Closed sahilIT2020 closed 5 years ago
Issue appears because on ce-dev4, by default, keys were not re-generated by oxAuth (Mustafa corrected it already and it should be available in the next build). For now, as discussed in chat, please update your keystore file and persistence as described here: https://github.com/GluuFederation/support-docs/blob/master/troubleshooting/oxAuth/oxAuth_key_regeneration.md
I just followed the steps and am getting the same error on ce-dev4.
2019-07-30 23:04:52,524 INFO [qtp1749186397-20] [gluu.oxauth.register.ws.rs.RegisterRestWebServiceImpl] (RegisterRestWebServiceImpl.java:151) - Attempting to register client: applicationType = web, clientName = Dynamically Registered Client, redirectUris = [https://localhost/openid/javascript-sample/login-callback.html], isSecure = true, sectorIdentifierUri = , defaultAcrValues = []
2019-07-30 23:04:52,574 INFO [qtp1749186397-20] [gluu.oxauth.register.ws.rs.RegisterRestWebServiceImpl] (RegisterRestWebServiceImpl.java:256) - Client registered: clientId = 82723cc0-7dc0-4cef-9cad-972398f3a295, applicationType = web, clientName = Dynamically Registered Client, redirectUris = [https://localhost/openid/javascript-sample/login-callback.html], sectorIdentifierUri = null
2019-07-30 23:04:57,579 ERROR [qtp1749186397-12] [org.gluu.oxauth.model.common.AuthorizationGrant] (AuthorizationGrant.java:266) - Supplied key (null) is not a RSAPrivateKey instance
java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance
at org.bouncycastle.jcajce.provider.asymmetric.rsa.DigestSignatureSpi.engineInitSign(Unknown Source) ~[bcprov-jdk15on-1.54.jar:1.54.0]
at java.security.Signature$Delegate.engineInitSign(Signature.java:1177) ~[?:1.8.0_221]
at java.security.Signature.initSign(Signature.java:530) ~[?:1.8.0_221]
at org.gluu.oxauth.model.crypto.OxAuthCryptoProvider.sign(OxAuthCryptoProvider.java:217) ~[oxauth-model-4.0.b1.jar:?]
at org.gluu.oxauth.model.crypto.AbstractCryptoProvider$Proxy$_$$_WeldClientProxy.sign(Unknown Source) ~[oxauth-model-4.0.b1.jar:?]
I've detected the problem: the following command produced JSON that doesn't match the JKS.
/opt/jre/bin/java -Dlog4j.defaultInitOverride=true -cp "/home/jetty/lib/*" org.gluu.oxauth.util.KeyGenerator -keystore oxauth-keys.jks -keypasswd KHw8a8rFD6pG -sig_keys RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 RSA1_5 RSA-OAEP -enc_keys RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 RSA1_5 RSA-OAEP -dnname "CN=oxAuth CA Certificates" -expiration 365 > oxauth-keys.json
Fixed in beta2.
I am getting this error in Beta2; do I need to generate the keys again?
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
2019-08-14 02:11:58,852 ERROR [qtp105704967-80580] [org.gluu.oxauth.model.crypto.OxAuthCryptoProvider] (OxAuthCryptoProvider.java:211) - Failed to find private key by kid: 3d781b5f-1f63-4ecb-8d45-94bbd719418e_sig_rs256, signatureAlgorithm: RS256(check whether web keys JSON in persistence corresponds to keystore file.)
2019-08-14 02:11:58,853 ERROR [qtp105704967-80580] [org.gluu.oxauth.model.common.AuthorizationGrant] (AuthorizationGrant.java:266) - Failed to find private key by kid: 3d781b5f-1f63-4ecb-8d45-94bbd719418e_sig_rs256, signatureAlgorithm: RS256(check whether web keys JSON in persistence corresponds to keystore file.)
java.lang.RuntimeException: Failed to find private key by kid: 3d781b5f-1f63-4ecb-8d45-94bbd719418e_sig_rs256, signatureAlgorithm: RS256(check whether web keys JSON in persistence corresponds to keystore file.)
at org.gluu.oxauth.model.crypto.OxAuthCryptoProvider.sign(OxAuthCryptoProvider.java:212) ~[oxauth-model-4.0.b2.jar:?]
at org.gluu.oxauth.model.crypto.AbstractCryptoProvider$Proxy$_$$_WeldClientProxy.sign(Unknown Source) ~[oxauth-model-4.0.b2.jar:?]
at org.gluu.oxauth.model.token.JwtSigner.sign(JwtSigner.java:86) ~[classes/:?]
@sahiliamsso I suspect we have something wrong in the setup. Would you be so kind as to re-generate the keys as shown in the message below? If everything works, then it's something with the setup and we should ask @mbaser to help us.
The problem was that, during deletion, the identification for enc use drops sig use. The fixed version is in Maven already. Can you give it a try?
1. cd /etc/certs
2. wget https://ox.gluu.org/maven/org/gluu/oxauth-client/4.0.0-SNAPSHOT/oxauth-client-4.0.0-SNAPSHOT-jar-with-dependencies.jar
3. /opt/jre/bin/java -Dlog4j.defaultInitOverride=true -cp oxauth-client-4.0.0-SNAPSHOT-jar-with-dependencies.jar org.gluu.oxauth.util.KeyGenerator -keystore oxauth-keys.jks -keypasswd KHw8a8rFD6pG -sig_keys RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 RSA1_5 RSA-OAEP -enc_keys RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 RSA1_5 RSA-OAEP -dnname "CN=oxAuth CA Certificates" -expiration 365 > oxauth-keys.json
4. update oxAuthConfWebKeys
5. restart oxauth and try whether your scenario works
@sahiliamsso if re-generation does not help, then give me your:
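The error in the logs above tells the operator to "check whether web keys JSON in persistence corresponds to keystore file", and the thread shows two ways that correspondence breaks: a JSON that was generated against a different JKS, and a JSON that lost its sig keys when enc keys were deleted. The script below is an added example (not Gluu project code) of that check, run before step 5 of the procedure. It assumes, as the kid in the log lines suggests, that the JKS alias of each private key is exactly the kid published in oxauth-keys.json, and that each kid ends in `_<use>_<alg lowercase>`; it reads the JSON and the text output of `keytool -list` so it works offline. The sample JSON and keytool output embedded in it are constructed for illustration.

```python
"""Cross-check oxauth-keys.json against the aliases in oxauth-keys.jks.

Added example, not Gluu project code. Assumptions (not confirmed by the
thread): the JKS alias of a private key equals the kid advertised in the
web-keys JSON, and each kid ends in "_<use>_<alg lowercase>" as in
"..._sig_rs256". The keystore side is taken from the text printed by
`keytool -list -keystore oxauth-keys.jks -storepass <pw>`, so no Java is
needed to run the check.
"""
import json
import re
import sys
from typing import Dict, List

# Entry lines from `keytool -list` look like:
#   <alias>, Aug 14, 2019, PrivateKeyEntry,
ALIAS_RE = re.compile(r"^(?P<alias>[^,]+),.*\bPrivateKeyEntry\b")

# Constructed sample: a JWKS as KeyGenerator would emit it (public members
# such as n/e/x5c omitted, they are not needed for this check).
SAMPLE_WEB_KEYS_JSON = json.dumps({"keys": [
    {"kid": "3d781b5f-1f63-4ecb-8d45-94bbd719418e_sig_rs256",
     "use": "sig", "alg": "RS256", "kty": "RSA"},
    {"kid": "0a1b2c3d-0000-4000-8000-000000000001_enc_rsa-oaep",
     "use": "enc", "alg": "RSA-OAEP", "kty": "RSA"},
    # Constructed defect: suffix says es256 but the entry claims RS256.
    {"kid": "0a1b2c3d-0000-4000-8000-000000000002_sig_es256",
     "use": "sig", "alg": "RS256", "kty": "RSA"},
]})

# Constructed sample of `keytool -list` output for a keystore that was
# generated separately from the JSON above.
SAMPLE_KEYTOOL_LIST = """Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

3d781b5f-1f63-4ecb-8d45-94bbd719418e_sig_rs256, Aug 14, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
0a1b2c3d-0000-4000-8000-000000000002_sig_es256, Aug 14, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55
0a1b2c3d-0000-4000-8000-000000000003_sig_ps256, Aug 14, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66
"""


def keystore_aliases(keytool_list_output: str) -> List[str]:
    """Aliases of PrivateKeyEntry rows in `keytool -list` output, in order."""
    aliases = []
    for line in keytool_list_output.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            aliases.append(m.group("alias").strip())
    return aliases


def jwks_kids(web_keys_json: str) -> Dict[str, dict]:
    """Map kid -> key object for every entry in the JSON "keys" array."""
    doc = json.loads(web_keys_json)
    return {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}


def check_web_keys(web_keys_json: str, keytool_list_output: str) -> Dict[str, List[str]]:
    """Return the mismatches that lead to 'Failed to find private key by kid'.

    missing_in_keystore: kids oxAuth will try to sign with but cannot load
    missing_in_json:     private keys present in the JKS but never advertised
    kid_metadata:        kids whose _use_alg suffix disagrees with use/alg
    """
    kids = jwks_kids(web_keys_json)
    aliases = set(keystore_aliases(keytool_list_output))
    report = {
        "missing_in_keystore": sorted(k for k in kids if k not in aliases),
        "missing_in_json": sorted(a for a in aliases if a not in kids),
        "kid_metadata": [],
    }
    for kid, key in kids.items():
        suffix = f"_{key.get('use')}_{str(key.get('alg', '')).lower()}"
        if not kid.endswith(suffix):  # assumed kid layout, see module docstring
            report["kid_metadata"].append(kid)
    return report


def uses_missing_entirely(web_keys_json: str) -> List[str]:
    """Which of sig/enc have no key at all (the symptom of the drop-sig bug)."""
    present = {k.get("use") for k in jwks_kids(web_keys_json).values()}
    return [u for u in ("sig", "enc") if u not in present]


if __name__ == "__main__":
    # Usage: python check_web_keys.py oxauth-keys.json keytool-list.txt
    # Without arguments the constructed sample above is checked instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            web_keys, listing = f.read(), g.read()
    else:
        web_keys, listing = SAMPLE_WEB_KEYS_JSON, SAMPLE_KEYTOOL_LIST
    result = check_web_keys(web_keys, listing)
    result["uses_missing_entirely"] = uses_missing_entirely(web_keys)
    print(json.dumps(result, indent=2))
    sys.exit(1 if any(result.values()) else 0)
```

A non-empty `missing_in_keystore` list is exactly the condition behind the `Failed to find private key by kid` error: the JSON in persistence advertises a kid whose private key is not in the JKS oxAuth loads, so regenerating one file without re-importing the other, or editing the JSON by hand, will reproduce it. Run the check against the real files after step 4 and only restart once it exits 0.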
Describe the issue
response_type=token+id_token returns blank page and "Supplied key (null) is not a RSAPrivateKey instance" error in oxauth logs
Steps To Reproduce
Register an OpenID client to use token and id_token, and access the URL https://{host}/oxauth/restv1/authorize?scope=openid+profile+email&response_type=token+id_token&session_id=5e8a568f-6be1-4e84-96f6-3d9f69d2ed71&redirect_uri=https%3A%2F%2Flocalhost%2Fopenid%2Fjavascript-sample%2Flogin-callback.html&state=1ua27zh&nonce=1brf5ah&client_id={client_id}
Expected behavior
User should be redirected to the redirect_url
Actual behavior
Blank page appears
oxAuth logs