I have the same issue. Did you manage to solve it? Do global properties work?
On Thu, Jul 22, 2021 at 5:20 PM Simon Rieu <[email protected]> wrote:
> Hi everyone
>
> I'm currently using CAS version 6.3.2. I added support for the OpenID Connect protocol, which is based on the OAuth2 protocol.
> With the following configuration I'm able to generate a JWT access token and a refresh token. My goal is to sign these tokens; encryption is not needed.
> So far so good. Now, from the resource server, I would like to check the signature of these tokens.
> When the OpenID Connect protocol is active there is an endpoint at /oidc/jwks which allows everybody to retrieve the public keys (by default there is one and it's an RSA key) to do exactly that. My problem is that when I parse the JWT token generated by the CAS, the algorithm used (extracted from the header section of the JWT token) is not RSA:
>
> The parsed JWT indicates it was signed with the HS512 signature algorithm, but the specified signing key of type com.android.org.conscrypt.OpenSSLRSAPublicKey may not be used to validate HS512 signatures. Because the specified signing key reflects a specific and expected algorithm, and the JWT does not reflect this algorithm, it is likely that the JWT was not expected and therefore should not be trusted. Another possibility is that the parser was configured with the incorrect signing key, but this cannot be assumed for security reasons.
>
> I tried to add the following configuration in my properties file to change that:
>
> cas.authn.oauth.access-token.crypto.alg=RSA (tried with RS512 too)
>
> and here is the whole section regarding crypto:
>
> cas.authn.oauth.access-token.crypto.signing.key=...
> cas.authn.oauth.access-token.create-as-jwt=true
> cas.authn.oauth.access-token.crypto.encryption-enabled=false
> cas.authn.oauth.access-token.crypto.signing-enabled=true
> cas.authn.oauth.access-token.crypto.alg=RSA
>
> There is a section (https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties-Common.html#signing--encryption) regarding RSA keys in the common properties to generate a private / public key, but I don't know how to configure the CAS to use the public one (the private one can be configured via cas.authn.oauth.access-token.crypto.signing.key) for OIDC.
>
> Here is my service.json:
>
> {
>   "@class" : "org.apereo.cas.services.OidcRegisteredService",
>   "serviceId" : "...",
>   "clientId" : "...",
>   "name" : "...",
>   "id" : 10000006,
>   "evaluationOrder" : 1,
>   "scopes" : [ "java.util.HashSet", ["email"]],
>   "bypassApprovalPrompt": true,
>   "generateRefreshToken": true,
>   "jwtAccessToken": true,
>   "properties" : {
>     "@class" : "java.util.HashMap",
>     "accessTokenAsJwtSigningKey" : {
>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values" : [ "java.util.HashSet", [ "..." ] ]
>     },
>     "accessTokenAsJwtSigningEnabled" : {
>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values" : [ "java.util.HashSet", [ "true" ] ]
>     },
>     "accessTokenAsJwtEncryptionEnabled" : {
>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values" : [ "java.util.HashSet", [ "false" ] ]
>     }
>   }
> }
>
> Another strange behaviour is that to make JWT token generation work, it seems that some global properties are not sufficient:
>
> cas.authn.oauth.access-token.crypto.signing.key=...
> cas.authn.oauth.access-token.create-as-jwt=true
> cas.authn.oauth.access-token.crypto.encryption-enabled=false
> cas.authn.oauth.access-token.crypto.signing-enabled=true
>
> and we need the properties in the service to make it work. Without the accessTokenAsJwtSigningKey I have an error (why, since there is already a key configured in properties?!):
>
> org.jose4j.lang.InvalidAlgorithmException: Signature algorithm header (alg) not set.
>   at org.jose4j.jws.JsonWebSignature.getAlgorithm(JsonWebSignature.java:245) ~[jose4j-0.7.2.jar!/:?]
>   at org.jose4j.jws.JsonWebSignature.getAlgorithm(JsonWebSignature.java:231) ~[jose4j-0.7.2.jar!/:?]
>   at org.jose4j.jws.JsonWebSignature.sign(JsonWebSignature.java:181) ~[jose4j-0.7.2.jar!/:?]
>   at org.jose4j.jws.JsonWebSignature.getCompactSerialization(JsonWebSignature.java:140) ~[jose4j-0.7.2.jar!/:?]
>   at org.apereo.cas.util.EncodingUtils.signJws(EncodingUtils.java:471) ~[cas-server-core-util-api-6.3.2.jar!/:6.3.2]
>   at org.apereo.cas.util.cipher.AbstractCipherExecutor.signWith(AbstractCipherExecutor.java:113) ~[cas-server-core-util-api-6.3.2.jar!/:6.3.2]
>   at org.apereo.cas.oidc.token.OidcRegisteredServiceJwtAccessTokenCipherExecutor$1.sign(OidcRegisteredServiceJwtAccessTokenCipherExecutor.java:140) ~[cas-server-support-oidc-core-api-6.3.2.jar!/:6.3.2]
>
> "properties" : {
>   "@class" : "java.util.HashMap",
>   "accessTokenAsJwtSigningKey" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>     "values" : [ "java.util.HashSet", [ "..." ] ]
>   },
>   "accessTokenAsJwtSigningEnabled" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>     "values" : [ "java.util.HashSet", [ "true" ] ]
>   },
>   "accessTokenAsJwtEncryptionEnabled" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>     "values" : [ "java.util.HashSet", [ "false" ] ]
>   }
> }
>
> Maybe I need to use the jwk property: "Optional. Resource path to the keystore location that holds the keys for this application", described in https://apereo.github.io/cas/6.3.x/installation/OIDC-Authentication.html
> But I don't know why I would need it...
>
> I tried many things, reading the source code, but I've been hard stuck for 2 days on the matter. If somebody could help me that would be great.
>
> Thanks
>
> Simon
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a8bd95f-0b81-4b0a-8334-87b19a03102en%40apereo.org
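The mismatch the parser reported in the quoted message (an HS512 `alg` header checked against an RSA public key fetched from /oidc/jwks) is exactly what a resource server should refuse, and refusing it before any cryptography runs is what keeps an RSA public key from ever being misused as an HMAC secret. The following Python example is added here and is not code from the thread, from CAS or from jose4j: it is a stdlib-only verifier that pins the expected algorithm in configuration, selects the JWKS key by `kid`, verifies RS512 with PKCS#1 v1.5 over SHA-512, and rejects an HS512 token even when it names the RSA key. The key pair, JWKS document, `kid` value `cas-rsa-1`, issuer URL, claims and shared secret are all constructed for the demo, the 1024-bit key size is for speed rather than a production choice, and the prime generation and token minting exist only so the example runs offline.

```python
import base64, hashlib, hmac, json, secrets

# Hypothetical stdlib-only resource-server verifier (not CAS or jose4j code). The algorithm
# is pinned in configuration and checked against the JWS header before any key is touched.
PINNED_ALG = "RS512"  # what the RSA key in the CAS JWKS can legitimately verify
SHA512_DIGEST_INFO = bytes.fromhex("3051300d060960864801650304020305000440")  # RFC 8017 9.2
class TokenRejected(Exception): pass

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _emsa_pkcs1_v15(data, k):  # 0x00 0x01 0xff...0xff 0x00 DigestInfo SHA-512(data)
    t = SHA512_DIGEST_INFO + hashlib.sha512(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_rs512_verify(jwk, signing_input, sig):
    n, e = (int.from_bytes(b64url_decode(jwk[x]), "big") for x in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(signing_input, k))

def verify_jwt(token, jwks):
    """The verifier, never the token header, decides which algorithm runs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != PINNED_ALG:  # e.g. HS512 from the thread: rejected here, no HMAC ever run
        raise TokenRejected("alg %r != pinned %r" % (header.get("alg"), PINNED_ALG))
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenRejected("no RSA key with kid %r in JWKS" % header.get("kid"))
    if not rsa_rs512_verify(key, ("%s.%s" % (h64, p64)).encode(), b64url_decode(s64)):
        raise TokenRejected("signature invalid")
    return json.loads(b64url_decode(p64))

# --- Constructed fixtures (key generation, token minting) so the demo runs offline ---
def _is_probable_prime(n, rounds=24):  # Miller-Rabin; candidates are odd and > 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def generate_rsa_jwk(bits=1024, kid="cas-rsa-1"):  # 1024 bits for demo speed, not production
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            break
    public = {"kty": "RSA", "use": "sig", "alg": "RS512", "kid": kid,
              "n": b64url_encode(n.to_bytes(bits // 8, "big")), "e": b64url_encode(e.to_bytes(3, "big"))}
    return public, {"n": n, "d": pow(e, -1, phi)}

def make_token(claims, alg, kid, private=None, hmac_secret=None):
    h64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (h64, p64)).encode()
    if alg == "RS512":
        k = (private["n"].bit_length() + 7) // 8
        em = int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big")
        sig = pow(em, private["d"], private["n"]).to_bytes(k, "big")
    else:  # HS512, the algorithm CAS actually used in the thread
        sig = hmac.new(hmac_secret, signing_input, "sha512").digest()
    return "%s.%s.%s" % (h64, p64, b64url_encode(sig))

def demo():
    public_jwk, private = generate_rsa_jwk()
    jwks = {"keys": [public_jwk]}  # stands in for what CAS serves at /oidc/jwks
    claims = {"sub": "casuser", "iss": "https://cas.example.test/cas/oidc", "aud": "client-id"}
    good = make_token(claims, "RS512", "cas-rsa-1", private=private)
    hs = make_token(claims, "HS512", "cas-rsa-1", hmac_secret=b"constructed-secret")
    out = {"rs512_ok": verify_jwt(good, jwks)["sub"] == "casuser"}
    try:
        verify_jwt(hs, jwks)
        out["hs512_rejected"] = False
    except TokenRejected:
        out["hs512_rejected"] = True
    return out
```

In a real deployment the `jwks` dictionary would be fetched over TLS from the CAS /oidc/jwks endpoint and cached by `kid`, and the caller would still have to check `iss`, `aud` and `exp` on the returned claims; the point the example isolates is that the accepted algorithm is a verifier-side setting, so a token carrying a different `alg` is rejected before any key is used, which is the decision the jjwt message in the thread is making.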
