6TL568SH38iYy0PiqS_e-WRKF5YnT2eQBg-1nGawLYyXf7uCKBGRRNBRzC8QdIEhej17H4qePmgtDu4m_AmfLrja4lVx7A8SGKcjeK1YvbKhhdz03B7yd7Oyem57hxEzBKdEurEpbWyJ8bAHtwae-wOeXYPAX5s3zGVboi5dRqNmGP1Y1Et88YauQ1E3K2nXe6tZqYqNCEL1QdU35FsIp07dyzPIl_dDPgg

Response code: 400
{"error":"server_error","error_description":"server_error"}

The stack trace in the debug log shows OpenAM apparently failing to find the public key:

OAuth2Provider:10/29/2014 02:42:36:875 PM CET: Thread[http-bio-8088-exec-1,5,main]
ERROR: Unable to get Client Bearer Jwt Public key from repository
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
    at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)
    at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
    at org.forgerock.openam.oauth2.OpenAMClientRegistration.getClientJwtSigningHandler(OpenAMClientRegistration.java:309)
    at org.forgerock.oauth2.core.JwtBearerGrantTypeHandler.handle(JwtBearerGrantTypeHandler.java:60)
    at org.forgerock.oauth2.core.AccessTokenServiceImpl.requestAccessToken(AccessTokenServiceImpl.java:86)
    at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:79)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:503)
    at org.restlet.resource.ServerResource.post(ServerResource.java:1216)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:592)
    at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:649)
    at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
    at org.restlet.resource.ServerResource.handle(ServerResource.java:952)
    at org.restlet.resource.Finder.handle(Finder.java:246)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Router.doHandle(Router.java:431)
    at org.restlet.routing.Router.handle(Router.java:648)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Router.doHandle(Router.java:431)
    at org.restlet.routing.Router.handle(Router.java:648)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:155)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:211)
    at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:84)
    at org.restlet.Application.handle(Application.java:381)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Router.doHandle(Router.java:431)
    at org.restlet.routing.Router.handle(Router.java:648)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.routing.Router.doHandle(Router.java:431)
    at org.restlet.routing.Router.handle(Router.java:648)
    at org.restlet.routing.Filter.doHandle(Filter.java:159)
    at org.restlet.routing.Filter.handle(Filter.java:206)
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:211)
    at org.restlet.Component.handle(Component.java:392)
    at org.restlet.Server.handle(Server.java:516)
    at org.restlet.engine.ServerHelper.handle(ServerHelper.java:72)
    at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:152)
    at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1089)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
    at sun.security.x509.X509Key.decode(X509Key.java:397)
    at sun.security.x509.X509Key.decode(X509Key.java:403)
    at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:83)
    at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
    at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
    ... 81 more

The updated client profile in OpenAM is, I hope, using the correct headers and footers now:

com.forgerock.openam.oauth2provider.clientJwtPublicKey=-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
com.forgerock.openam.oauth2provider.clientType=Confidential
com.forgerock.openam.oauth2provider.contacts[0]=
com.forgerock.openam.oauth2provider.defaultScopes[0]=
com.forgerock.openam.oauth2provider.description[0]=
com.forgerock.openam.oauth2provider.idTokenSignedResponseAlg=HS256
com.forgerock.openam.oauth2provider.name[0]=
com.forgerock.openam.oauth2provider.redirectionURIs[0]=
com.forgerock.openam.oauth2provider.responseTypes[0]=code
com.forgerock.openam.oauth2provider.responseTypes[1]=token
com.forgerock.openam.oauth2provider.responseTypes[2]=id_token
com.forgerock.openam.oauth2provider.responseTypes[3]=code token
com.forgerock.openam.oauth2provider.responseTypes[4]=token id_token
com.forgerock.openam.oauth2provider.responseTypes[5]=code id_token
com.forgerock.openam.oauth2provider.responseTypes[6]=code token id_token
com.forgerock.openam.oauth2provider.scopes[0]=
sunIdentityServerDeviceStatus=Active
userpassword=password
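A way to see what the "ObjectIdentifier() -- data isn't an object ID (tag = -96)" line in the stack trace above is complaining about: walk the DER behind a `-----BEGIN PUBLIC KEY-----` value the way Java's X509Key.decode does and report the tag found where the algorithm OID belongs. This is an added example, not OpenAM or jwt-bearer-client code. Both PEM constants are constructed for the example: GOOD_PUBLIC_KEY_PEM is a minimal SubjectPublicKeyInfo carrying the rsaEncryption OID around placeholder key bytes (structurally valid, not a usable key), and CERT_SHAPED_PEM is a certificate-shaped SEQUENCE whose first inner element is the `[0] EXPLICIT version` tag 0xA0, which Java prints as the signed byte -96. The issue does not say what was actually stored in this profile; the second input is only one way to reproduce that exact message.

```python
"""Walk the DER inside a PEM PUBLIC KEY block and report the first element that
does not fit SubjectPublicKeyInfo, mirroring the JDK's X509Key.decode error.

Added example, not OpenAM code. Both PEM constants below are constructed."""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one tag/length/value triple (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(data: bytes, offset: int):
    """Return (tag, value, offset after the element) for the TLV at offset.
    Single-byte tags only, which covers everything in SubjectPublicKeyInfo."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour; tolerates the one-line form used in the client profile."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))


def diagnose_public_key_der(der: bytes) -> str:
    """Check SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
    with AlgorithmIdentifier ::= SEQUENCE { OBJECT IDENTIFIER, parameters }.
    Returns 'ok: ...' or a description of the first element that is out of place."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        return f"outer element is tag {tag:#04x}, expected SEQUENCE (0x30)"
    alg_tag, alg_body, after_alg = _read_tlv(body, 0)
    if alg_tag != 0x30:
        return f"AlgorithmIdentifier is tag {alg_tag:#04x}, expected SEQUENCE (0x30)"
    oid_tag, oid, _ = _read_tlv(alg_body, 0)
    if oid_tag != 0x06:
        # The JDK reports the tag as a signed byte, so 0xA0 shows up as -96.
        signed = oid_tag - 256 if oid_tag > 0x7F else oid_tag
        return (f"data isn't an object ID (tag = {signed}); found {oid_tag:#04x} "
                f"where the algorithm OID should be")
    bits_tag, _, _ = _read_tlv(body, after_alg)
    if bits_tag != 0x03:
        return f"expected BIT STRING after AlgorithmIdentifier, got tag {bits_tag:#04x}"
    if oid == RSA_ENCRYPTION_OID:
        return "ok: SubjectPublicKeyInfo with rsaEncryption"
    return f"ok: SubjectPublicKeyInfo with OID {oid.hex()}"


def diagnose_pem(pem: str) -> str:
    return diagnose_public_key_der(pem_to_der(pem))


def _to_pem(der: bytes, label: str) -> str:
    # One-line form, as the value appears in the OpenAM client profile above.
    return f"-----BEGIN {label}-----{base64.b64encode(der).decode()}-----END {label}-----"


# Constructed: AlgorithmIdentifier { rsaEncryption, NULL } + BIT STRING holding a
# tiny placeholder RSAPublicKey { n = 0x00c1, e = 65537 }. Structurally valid only.
_spki = _tlv(0x30,
             _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
             + _tlv(0x03, b"\x00" + _tlv(0x30, _tlv(0x02, b"\x00\xc1") + _tlv(0x02, b"\x01\x00\x01"))))
GOOD_PUBLIC_KEY_PEM = _to_pem(_spki, "PUBLIC KEY")

# Constructed: certificate-shaped SEQUENCE { SEQUENCE { [0] version, serial } } pasted
# between PUBLIC KEY headers. The OID walker meets tag 0xA0 where it wants 0x06.
_cert_shaped = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")))
CERT_SHAPED_PEM = _to_pem(_cert_shaped, "PUBLIC KEY")

if __name__ == "__main__":
    for name, pem in (("good SPKI", GOOD_PUBLIC_KEY_PEM), ("certificate-shaped", CERT_SHAPED_PEM)):
        print(f"{name}: {diagnose_pem(pem)}")
```

Pointing `diagnose_pem` at the real profile value (after filling in the elided base64) tells you in one line whether the stored blob is a SubjectPublicKeyInfo at all, which is the check OpenAM's `getClientJwtSigningHandler` is failing at in the trace above.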