Hi, that happened to me while I was attempting by mistake to validate the JWT as if it was an ST. Actually JWT is not intended to be validated against CAS, because its authenticity is granted by its signature (https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html).
Could you try to authenticate over CAS with your client app turned off and see if the JWT is returned?

cheers
Michele

On Wednesday, January 30, 2019 at 8:50:11 PM UTC+1, srmudigan wrote:
>
> Hi,
>
> I am using CAS overlay 5.2.x and I am trying to use JWT token for single sign on. I configured the cas.properties with signing key and encryption key. Also added the service JSON with keys. I see that JWT is getting generated but seems like the validation is failing. I am new to the CAS, so can anybody please let me know how do we validate the JWT on CAS server. I see the following audit trail:
>
> WHO: audit:unknown
> WHAT: [event=success,timestamp=Wed Jan 30 13:25:36 EST 2019,source=RankedAuthenticationProviderWebflowEventResolver]
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:25:36 EST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>
> WHO: testuser
> WHAT: Supplied credentials: [testuser]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:03 EST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>
> WHO: testuser
> WHAT: TGT-1-*********************************************************o9ZO9-5-lg-hostname
> ACTION: TICKET_GRANTING_TICKET_DESTROYED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:04 EST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>
> WHO: testuser
> WHAT: TGT-1-*********************************************************9AvnnUJ-eU-hostname
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:04 EST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>
> WHO: testuser
> WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname for http://localhost:8080/appname
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:04 EST 2019
> CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
> SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
>
> WHO: testuser
> WHAT: ST-1-5rXI2d9rn7Rf-BWXld2b6hct6xA-hostname
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:05 EST 2019
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
>
> Then I see this failed message (service ticket doesn't exist):
>
> 2019-01-30 13:27:05,396 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Attempting to decode service ticket [eyJhbGciOiJIUzUxMiJ9.eyJjcmVkZW50aWFsVHlwZSI6IlVzZXJuYW1lUGFzc3dvcmRDcmVkZW50aWFsIiwiYXVkIjoiaHR0cDpcL1wvbG9jYWxob3N0OjkwNTBcL2NhcnQtd2ViXC9jYXJ0SG9tZS5kbyIsInN1YiI6InNtdWRpZ2FuIiwiaXNGcm9tTmV3TG9naW4iOiJ0cnVlIiwiYXV0aGVudGljYXRpb25EYXRlIjoiMjAxOS0wMS0zMFQxMzoyNzowNC4xMzgtMDU6MDBbQW1lcmljYVwvTmV3X1lvcmtdIiwiYXV0aGVudGljYXRpb25NZXRob2QiOiJBY2NlcHRVc2Vyc0F1dGhlbnRpY2F0aW9uSGFuZGxlciIsInN1Y2Nlc3NmdWxBdXRoZW50aWNhdGlvbkhhbmRsZXJzIjoiQWNjZXB0VXNlcnNBdXRoZW50aWNhdGlvbkhhbmRsZXIiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2NhcyIsImxvbmdUZXJtQXV0aGVudGljYXRpb25SZXF1ZXN0VG9rZW5Vc2VkIjoiZmFsc2UiLCJleHAiOjE1NDg5MDE2MjUsImlhdCI6MTU0ODg3MjgyNSwianRpIjoiU1QtMS01clhJMmQ5cm43UmYtQldYbGQyYjZoY3Q2eEEtTllDLTdMLTU1Nzg4MDAzIn0=.d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g] to verify authenticity>
> 2019-01-30 13:27:05,396 WARN [org.apereo.cas.DefaultCentralAuthenticationService] - <Service ticket [eyJhbGciOiJIUzUxMiJ9.eyJjcmVkZW50aWFsVHlwZSI6IlVzZXJuYW1lUGFzc3dvcmRDcmVkZW50aWFsIiwiYXVkIjoiaHR0cDpcL1wvbG9jYWxob3N0OjkwNTBcL2NhcnQtd2ViXC9jYXJ0SG9tZS5kbyIsInN1YiI6InNtdWRpZ2FuIiwiaXNGcm9tTmV3TG9naW4iOiJ0cnVlIiwiYXV0aGVudGljYXRpb25EYXRlIjoiMjAxOS0wMS0zMFQxMzoyNzowNC4xMzgtMDU6MDBbQW1lcmljYVwvTmV3X1lvcmtdIiwiYXV0aGVudGljYXRpb25NZXRob2QiOiJBY2NlcHRVc2Vyc0F1dGhlbnRpY2F0aW9uSGFuZGxlciIsInN1Y2Nlc3NmdWxBdXRoZW50aWNhdGlvbkhhbmRsZXJzIjoiQWNjZXB0VXNlcnNBdXRoZW50aWNhdGlvbkhhbmRsZXIiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2NhcyIsImxvbmdUZXJtQXV0aGVudGljYXRpb25SZXF1ZXN0VG9rZW5Vc2VkIjoiZmFsc2UiLCJleHAiOjE1NDg5MDE2MjUsImlhdCI6MTU0ODg3MjgyNSwianRpIjoiU1QtMS01clhJMmQ5cm43UmYtQldYbGQyYjZoY3Q2eEEtTllDLTdMLTU1Nzg4MDAzIn0=.d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g] does not exist.>
>
> WHO: audit:unknown
> WHAT: eyJhbGciOiJIUzUxMiJ9.eyJjcmVkZW50aWFsVHlwZSI6IlVzZXJuYW1lUGFzc3dvcmRDcmVkZW50aWFsIiwiYXVkIjoiaHR0cDpcL1wvbG9jYWxob3N0OjkwNTBcL2NhcnQtd2ViXC9jYXJ0SG9tZS5kbyIsInN1YiI6InNtdWRpZ2FuIiwiaXNGcm9tTmV3TG9naW4iOiJ0cnVlIiwiYXV0aGVudGljYXRpb25EYXRlIjoiMjAxOS0wMS0zMFQxMzoyNzowNC4xMzgtMDU6MDBbQW1lcmljYVwvTmV3X1lvcmtdIiwiYXV0aGVudGljYXRpb25NZXRob2QiOiJBY2NlcHRVc2Vyc0F1dGhlbnRpY2F0aW9uSGFuZGxlciIsInN1Y2Nlc3NmdWxBdXRoZW50aWNhdGlvbkhhbmRsZXJzIjoiQWNjZXB0VXNlcnNBdXRoZW50aWNhdGlvbkhhbmRsZXIiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2NhcyIsImxvbmdUZXJtQXV0aGVudGljYXRpb25SZXF1ZXN0VG9rZW5Vc2VkIjoiZmFsc2UiLCJleHAiOjE1NDg5MDE2MjUsImlhdCI6MTU0ODg3MjgyNSwianRpIjoiU1QtMS01clhJMmQ5cm43UmYtQldYbGQyYjZoY3Q2eEEtTllDLTdMLTU1Nzg4MDAzIn0=.d2h6CYWdYbDUvEdjnDpYpNKB7QIgfHU_ztYOeBN0dOp-H_p_Nwgnw1_kBoqXQytuPae4eyNeH05RiwUyQbOh-g
> ACTION: SERVICE_TICKET_VALIDATE_FAILED
> APPLICATION: CAS
> WHEN: Wed Jan 30 13:27:05 EST 2019
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
>
> I felt like CAS server is trying to validate the generated JWT but it's not able to find it.
