OpenIdentityPlatform / OpenAM

OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
https://www.openidentityplatform.org/openam

OAuth2 JWT Bearer Client Profile Flow fails with SHA256withRSA #731

Closed dairoca90 closed 5 months ago

dairoca90 commented 5 months ago

Describe the bug: I'm trying to implement the OAuth2 JWT Bearer Profile, but it fails when I try to get the access token. I tried switching between Java 8 and 11, but the result is the same; both of them also have the algorithm SHA256withRSA, so I don't know if I'm missing something.

To Reproduce Steps to reproduce the behavior:

  1. follow sample https://github.com/ForgeRock/jwt-bearer-client/tree/master

Expected behavior Get Access Token

Additional context:

OAuth2Provider:03/21/2024 03:49:17:894 p.m. GMT-06:00: Thread[http-nio-18080-exec-4,5,main]: TransactionId[a08e3dd1-7a13-4b1b-b246-a0c4554474a3-6383] WARNING: Unhandled exception: org.restlet.resource.ResourceException: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
org.restlet.resource.ResourceException: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:527)
    at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:606)
    at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:662)
    at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
    at org.restlet.resource.ServerResource.handle(ServerResource.java:1020)
    at org.restlet.resource.Finder.handle(Finder.java:236)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Router.doHandle(Router.java:422)
    at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:100)
    at org.restlet.routing.Router.handle(Router.java:641)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
    at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:77)
    at org.restlet.Application.handle(Application.java:385)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Router.doHandle(Router.java:422)
    at org.restlet.routing.Router.handle(Router.java:641)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Router.doHandle(Router.java:422)
    at org.restlet.routing.Router.handle(Router.java:641)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
    at org.restlet.Component.handle(Component.java:408)
    at org.restlet.Server.handle(Server.java:507)
    at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
    at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
    at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
    at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:130)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.forgerock.openam.cors.CORSFilter.doFilter(CORSFilter.java:65)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:86)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:359)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.forgerock.json.jose.exceptions.JwsSigningException: Unsupported Signing Algorithm, SHA256withRSA
    at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:81)
    at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.verify(HmacSigningHandler.java:104)
    at org.forgerock.json.jose.jws.SignedJwt.verify(SignedJwt.java:182)
    at org.forgerock.jaspi.modules.openid.resolvers.SharedSecretOpenIdResolverImpl.verifySignature(SharedSecretOpenIdResolverImpl.java:75)
    at org.forgerock.jaspi.modules.openid.resolvers.SharedSecretOpenIdResolverImpl.validateIdentity(SharedSecretOpenIdResolverImpl.java:65)
    at org.forgerock.openam.oauth2.OpenAMClientRegistration.verifyJwtBySharedSecret(OpenAMClientRegistration.java:676)
    at org.forgerock.openam.oauth2.OpenAMClientRegistration.verifyJwtIdentity(OpenAMClientRegistration.java:650)
    at org.forgerock.openam.oauth2.ClientCredentialsReader.verifyJwtBearer(ClientCredentialsReader.java:135)
    at org.forgerock.openam.oauth2.ClientCredentialsReader.extractCredentials(ClientCredentialsReader.java:79)
    at org.forgerock.oauth2.core.ClientAuthenticator.authenticate(ClientAuthenticator.java:100)
    at org.forgerock.oauth2.core.GrantTypeHandler.handle(GrantTypeHandler.java:81)
    at org.forgerock.oauth2.core.AccessTokenService.requestAccessToken(AccessTokenService.java:116)
    at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:87)
    at jdk.internal.reflect.GeneratedMethodAccessor110.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:508)
    ... 82 more
Caused by: java.security.NoSuchAlgorithmException: Algorithm SHA256withRSA not available
    at java.base/javax.crypto.Mac.getInstance(Mac.java:191)
    at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:76)
    ... 98 more

maximthomas commented 5 months ago
Hi @dairoca90. Please make sure your OAuth 2.0/OpenID Connect client settings are:

Token Endpoint Authentication Method: private_key_jwt
Client JWT Bearer Public Key: <a key from the example>
ID Token Signing Algorithm: RS256
Public key selector: X509

and test the solution again.
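Two things are visible in the trace above: OpenAM authenticated the client on its shared-secret path (OpenAMClientRegistration.verifyJwtBySharedSecret, then HmacSigningHandler), and the signing algorithm that reached the verifier was "SHA256withRSA", the JCA signature name, rather than the JOSE identifier "RS256", so javax.crypto.Mac.getInstance failed. The settings in the reply move the client onto the private_key_jwt path, where the registered public key and RS256 are used instead. The Go program below is an added illustration, not OpenAM's code and not the ForgeRock sample's: it builds an RFC 7523 client assertion for private_key_jwt and then performs the check a token endpoint does for a client registered that way, choosing the verifier from the client registration (the RSA public key) rather than from the token's own header, requiring the header alg to be exactly RS256, verifying the signature, and only then checking iss, sub, aud and exp. clientID and tokenEndpoint are placeholder assumptions, and the key pair is generated on the fly; a real client would load the private key whose certificate was registered as the Client JWT Bearer Public Key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Placeholder identifiers for this example (assumed, not taken from the issue).
const (
	clientID      = "jwt-bearer-client"
	tokenEndpoint = "http://openam.example.com:18080/openam/oauth2/access_token"
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildAssertion creates an RFC 7523 client assertion (iss and sub are the client_id,
// aud is the token endpoint) signed with RSASSA-PKCS1-v1_5 over SHA-256. alg is written
// into the JOSE header verbatim so the caller can see what happens when the JCA name
// "SHA256withRSA" is used instead of the JOSE identifier "RS256".
func buildAssertion(key *rsa.PrivateKey, alg string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
		"jti": fmt.Sprintf("%d", now.UnixNano()), // one-time-use identifier
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// verifyAssertion is the token-endpoint side for a client registered with
// token_endpoint_auth_method=private_key_jwt: the verifier comes from the client's
// registration (its RSA public key), never from the token's alg header, and only the
// JOSE identifier "RS256" is accepted. aud is handled as a single string here.
func verifyAssertion(pub *rsa.PublicKey, assertion string, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed compact JWS")
	}
	rawHeader, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawClaims, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return fmt.Errorf("JWS parts are not base64url")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return err
	}
	if header.Alg != "RS256" {
		return fmt.Errorf("unsupported signing algorithm %q, client is registered for RS256", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not verify with the registered key: %w", err)
	}
	var claims struct {
		Iss string `json:"iss"`
		Sub string `json:"sub"`
		Aud string `json:"aud"`
		Exp int64  `json:"exp"`
	}
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return err
	}
	if claims.Iss != clientID || claims.Sub != clientID {
		return fmt.Errorf("iss/sub %q do not name the authenticating client", claims.Iss)
	}
	if claims.Aud != tokenEndpoint {
		return fmt.Errorf("aud %q is not this token endpoint", claims.Aud)
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return fmt.Errorf("assertion expired")
	}
	return nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	good, _ := buildAssertion(key, "RS256", now)
	fmt.Println("alg=RS256:        ", verifyAssertion(&key.PublicKey, good, now))
	bad, _ := buildAssertion(key, "SHA256withRSA", now)
	fmt.Println("alg=SHA256withRSA:", verifyAssertion(&key.PublicKey, bad, now))
}
```

The first assertion passes and the second is rejected before any signature arithmetic runs, purely on the header value. The point for the client side is that the JWT `alg` field takes the JOSE name (RS256), while the JCA name (SHA256withRSA) is only what you hand to `java.security.Signature` when producing the signature; for the server side, the verifier is selected by how the client is registered, which is why the token endpoint authentication method in the reply has to be private_key_jwt before an RSA-signed assertion can succeed.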