I am observing that extra non-base64 characters are appended to the payload. If I remove them, then I am able to verify the signature. Can someone suggest whether this is a CAS issue or an issue in my configuration?
JWT:
eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpdmVyYXNlIiwiaXNGcm9tTmV3TG9naW4iOiJ0cnVlIiwiYXV0aGVudGljYXRpb25EYXRlIjoiMjAxOC0xMi0xN1QxMzowNTowOS43MzkrMDE6MDBbRXVyb3BlXC9CZXJsaW5dIiwicm9sZXMiOlsidXNlciIsImFjZV9vcGVyYXRvciIsIkFSQ0hJVkVfT1BFUkFUT1IiLCJQSEFTRTNfT1BFUkFUT1IiLCJHTkxUX1VTRVIiLCJDQVRBTE9HVUVfT1BFUkFUT1IiLCJhc21fdXNlciJdLCJzdWNjZXNzZnVsQXV0aGVudGljYXRpb25IYW5kbGVycyI6IkVTTyBBdXRoIEhhbmRsZXIiLCJpc3MiOiJodHRwczpcL1wvY2FzLmV4YW1wbGUub3JnOjg0NDNcL3NzbyIsImNyZWRlbnRpYWxUeXBlIjoiVXNlcm5hbWVQYXNzd29yZENyZWRlbnRpYWwiLCJhdWQiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODg4OFwvYXBpIiwiaXNJbXBlcnNvbmF0aW5nIjoiZmFsc2UiLCJhdXRoZW50aWNhdGlvbk1ldGhvZCI6IkVTTyBBdXRoIEhhbmRsZXIiLCJsb25nVGVybUF1dGhlbnRpY2F0aW9uUmVxdWVzdFRva2VuVXNlZCI6ImZhbHNlIiwiZXhwIjoxNTQ1MDc3MTEwLCJpYXQiOjE1NDUwNDgzMTAsImp0aSI6IlNULTEtYUZwSnRnRXFXTHc3VUREVlN3VnB4SGZucDhnR0EwMjI1ODcifQ %3D%3D .WB71awCAFz2tsa1ZqoZnWacKKVAarjsylBuOvnetHf9CHsIFgYtg58-2hCbeJT-gMFlCzaolriDsks1bE_RIPw

If I remove '%3D%3D' from JWT then verification succeeds.

On Sat, Dec 15, 2018 at 4:14 PM William E. <[email protected]> wrote:

> I think you are seeing the discrepancy due to base64 vs. base64url
> decoding. I think the jwt spec. wants base64 url vs. plain base64.
>
> https://en.wikipedia.org/wiki/Base64#URL_applications
>
>
> On Friday, December 14, 2018 at 9:37:45 AM UTC-6, Devendra Sisodia wrote:
>>
>> While decoding JWT there is error "Bad Base64 input character decimal 37
>> in array position 806" Which means 37(%) is not allowed in encoded base 64
>> string in JWT.
>>
>> My JWT looks like below and yellow highlighted is the 806th element that
>> cannot be base 64 decoded.
>>
>> eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpdmVyYXNlI<string>NTg3In0%3D.
>> UmNz8ikEOFYqPgHRmZb1SK6A1pRFu48fSfYTasMGYHKtg7V8JepAfwunXwFeHsx5JTi4yKBug1Tq9PqfdY93lA
>>
>> On Fri, Dec 14, 2018 at 2:11 PM Giuseppe Infurna <[email protected]>
>> wrote:
>>
>>>
>>> I'm using io.jsonwebtoken.jjwt library
>>>
>>> Jwts.parser().setSigningKey(<yourSecretKey>).parseClaimsJws(<yourJwt>);
>>>
>>>
>>>
>>> On Friday, December 14, 2018 at 14:02:14 UTC+1, Devendra Sisodia
>>> wrote:
>>>>
>>>> Hello,
>>>>
>>>> Big Thanks for sharing configuration and as a result JWT is not
>>>> encrypted and only signed.
>>>>
>>>> But now I face strange issue. When I try to verify signature it fails.
>>>> I am using AES and single key to sign and JWT is generated. But the
>>>> generated JWT fails signature verification.
>>>>
>>>> JWT generated as below:
>>>> 2018-12-14 12:33:00,684 DEBUG
>>>> [org.apereo.cas.token.JWTTokenTicketBuilder] - <Locating service [
>>>> http://localhost:8888/api] in service registry>
>>>> 2018-12-14 12:33:00,685 DEBUG
>>>> [org.apereo.cas.token.JWTTokenTicketBuilder] - <Locating service specific
>>>> signing and encryption keys for [http://localhost:8888/api] in service
>>>> registry>
>>>> 2018-12-14 12:33:00,690 WARN
>>>> [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Encryption is not
>>>> enabled for [Token/JWT Tickets]. The cipher
>>>> [RegisteredServiceTokenTicketCipherExecutor] will only attempt to produce
>>>> signed objects>
>>>> 2018-12-14 12:33:00,690 WARN
>>>> [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Signing is not
>>>> enabled for [Token/JWT Tickets].
>>>> The cipher
>>>> [RegisteredServiceTokenTicketCipherExecutor] will attempt to produce plain
>>>> objects>
>>>> 2018-12-14 12:33:00,690 DEBUG
>>>> [org.apereo.cas.token.JWTTokenTicketBuilder] - <Encoding JWT based on
>>>> default global keys for [http://localhost:8888/api]>
>>>> 2018-12-14 12:33:00,734 DEBUG
>>>> [org.apereo.cas.authentication.principal.DefaultResponse] - <Sanitized URL
>>>> for redirect response is [http://localhost:8888/api]>
>>>> 2018-12-14 12:33:00,736 DEBUG
>>>> [org.apereo.cas.authentication.principal.DefaultResponse] - <Final redirect
>>>> response is [
>>>> http://localhost:8888/api?redirect=true&ticket=eyJhbGciOiJSUzUxMiJ9
>>>>
>>>> Verification code used is:
>>>> final Key key = new AesKey(jwtSigning.getBytes(StandardCharsets.UTF_8));
>>>>
>>>> final JsonWebSignature jws = new JsonWebSignature();
>>>> jws.setCompactSerialization(secureJwt);
>>>> jws.setKey(key);
>>>> if (!jws.verifySignature()) {
>>>>     throw new Exception("JWT verification failed");
>>>> }
>>>>
>>>> On Thu, Dec 13, 2018 at 3:40 PM Giuseppe Infurna <[email protected]>
>>>> wrote:
>>>>
>>>>>
>>>>> yes
>>>>>
>>>>>
>>>>> ###Token/JWT Tickets ENCRYPTION
>>>>> cas.authn.token.crypto.enabled=true
>>>>>
>>>>> cas.authn.token.crypto.signing-enabled=true
>>>>> cas.authn.token.crypto.signing.key=
>>>>> Dkkpi7iUKqidOXXmeAbr4RyHirYmgQgqqUrIo6q_JPNks2iqX2l95jVVoZQDWLNiFnhQF43agCtdMxRnIXOO9g
>>>>>
>>>>> cas.authn.token.crypto.encryption-enabled=false
>>>>> cas.authn.token.crypto.encryption.key=
>>>>>
>>>>> and
>>>>>
>>>>> {
>>>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>>>   "serviceId" : "^(http|https)://?localhost(:8081|:9060|:9000)?/.*",
>>>>>   "name" : "myApplication",
>>>>>   "theme" : "myApplication",
>>>>>   "id" : 10000003,
>>>>>   "description" : "My Application",
>>>>>   "evaluationOrder" : 1,
>>>>>   "usernameAttributeProvider" : {
>>>>>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>>>>>   },
>>>>>   "attributeReleasePolicy" : {
>>>>>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>>>   },
>>>>>   "accessStrategy" : {
>>>>>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>>>     "enabled" : true,
>>>>>     "ssoEnabled" : true
>>>>>   },
>>>>>   "proxyPolicy" : {
>>>>>     "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
>>>>>     "pattern" : "^(http|https)?://.*"
>>>>>   },
>>>>>   "properties" : {
>>>>>     "@class" : "java.util.HashMap",
>>>>>     "jwtAsServiceTicket" : {
>>>>>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>>>>>       "values" : [ "java.util.HashSet", [ "true" ] ]
>>>>>     }
>>>>>   }
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> On Thursday, December 13, 2018 at 14:55:49 UTC+1, Devendra Sisodia
>>>>> wrote:
>>>>>>
>>>>>> Sorry, but this does not work.
>>>>>> What does your service (the one with the definition of
>>>>>> 'jwtAsServiceTicket', etc.) look like?
>>>>>>
>>>>>>
>>>>>> On Thu, Dec 13, 2018 at 2:09 PM Giuseppe Infurna <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>> I'm working fine with
>>>>>>>
>>>>>>> cas.authn.token.crypto.encryption-enabled=false
>>>>>>> cas.authn.token.crypto.encryption.key=
>>>>>>>
>>>>>>>
>>>>>>> On Monday, November 12, 2018 at 16:44:10 UTC+1, Xavier Rodríguez
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> I'm configuring Cas Server 5.3.3. In one service I need to respond
>>>>>>>> with a JWT without encryption. Is it possible?
>>>>>>>>
>>>>>>>> I have changed in cas.properties:
>>>>>>>>
>>>>>>>> cas.authn.token.crypto.encryptionEnabled=false
>>>>>>>>
>>>>>>>> But it has no effect. In my service I don't configure the property
>>>>>>>> either:
>>>>>>>>
>>>>>>>> "jwtAsServiceTicketEncryptionKey"
>>>>>>>>
>>>>>>>> How can I disable this property?
>>>>>>>>
>>>>>>>> Regards!
>>>>>>>>
>>>>>>>> - Xavier -
>>>>>>>>
>>>>>>> --
>>>>>>> - Website: https://apereo.github.io/cas
>>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "CAS Community" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to [email protected].
>>>>>>> To view this discussion on the web visit
>>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/0cdbba7e-75b3-4a5f-9e4b-c68b9e8a233a%40apereo.org
>>>>>>> .
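Added example, not part of the thread and not CAS, jose4j or jjwt code: it reproduces the symptom discussed above with a minimal HS512 signer and strict verifier, then shows a receiver-side normalization of the `ticket` value that undoes the percent-encoding and base64 padding before verifying. All function names, the key and the `jti` value are constructed for illustration; `sub` and `aud` reuse values visible in the token posted above.

```python
import base64, hashlib, hmac, json, re
from urllib.parse import unquote

SEGMENT = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet; JWS omits '=' padding
KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
CLAIMS = {"sub": "iverase", "aud": "http://localhost:8888/api", "jti": "ST-1"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def mac(key: bytes, head: str, body: str) -> bytes:
    # The MAC covers the ASCII text "<header>.<payload>" exactly as serialized.
    return hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha512).digest()

def sign_hs512(claims: dict, key: bytes) -> str:
    head = b64url(json.dumps({"alg": "HS512"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head}.{body}.{b64url(mac(key, head, body))}"

def verify_hs512(token: str, key: bytes) -> dict:
    """Strict check: three unpadded base64url segments, pinned alg, MAC match."""
    parts = token.split(".")
    if len(parts) != 3 or not all(SEGMENT.fullmatch(p) for p in parts):
        raise ValueError("segment is not unpadded base64url")
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS512":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(mac(key, head, body), b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body))

def normalize_ticket(raw: str) -> str:
    """Undo transport encoding only: percent-decode once, drop '=' padding."""
    return ".".join(seg.rstrip("=") for seg in unquote(raw).split("."))

def padded_ticket(token: str) -> str:
    """Constructed input: append percent-encoded '=' padding to the payload."""
    head, body, sig = token.split(".")
    return f"{head}.{body}{'%3D' * (-len(body) % 4)}.{sig}"

def demo():
    ticket = padded_ticket(sign_hs512(CLAIMS, KEY))
    try:
        strict = verify_hs512(ticket, KEY)
    except ValueError as err:
        strict = str(err)
    return ticket, strict, verify_hs512(normalize_ticket(ticket), KEY)
```

Normalization only undoes what the redirect URL did to the token; the MAC is still checked afterwards, so a token whose header or payload was altered is rejected.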
