Closed aonsystematic closed 2 years ago
nigtrifork
commented
2 years ago Hi @aonsystematic
This is a request for an additional client for the test environment, correct?
We are experiencing some issues with our deployment pipeline, but we will add this as soon as possible.
aonsystematic
commented
2 years ago yes this is so that Aalborg can test by themselves on one of their test environments. The previous one I've uploaded was for testing during development
nigtrifork
commented
2 years ago Sure, the client_id will be cura_aalborg_udd
I will let you know when it is available
nigtrifork
commented
2 years ago Client is now available on the test environment
aonsystematic
commented
2 years ago when using this, we get an error code 400, with response {"error":"invalid_client","error_description":"Unable to load public key"} from the gateway keycloak, can you double check that it has been added to the environment and that there is no typo in the client id
nigtrifork
commented
2 years ago @aonsystematic this is most likely caused by giving an invalid kid in the client JWT, when I calculate the kid for this public key I get -s-eGKNvqGfBPC8IoymCksjt5Sak1M-Sd-pl8dM9ptQ
aonsystematic
commented
2 years ago I just verified the request body, and the kid is the same as the one you have posted, so that is not the issue. The request was sent on 14:00:05 on friday 20/5. Perhaps you have logging that is more descriptive?
EDIT: turns out there were some mix and matching, with client_ids, which I just found. However we know get an even less descriptive error: {"error":"unknown_error"} with code 500 from a request at 10:02:04 today
nigtrifork
commented
2 years ago @aonsystematic I see The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms. in the logs. This most likely has something to do with the Assertion from Kombit
aonsystematic
commented
2 years ago so is that an issue with our service agreement? It still works when we use our other client.
nigtrifork
commented
2 years ago That's hard to say. You can compare your assertion to this assertion (signature redacted), to see if something seems off:
<?xml version="1.0" encoding="UTF-8"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7df071e6-b49f-4a9f-a0a3-921cb90eec5e"
IssueInstant="2022-05-23T08:06:15.361Z" Version="2.0">
<Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://saml.adgangsstyring.eksterntest-stoettesystemerne.dk
</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_7df071e6-b49f-4a9f-a0a3-921cb90eec5e">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>PlAQFv5vFM/F07diWiGGr1OgJB/G2iaHYj3R8B1Xsgs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
REDACTED
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIGHTCCBQWgAwIBAgIEXgiTCTANBgkqhkiG9w0BAQsFADBAMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MR0wGwYDVQQDDBRUUlVTVDI0MDggT0NFUyBDQSBJVjAeFw0yMTA2MDgwNzA3MDNaFw0yNDA2MDgwNzA2MzVaMIGQMQswCQYDVQQGEwJESzEjMCEGA1UECgwaS09NQklUIEEvUyAvLyBDVlI6MTk0MzUwNzUxXDAgBgNVBAUTGUNWUjoxOTQzNTA3NS1GSUQ6NjA0OTI3ODgwOAYDVQQDDDF0ZXN0LWVrc3Rlcm4tYWRnYW5nc3N0eXJpbmcgKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnEbT2230TEC+ZnAgOWwAaBtoSjOszdaMBxcl1WCCfv8Rc5NFMp1FT68rexN9/k1GcTNWREPLSjEh9RUtQ5QHrEDUYDv3g/lL2YSKaVuY7YiqMn+Ei81tgKWO9N5P1UNdeLW0+5DjNSO++CC33B0AElXXVI9YhQFnSR6qTZsYPQnsD/J6FA41RMyizfk5MFmFurYn06nw9CkW3CtY5T3+FU4q55gIOiwSGplHm5emeFEyxMkXtQBaoRXpgOeSqJJ1r2GYkK3gk/1DGk/s2CKc1wPlhhU9vJOV0cNyyJ/wvUscWjjrgT5UgLX2OK3lZUiQ72W7DMgExOcKTxbvKjP+YwIDAQABo4ICzDCCAsgwDgYDVR0PAQH/BAQDAgO4MIGJBggrBgEFBQcBAQR9MHswNQYIKwYBBQUHMAGGKWh0dHA6Ly9vY3NwLmljYTA0LnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEIGCCsGAQUFBzAChjZodHRwOi8vZi5haWEuaWNhMDQudHJ1c3QyNDA4LmNvbS9vY2VzLWlzc3VpbmcwNC1jYS5jZXIwggFDBgNVHSAEggE6MIIBNjCCATIGCiqBUIEpAQEBBAMwggEiMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LnRydXN0MjQwOC5jb20vcmVwb3NpdG9yeTCB7gYIKwYBBQUHAgIwgeEwEBYJVFJVU1QyNDA4MAMCAQEagcxGb3IgYW52ZW5kZWxzZSBhZiBjZXJ0aWZpa2F0ZXQgZ+ZsZGVyIE9DRVMgdmlsa+VyLCBDUFMgb2cgT0NFUyBDUCwgZGVyIGthbiBoZW50ZXMgZnJhIHd3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkuIEJlbeZyaywgYXQgVFJVU1QyNDA4IGVmdGVyIHZpbGvlcmVuZSBoYXIgZXQgYmVncuZuc2V0IGFuc3ZhciBpZnQuIHByb2Zlc3Npb25lbGxlIHBhcnRlci4wgZcGA1UdHwSBjzCBjDAuoCygKoYoaHR0cDovL2NybC5pY2EwNC50cnVzdDI0MDguY29tL2ljYTA0LmNybDBaoFigVqRUMFIxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxHTAbBgNVBAMMFFRSVVNUMjQwOCBPQ0VTIENBIElWMRAwDgYDVQQDDAdDUkwzMDgzMB8GA1UdIwQYMBaAFFy7dWIWMpmqNqC4mvtvpwxf8ArVMB0GA1UdDgQWBBR2bXVUcWt5i4zO9J9kpBrq5fJufDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBQ015R55ZZ+83w+eR/CNfZx9ykOKHqf70bOpM9yu7UxG2teAAE+4xA8Zt/F/SPbtLbxAZLkSBevmX4oVVYtNn6C0HrS8V/Gt65rS7VxEI/vBttD0EOOvwxJPW61wM4f5EXY84XZPzL9UY3ErjhDvz3W6trxYNp5wS1V4x85SI8WCesNXjryMHphPakK252IOTXvuybGNjyVwQL3DGI9i/DcOxzIPi0CaBlBEVUTvggR9E7v4P/YpxvQyrerqtEfy8PIJ/a2lysCyoMeeg0TTq5A51BK25SlWzo0muyJ7tbKuRLkPfGtuSq8uGfBBVyouNl4/nH0QDoU9mHDP17gSZZ
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
SERIALNUMBER=CVR:20921897-FID:16356883 + CN=klg_demo_anvendersystem (funktionscertifikat), O=TRIFORK A/S //
CVR:20921897, C=DK
</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<SubjectConfirmationData xmlns:a="http://www.w3.org/2001/XMLSchema-instance"
NotBefore="2022-05-23T08:06:15.361Z" NotOnOrAfter="2022-05-23T16:06:15.361Z"
Recipient="http://ehealth.sundhed.dk/service/CareGateway/1"
a:type="KeyInfoConfirmationDataType">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>
MIIGJDCCBQygAwIBAgIEX6FtNzANBgkqhkiG9w0BAQsFADBJMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSYwJAYDVQQDDB1UUlVTVDI0MDggU3lzdGVtdGVzdCBYWFhJViBDQTAeFw0yMjAxMTgxMTMzMjhaFw0yNTAxMTgxMTMyNDNaMIGNMQswCQYDVQQGEwJESzEkMCIGA1UECgwbVFJJRk9SSyBBL1MgLy8gQ1ZSOjIwOTIxODk3MVgwIAYDVQQFExlDVlI6MjA5MjE4OTctRklEOjE2MzU2ODgzMDQGA1UEAwwta2xnX2RlbW9fYW52ZW5kZXJzeXN0ZW0gKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApigrkAudmmzfafoDlkWLgVVKykxJqVYnPSB0XyezfszKc6fEi8n3W0pYBj+jCeOiUDPAnw8B/IUvUNlL0WYxOlNKmyoQyDpMllibNNQJXwziG8EsyaCmrmaqgZEM8ai6NbPgKyJZ7w45oN4s25ud53ByR0P3caihr6I7O4kNd8H7ndnJaBSQ4xY1Pgq6zzrgLc0FpSKwCbpTGUic2R346vpfeu0MhnpNbCATvxlcxui/zsnS2MymcccPNgze/J3oKXBmlRYsquYhrxAz1AM6e/FmDiHWbCXj1T3XFZ5HlNjM3X1IEGv59pDrjw1XrjCRQpM0S+3ybP5dBzVbdLbCWwIDAQABo4ICzTCCAskwDgYDVR0PAQH/BAQDAgO4MIGXBggrBgEFBQcBAQSBijCBhzA8BggrBgEFBQcwAYYwaHR0cDovL29jc3Auc3lzdGVtdGVzdDM0LnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEcGCCsGAQUFBzAChjtodHRwOi8vZi5haWEuc3lzdGVtdGVzdDM0LnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDM0LWNhLmNlcjCCASAGA1UdIASCARcwggETMIIBDwYNKwYBBAGB9FECBAYEAzCB/TAvBggrBgEFBQcCARYjaHR0cDovL3d3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkwgckGCCsGAQUFBwICMIG8MAwWBURhbklEMAMCAQEagatEYW5JRCB0ZXN0IGNlcnRpZmlrYXRlciBmcmEgZGVubmUgQ0EgdWRzdGVkZXMgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMy4gRGFuSUQgdGVzdCBjZXJ0aWZpY2F0ZXMgZnJvbSB0aGlzIENBIGFyZSBpc3N1ZWQgdW5kZXIgT0lEIDEuMy42LjEuNC4xLjMxMzEzLjIuNC42LjQuMy4wga0GA1UdHwSBpTCBojA8oDqgOIY2aHR0cDovL2NybC5zeXN0ZW10ZXN0MzQudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MzQuY3JsMGKgYKBepFwwWjELMAkGA1UEBhMCREsxEjAQBgNVBAoMCVRSVVNUMjQwODEmMCQGA1UEAwwdVFJVU1QyNDA4IFN5c3RlbXRlc3QgWFhYSVYgQ0ExDzANBgNVBAMMBkNSTDM3NDAfBgNVHSMEGDAWgBTNbGiXOXIZpDWrZOr0EaOBh/hpOzAdBgNVHQ4EFgQUeB4eWR1NqwJeJuWgdVoJEf9j+rEwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAYKhnkEHiVl0k7qnwsSjVUubllvvYUcG5bg6vTqwG3Yw+/sHLOUy11h9RBco67a9VBy11ZG0U1Rk9IQrTjq3qu9rQaUNieisvUVluuJ3KN/cvBwyAHO4UnayAwmdqGPUMFetyMUlo5uMPx/sjuJoXMkUXfWXk2HUwNaXjkqt5q6zm5I+xg+pnNYBvsndV/igh6zuiygCl68q3AL1Zt56F5hUxWW5W1nd5EvjcTPZ/O2zoX6vFPlaec4LjD9TmVZIU8z/JqFWHM0kM6adIRmXKO2VK4SlzL8joJ4GmevkwDJSD/Wctd8dxmOBf0Y1b2Zrd6OEEwXFsrFpFVGNvY4DfKQ==
</X509Certificate>
</X509Data>
</KeyInfo>
</SubjectConfirmationData>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2022-05-23T08:06:15.361Z" NotOnOrAfter="2022-05-23T16:06:15.361Z">
<AudienceRestriction>
<Audience>http://ehealth.sundhed.dk/service/CareGateway/1</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="dk:gov:saml:attribute:CvrNumberIdentifier"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>29189366</AttributeValue>
</Attribute>
<Attribute Name="dk:gov:saml:attribute:AssuranceLevel"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>3</AttributeValue>
</Attribute>
<Attribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>DK-SAML-2.0</AttributeValue>
</Attribute>
<Attribute Name="dk:gov:saml:attribute:KombitSpecVer"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>1.0</AttributeValue>
</Attribute>
<Attribute Name="dk:gov:saml:attribute:Privileges_intermediate"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48YnBwOlByaXZpbGVnZUxpc3QgeG1sbnM6YnBwPSJodHRwOi8vaXRzdC5kay9vaW9zYW1sL2Jhc2ljX3ByaXZpbGVnZV9wcm9maWxlIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48UHJpdmlsZWdlR3JvdXAgU2NvcGU9InVybjpkazpnb3Y6c2FtbDpjdnJOdW1iZXJJZGVudGlmaWVyOjI5MTg5MzY2Ij48UHJpdmlsZWdlPmh0dHA6Ly9laGVhbHRoLnN1bmRoZWQuZGsvcm9sZXMvc2VydmljZXN5c3RlbXJvbGUvY2FyZV9kZWxpdmVyeV9yZXBvcnRlcl9zeXN0ZW0vMTwvUHJpdmlsZWdlPjwvUHJpdmlsZWdlR3JvdXA+PC9icHA6UHJpdmlsZWdlTGlzdD4=
</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2022-05-23T08:06:15.361Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
I cannot find any notable differences from our assertion, maybe there is something you can see that I cannot?
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cc63a2c7-86a2-4927-aa04-72f14e90dc3d" IssueInstant="2022-05-23T08:02:22.134Z" Version="2.0">
<Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://saml.adgangsstyring.eksterntest-stoettesystemerne.dk</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_cc63a2c7-86a2-4927-aa04-72f14e90dc3d">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>fPRzcc/NMKNh3dPwTw++zcG18DZIeC+v684Eqz4hZLE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>REDACTED</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIGHTCCBQWgAwIBAgIEXgiTCTANBgkqhkiG9w0BAQsFADBAMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MR0wGwYDVQQDDBRUUlVTVDI0MDggT0NFUyBDQSBJVjAeFw0yMTA2MDgwNzA3MDNaFw0yNDA2MDgwNzA2MzVaMIGQMQswCQYDVQQGEwJESzEjMCEGA1UECgwaS09NQklUIEEvUyAvLyBDVlI6MTk0MzUwNzUxXDAgBgNVBAUTGUNWUjoxOTQzNTA3NS1GSUQ6NjA0OTI3ODgwOAYDVQQDDDF0ZXN0LWVrc3Rlcm4tYWRnYW5nc3N0eXJpbmcgKGZ1bmt0aW9uc2NlcnRpZmlrYXQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnEbT2230TEC+ZnAgOWwAaBtoSjOszdaMBxcl1WCCfv8Rc5NFMp1FT68rexN9/k1GcTNWREPLSjEh9RUtQ5QHrEDUYDv3g/lL2YSKaVuY7YiqMn+Ei81tgKWO9N5P1UNdeLW0+5DjNSO++CC33B0AElXXVI9YhQFnSR6qTZsYPQnsD/J6FA41RMyizfk5MFmFurYn06nw9CkW3CtY5T3+FU4q55gIOiwSGplHm5emeFEyxMkXtQBaoRXpgOeSqJJ1r2GYkK3gk/1DGk/s2CKc1wPlhhU9vJOV0cNyyJ/wvUscWjjrgT5UgLX2OK3lZUiQ72W7DMgExOcKTxbvKjP+YwIDAQABo4ICzDCCAsgwDgYDVR0PAQH/BAQDAgO4MIGJBggrBgEFBQcBAQR9MHswNQYIKwYBBQUHMAGGKWh0dHA6Ly9vY3NwLmljYTA0LnRydXN0MjQwOC5jb20vcmVzcG9uZGVyMEIGCCsGAQUFBzAChjZodHRwOi8vZi5haWEuaWNhMDQudHJ1c3QyNDA4LmNvbS9vY2VzLWlzc3VpbmcwNC1jYS5jZXIwggFDBgNVHSAEggE6MIIBNjCCATIGCiqBUIEpAQEBBAMwggEiMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LnRydXN0MjQwOC5jb20vcmVwb3NpdG9yeTCB7gYIKwYBBQUHAgIwgeEwEBYJVFJVU1QyNDA4MAMCAQEagcxGb3IgYW52ZW5kZWxzZSBhZiBjZXJ0aWZpa2F0ZXQgZ+ZsZGVyIE9DRVMgdmlsa+VyLCBDUFMgb2cgT0NFUyBDUCwgZGVyIGthbiBoZW50ZXMgZnJhIHd3dy50cnVzdDI0MDguY29tL3JlcG9zaXRvcnkuIEJlbeZyaywgYXQgVFJVU1QyNDA4IGVmdGVyIHZpbGvlcmVuZSBoYXIgZXQgYmVncuZuc2V0IGFuc3ZhciBpZnQuIHByb2Zlc3Npb25lbGxlIHBhcnRlci4wgZcGA1UdHwSBjzCBjDAuoCygKoYoaHR0cDovL2NybC5pY2EwNC50cnVzdDI0MDguY29tL2ljYTA0LmNybDBaoFigVqRUMFIxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxHTAbBgNVBAMMFFRSVVNUMjQwOCBPQ0VTIENBIElWMRAwDgYDVQQDDAdDUkwzMDgzMB8GA1UdIwQYMBaAFFy7dWIWMpmqNqC4mvtvpwxf8ArVMB0GA1UdDgQWBBR2bXVUcWt5i4zO9J9kpBrq5fJufDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBQ015R55ZZ+83w+eR/CNfZx9ykOKHqf70bOpM9yu7UxG2teAAE+4xA8Zt/F/SPbtLbxAZLkSBevmX4oVVYtNn6C0HrS8V/Gt65rS7VxEI/vBttD0EOOvwxJPW61wM4f5EXY84XZPzL9UY3ErjhDvz3W6trxYNp5wS1V4x85SI8WCesNXjryMHphPakK252IOTXvuybGNjyVwQL3DGI9i/DcOxzIPi0CaBlBEVUTvggR9E7v4P/YpxvQyrerqtEfy8PIJ/a2lysCyoMeeg0TTq5A51BK25SlWzo0muyJ7tbKuRLkPfGtuSq8uGfBBVyouNl4/nH0QDoU9mHDP17gSZZ</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">SERIALNUMBER=CVR:78834412-FID:93554192 + CN=Columna Cura Aalborg Uddannelse (funktionscertifikat), O=SYSTEMATIC A/S // CVR:78834412, C=DK</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<SubjectConfirmationData xmlns:a="http://www.w3.org/2001/XMLSchema-instance" NotBefore="2022-05-23T08:02:22.134Z" NotOnOrAfter="2022-05-23T16:02:22.134Z" Recipient="http://ehealth.sundhed.dk/service/CareGateway/1" a:type="KeyInfoConfirmationDataType">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIGJTCCBQ2gAwIBAgIEXl36YDANBgkqhkiG9w0BAQsFADBAMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MR0wGwYDVQQDDBRUUlVTVDI0MDggT0NFUyBDQSBJVjAeFw0yMjA1MDYwOTI4MDFaFw0yNTA1MDYwOTI3MDlaMIGYMQswCQYDVQQGEwJESzEnMCUGA1UECgweU1lTVEVNQVRJQyBBL1MgLy8gQ1ZSOjc4ODM0NDEyMWAwIAYDVQQFExlDVlI6Nzg4MzQ0MTItRklEOjkzNTU0MTkyMDwGA1UEAww1Q29sdW1uYSBDdXJhIEFhbGJvcmcgVWRkYW5uZWxzZSAoZnVua3Rpb25zY2VydGlmaWthdCkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCFuzhnWzMF74WPNIomwFTDmLq5gWwWT1XUHqYC5KYl5Ju7oJlgG8gZTYslWX4moZrQPL6G1sXI3o9xRQPlq8Sw7b2ettdUAQZcaMH6t1L4FpGA5hoy6IRsI1OZoaX9z29wRUfrpEXmMODuanwHnNyVVmx1fVQV9NkoqxdzXPdFv6vp3419yg1Zvwdcq5CDdXW3WVw5iWPb/6jznHpNI6+behvoZF6oeOMFIX8pAOYeMltpQrTdY1EDyIle50MWlyhsItYFO3Ja6NSVwB8jbgnUaFm6Ix/ANC+NqXdypZ1CWVsFvTqYQvKIrEQdtQshD4fHfpsnLzo2+1B+r6VQAgeZAgMBAAGjggLMMIICyDAOBgNVHQ8BAf8EBAMCA7gwgYkGCCsGAQUFBwEBBH0wezA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AuaWNhMDQudHJ1c3QyNDA4LmNvbS9yZXNwb25kZXIwQgYIKwYBBQUHMAKGNmh0dHA6Ly9mLmFpYS5pY2EwNC50cnVzdDI0MDguY29tL29jZXMtaXNzdWluZzA0LWNhLmNlcjCCAUMGA1UdIASCATowggE2MIIBMgYKKoFQgSkBAQEEAzCCASIwLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cudHJ1c3QyNDA4LmNvbS9yZXBvc2l0b3J5MIHuBggrBgEFBQcCAjCB4TAQFglUUlVTVDI0MDgwAwIBARqBzEZvciBhbnZlbmRlbHNlIGFmIGNlcnRpZmlrYXRldCBn5mxkZXIgT0NFUyB2aWxr5XIsIENQUyBvZyBPQ0VTIENQLCBkZXIga2FuIGhlbnRlcyBmcmEgd3d3LnRydXN0MjQwOC5jb20vcmVwb3NpdG9yeS4gQmVt5nJrLCBhdCBUUlVTVDI0MDggZWZ0ZXIgdmlsa+VyZW5lIGhhciBldCBiZWdy5m5zZXQgYW5zdmFyIGlmdC4gcHJvZmVzc2lvbmVsbGUgcGFydGVyLjCBlwYDVR0fBIGPMIGMMC6gLKAqhihodHRwOi8vY3JsLmljYTA0LnRydXN0MjQwOC5jb20vaWNhMDQuY3JsMFqgWKBWpFQwUjELMAkGA1UEBhMCREsxEjAQBgNVBAoMCVRSVVNUMjQwODEdMBsGA1UEAwwUVFJVU1QyNDA4IE9DRVMgQ0EgSVYxEDAOBgNVBAMMB0NSTDY4MDIwHwYDVR0jBBgwFoAUXLt1YhYymao2oLia+2+nDF/wCtUwHQYDVR0OBBYEFBTtUctEIgLEIaYeP5dwe4tt4AP1MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAK3FNLf0N4V53L2gaULh4a2pGaEIMgFzTPPZampcgRh/8tawh8pg0n8E/7I9TL1TBnNsy1SxtqjVLSaLo32eqd0nG/msVoOsCWSQnplbdg8n9pXrxsLpgD2pChQ4e7fDf63VU6nAny2is/Xpag3o9WN77qVf8Le9MqqT2e4GwlyG3Pn3vLVDfe3BccasazPSaOOOaWN7ZIuuNSx0gViwShwFtT73CrMSdIg1oWJsFhZ9o6Tuh514GmWDSrfd/7qI4mK1BML4+hgopXquqifTjr9jbb6c8LtP1veHCXOaEZ01cRyyoChzU2Q3CYEKcG+5qpuXOpXTP8dcGXB4M2QKHaI=</X509Certificate>
</X509Data>
</KeyInfo>
</SubjectConfirmationData>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2022-05-23T08:02:22.134Z" NotOnOrAfter="2022-05-23T16:02:22.134Z">
<AudienceRestriction>
<Audience>http://ehealth.sundhed.dk/service/CareGateway/1</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="dk:gov:saml:attribute:CvrNumberIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>29189420</AttributeValue>
</Attribute>
<Attribute Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>3</AttributeValue>
</Attribute>
<Attribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>DK-SAML-2.0</AttributeValue>
</Attribute>
<Attribute Name="dk:gov:saml:attribute:KombitSpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>1.0</AttributeValue>
</Attribute>
<Attribute Name="dk:gov:saml:attribute:Privileges_intermediate" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48YnBwOlByaXZpbGVnZUxpc3QgeG1sbnM6YnBwPSJodHRwOi8vaXRzdC5kay9vaW9zYW1sL2Jhc2ljX3ByaXZpbGVnZV9wcm9maWxlIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48UHJpdmlsZWdlR3JvdXAgU2NvcGU9InVybjpkazpnb3Y6c2FtbDpjdnJOdW1iZXJJZGVudGlmaWVyOjI5MTg5NDIwIj48UHJpdmlsZWdlPmh0dHA6Ly9laGVhbHRoLnN1bmRoZWQuZGsvcm9sZXMvc2VydmljZXN5c3RlbXJvbGUvY2FyZV9kZWxpdmVyeV9yZXBvcnRlcl9zeXN0ZW0vMTwvUHJpdmlsZWdlPjwvUHJpdmlsZWdlR3JvdXA+PC9icHA6UHJpdmlsZWdlTGlzdD4=</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2022-05-23T08:02:22.134Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>@aonsystematic it also looks good to me. I would suggest going through each parameter in the token request to double check that everything is correct, that is:
aonsystematic
commented
2 years ago I'm unable to see any issues there either. Here it is:
base64 url encoded string from previous postEDIT: I looked into the The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms. seems to be a warning rather than an actual error. Is the exception caught by the server and not logged perhaps?
nigtrifork
commented
2 years ago @aonsystematic yes maybe that warning is a false flag. I have been able to reproduce the error by omitting the client id from the request, but we have already checked the request. I'm assuming that you are using the same implementation for both clients?
aonsystematic
commented
2 years ago I've been asked to move this discussion to an issue instead of the pull request, so here it is:https://github.com/trifork/klg-docs/issues/38
I also mention it there, but the implementation is infact the same, for both clients
add test certificate for Cura Aalborg Udd environment