Closed priawadi closed 5 years ago
If you analyze the raw token, for example on the website https://jwt.io/, you'll find that the signature is invalid. So either it was signed invalidly already, or the signature is broken somewhere along the way to the Liferay server (cannot fathom how). I'd suggest debugging the JWT generation part on the Identity Provider side to verify that signatures are generated correctly there.
On Mon, 18 Feb 2019 at 05:37, Ozi Priawadi notifications@github.com wrote:
Hi, I'm using Liferay Portal 6.2 CE GA1 and have already followed all the documentation, but after successfully logging in with OpenID it still shows the Liferay login page and displays the error below:
WARN [http-bio-443-exec-2][Liferay62Adapter:46] The token was not valid: -- JWT -- Raw String: eyJhbGciOiJSUzI1NiIsIng1dCI6IlJidlZKWDB0aEZ6TmxucHF4MUpZa2dFeEZMQSIsImtpZCI6IlJidlZKWDB0aEZ6TmxucHF4MUpZa2dFeEZMQSIsInR5cCI6IkpXVCJ9.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.0n5As9fgGhrUtmdyzHFAZga6yt9U9IMxo0iVi3hCoBacgb9DH-WI-F8Rx23EOIBTqb3XPs6NB2599aYQHOLqEiRaKdTTRToHMmP9Ktd_k-lQt8lG25mBNVJakt33MflvdlI27PQtrjq4ZdMeoEtndxnoe9e0z3Kx_AhgtyWryCeWaI4p-Yj9WoPTdZVwD8XzANH4SefgnQvVbNgE5ZnhTcHKwX4LqoQu1L22HR9skzZSR7y_GS6U-UQ_7D0zirsF1WmBRHQAhNgor8AYKqLxfcm4U8H2319YVM0eWiFfSrqKvoekGakH5R-euYgW9c8l-NMhIYXQbG2Hr-jzfswLWQ Header: {"typ": "JWT", "alg": "RS256", "cty": "null" , "x5t": "RbvVJX0thFzNlnpqx1JYkgExFLA", "kid": "RbvVJX0thFzNlnpqx1JYkgExFLA"} Claims Set: {"iss": "https://secureauth01.lemdiklat.polri.go.id/SecureAuth9/", "sub": "adminliferay", "aud": ["81da6cb11c6545108fbf51ab69263692"], "exp": 1550464617, "nbf": "1550461017", "iat": 1550461017, "jti": "cf6a3cb5b13e43389533b2e2be2506e8", "typ": "null" } Signature: 0n5As9fgGhrUtmdyzHFAZga6yt9U9IMxo0iVi3hCoBacgb9DH-WI-F8Rx23EOIBTqb3XPs6NB2599aYQHOLqEiRaKdTTRToHMmP9Ktd_k-lQt8lG25mBNVJakt33MflvdlI27PQtrjq4ZdMeoEtndxnoe9e0z3Kx_AhgtyWryCeWaI4p-Yj9WoPTdZVwD8XzANH4SefgnQvVbNgE5ZnhTcHKwX4LqoQu1L22HR9skzZSR7y_GS6U-UQ_7D0zirsF1WmBRHQAhNgor8AYKqLxfcm4U8H2319YVM0eWiFfSrqKvoekGakH5R-euYgW9c8l-NMhIYXQbG2Hr-jzfswLWQ
Any solutions?
Thanks in advance. PWZ
(Issue: https://github.com/finalist/liferay-oidc-plugin/issues/39)
Is it because the signing cert being used on SecureAuth (Identity Provider) is different from what is being used on Liferay, or what? Our Identity Provider uses RSA SHA256 as the signing algorithm. Anyway, where is the right location for the signing cert defined on Liferay? I wonder if it's because Liferay doesn't support that kind of signing algorithm.
I am also getting this issue. I'm running 6.2 CE GA6. My OpenID Connect provider is Keycloak.
My properties are
openidconnect.enableOpenIDConnect=true
openidconnect.token-location=https://
So I'm guessing that the issuer property is where things go wrong
For the issuer property, I use a Keycloak endpoint: Certificate Endpoint /realms/{realm-name}/protocol/openid-connect/certs. The certificate endpoint returns the public keys enabled by the realm, encoded as a JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled for verifying tokens. For more information see the Server Administration Guide and the JSON Web Key specification.
Is the fact that I have 3 different public keys a problem? AES, HS256 and RS256.
A Keycloak resource gave me an issuer property to use: openidconnect.issuer=https://-mykcserverand port-/auth/realms/CMFIRST. My instance is fixed.
The Issuer identifier (iss in the access token) is only an identifier; it has no value in terms of certificates, keys, or signatures. See https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier and all other mentions of Issuer in this spec.
The validity of the JWT is NOT related to anything on the Liferay side: purely standalone, the JWT should be valid, and there is no out-of-band certificate/key exchange between Liferay and the Identity Provider. This is not specific to this implementation, but inherited from the OpenID Connect specification: all messages are self-contained plain text, transported over HTTPS for encryption.
@priawadi like I stated in the above comment, there is no signing/validation configuration on the Liferay side of things: the JWT is self-contained and should be valid on its own, regardless of Liferay configuration. In the end, the signature is validated on the Liferay side, according to the spec https://openid.net/specs/openid-connect-core-1_0.html#JWS , but there is no configuration dependency: if your Identity Provider's signature configuration is following this JWS spec, there should be no problem.
Closed.
Registering a certified certificate on the SecureAuth server solved this issue.