SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

401: Validator that caused the failed validation: com.sap.cloud.security.token.validation.validators.XsuaaJwtSignatureValidator #1454

Closed codepari closed 8 months ago

codepari commented 9 months ago

We are migrating our apps from spring-xsuaa to spring-security by following the guides published here:

Spring Security guide: https://github.com/SAP/cloud-security-services-integration-library/tree/main/spring-security

Migration guide: https://github.com/SAP/cloud-security-services-integration-library/blob/main/spring-security/Migration_SpringXsuaaProjects.md

Feature branch: https://github.tools.sap/LBN/lbn-freightOrdersForSettlement/tree/Spring3Java17_V2/lbn-freightOrdersForSettlement-service

2024-02-09 09:16:57,691 WARN  [http-nio-8086-exec-7] - [com.sap.cloud.security.token.validation.ValidationResults] [] - Signature of Jwt Token is not valid: the identity provided by the JSON Web Token Key can not be trusted (Signature: nPvLTCww8MDwn5wFoCEwC264tMyMzbnsPO8o8AvOmzXbRxRj75AUkQpzI2a6wzZHgqpyvCmEnzfdQYZDRVYBylwqEX5sX0AaCB4vDPpWWliKlyeyCaIx401R00VuNyqegp_UWfImY4NJDVhKVCOPr2ZuAa8ZxGz1rKbizkEaIsEdxEFHNTdq7NTNUAxLh6tR_g5wDn_NNozeIvtB_BTX_P83sZABw3TD6h26pG52KnYgwzqsUUxH8ycSpkaC0MSKb0gSKKXNSmrGesGjNciaTNYy5to-C6r8j9KWsmr3xvYtlR0XvMLpiOMaMh0JrngoDu-PbrBW2pwEIWNquRyHWQ).
2024-02-09 09:16:57,691 DEBUG [http-nio-8086-exec-7] - [com.sap.cloud.security.token.validation.CombiningValidator] [] - Validator that caused the failed validation: com.sap.cloud.security.token.validation.validators.XsuaaJwtSignatureValidator
2024-02-09 09:16:57,691 DEBUG [http-nio-8086-exec-7] - [com.sap.cloud.security.token.validation.CombiningValidator] [] - Object of type com.sap.cloud.security.token.XsuaaToken that caused the failed validation: 
Jwt header
    {"alg":"RS256","jku":"https://lbn-e2e-carrier01.authentication.sap.hana.ondemand.com/token_keys","kid":"key-id-1","typ":"JWT","jid": "LMXa0ZyqMstuE0fgC0toT0IPlPy9HyBvoLXc84CiTcs="}

=========== We got a lead: the issue was occurring due to the size of the JWT token.

JwtSignatureValidator => Base64.getUrlDecoder().decode(signature)

sun.security.jca.JCAUtil.RSAPadding => BadPaddingException was coming. Please let us know how to resolve this?

finkmanAtSap commented 9 months ago

Hi, how did you get to this lead? Did you see this error message in your logs?

I assume if Base64.getUrlDecoder().decode(signature) throws a BadPaddingException, this would be the case.

Did you try to validate the signature of the token in a different tool, e.g. https://jwt.io/? How did you get this token? Is it a real XSUAA token issued when logging in? Do you see this message when you enable debug logging for our library?
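A stand-alone diagnostic for the failure above, added here as an example and not code from the library or from either commenter: it walks an RS256 token through the same stages a signature validator goes through and reports the first one that fails, so a token signed with a different key (the stage where the JDK's RSAPadding raises BadPaddingException) is told apart from a truncated or mis-encoded signature. It assumes `jwk` is the entry of the `token_keys` document at the header's `jku` whose `kid` matches the header; the key and token in the test are constructed.

```python
import base64
import binascii
import hashlib
import json

# DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; Python's decoder insists on it."""
    return base64.urlsafe_b64decode(segment + "=" * ((-len(segment)) % 4))


def jwk_rsa_public_numbers(jwk: dict) -> tuple:
    """Return (n, e) from one RSA JWK, e.g. one entry of an XSUAA token_keys document."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return n, e


def diagnose_rs256(token: str, jwk: dict) -> dict:
    """Verify an RS256 JWT against one JWK step by step and report the first step that fails."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "step": "format", "detail": f"expected 3 segments, got {len(parts)}"}
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":
        return {"ok": False, "step": "alg", "detail": f"alg is {header.get('alg')!r}, not RS256"}
    try:
        sig = b64url_decode(sig_b64)  # same operation as Base64.getUrlDecoder().decode(signature)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "step": "base64url", "detail": str(exc)}
    n, e = jwk_rsa_public_numbers(jwk)
    k = (n.bit_length() + 7) // 8  # modulus length in bytes; an RS256 signature must be exactly this long
    if len(sig) != k:
        return {"ok": False, "step": "length", "detail": f"signature is {len(sig)} bytes, modulus is {k} bytes"}
    # Apply the public exponent: the result must be a PKCS#1 v1.5 type-1 block, 00 01 FF..FF 00 DigestInfo.
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGEST_INFO + hashlib.sha256(f"{header_b64}.{payload_b64}".encode()).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    if em[:2] != b"\x00\x01":
        # A signature made with another key decrypts to noise; this is where the JDK raises BadPaddingException.
        return {"ok": False, "step": "padding", "detail": "not a PKCS#1 v1.5 block; token was likely signed by another key"}
    if em != expected:
        return {"ok": False, "step": "digest", "detail": "padding intact but digest differs; header or payload changed"}
    return {"ok": True, "step": "verified", "kid": header.get("kid"), "jku": header.get("jku")}
```

Run it with the raw token from the request and the matching JWK; a `padding` result means the `jku`/`kid` key is not the one that signed the token, while `length` or `base64url` means the signature segment itself was damaged in transit.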

finkmanAtSap commented 8 months ago

Closing this as the GitHub Issue section is no longer maintained.