Open c00crane opened 3 years ago
I have another related issue that I'm seeing.
I have my userinfo endpoint returning a JWE that uses different signing and encrypting algorithms than what is in the JWE that the token endpoint returns and what the RP config expects.
I see the following in the trace:
[8/20/21, 10:12:28:859 CDT] 0000003c id=00000000 .ibm.ws.security.openidconnect.clients.common.UserInfoHelper 3 Error extracting jwt claims from web response: CWWKS6056E: The [SignRS256EncryptRS256] JWT consumer encountered an error while extracting the JSON Web Signature (JWS) payload from the JSON Web Encryption (JWE) token. org.jose4j.lang.JoseException: javax.crypto.AEADBadTagException: Tag mismatch!
I don't see anything in the messages.log - we should probably record something there too.
I have my userinfo endpoint returning a JWS that uses a different signature algorithm than the JWS returned by my token endpoint. The runtime detects the problem, but the message that it issues is a bit misleading. It states:
CWWKS1761E: Validation failed for the ID token requested by the [client01] due to a mismatch of signing algorithms between the OpenID Connect client [RS256] and the OpenID Connect provider [HS256].
The ID Token isn't the problem. Can we update what message is returned? I'm not sure what other error conditions may result in misleading messages.