I am upgrading from 5.3 to 6.5 and having some issues with using the Jose4J
package to validate the JWTs. From what I can tell, after the JWE decrypts
the JWT, the content type header "cty" is "JWT", indicating that the JWT is
still in a nested state according to Jose4J.

—— Code 

// Step 1: signature validation
JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(jwtString);
jws.setKey(new AesKey(jwtConfig.getSigningKey().getBytes(StandardCharsets.UTF_8)));
jws.setAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE);
if (!jws.verifySignature()) {
    logger.error(String.format("jwt have invalid signature:%s", jwtString));
    return new ValidationDTO(false, false);
}

// Step 2: check if encryption is fine, but possibly an expired token
final byte[] decodedBytes =
        Base64.decodeBase64(jws.getEncodedPayload().getBytes(StandardCharsets.UTF_8));
final String decodedPayload = new String(decodedBytes, StandardCharsets.UTF_8);
final JsonWebKey jsonWebKey = JsonWebKey.Factory
        .newJwk("\n" + "{\"kty\":\"oct\",\n" + " \"k\":\"" +
                jwtConfig.getEncriptionKey() + "\"\n" + "}");
JwtConsumer maybeExpiredConsumer = new JwtConsumerBuilder()
        .setSkipAllValidators()
        .setDisableRequireSignature()
        .setSkipSignatureVerification()
        .setDecryptionKey(new AesKey(jsonWebKey.getKey().getEncoded()))
        .setJweAlgorithmConstraints(
                new AlgorithmConstraints(ConstraintType.WHITELIST,
                        KeyManagementAlgorithmIdentifiers.DIRECT))
        // this has to match CAS configuration
        .setJweContentEncryptionAlgorithmConstraints(
                new AlgorithmConstraints(ConstraintType.WHITELIST,
                        ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256))
        .build();

// <<<<< Exception thrown on the next line: "Invalid JOSE Compact Serialization"
JwtContext context = maybeExpiredConsumer.process(decodedPayload);

—— End Code

Invalid JWT:JWT processing failed. Additional details: [[17] Unable to process nested JOSE object (cause: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 14.): 
{"clientIpAddress":"127.0.0.1","sub":"t...@test2121.com","authenticationDate":1659977730,"successfulAuthenticationHandlers":"careerAuthenticationHandler","iss":"https:\/\/jason.crengland.com\/cas","userAgent":"PostmanRuntime\/7.29.2","credentialType":"UsernamePasswordCredential","aud":"https:\/\/jason.crengland.com\/cas","authenticationMethod":"careerAuthenticationHandler","geoLocation":"unknown","serverIpAddress":"127.0.0.1","exp":1660006530,"iat":1659977730,"jti":"TGT-2-xxxxxxxxx-CREJDR-MBP2022"}]

org.jose4j.jwt.consumer.InvalidJwtException: JWT processing failed. Additional details: [[17] Unable to process nested JOSE object (cause: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 14.): 
{"clientIpAddress":"127.0.0.1","sub":"t...@test2121.com","authenticationDate":1659977730,"successfulAuthenticationHandlers":"careerAuthenticationHandler","iss":"https:\/\/jason.crengland.com\/cas","userAgent":"PostmanRuntime\/7.29.2","credentialType":"UsernamePasswordCredential","aud":"https:\/\/jason.crengland.com\/cas","authenticationMethod":"careerAuthenticationHandler","geoLocation":"unknown","serverIpAddress":"127.0.0.1","exp":1660006530,"iat":1659977730,"jti":"TGT-2-xxxxxxxx-CREJDR-MBP2022"}]
        at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:406) ~[jose4j-0.7.12.jar:na]
        at com.crengland.web.security.service.JWTValidationServiceImpl.validate(JWTValidationServiceImpl.java:93) ~[classes/:na]
        at com.crengland.web.security.service.JWTValidationServiceImpl$$FastClassBySpringCGLIB$$c0ab6de1.invoke(<generated>) [classes/:na]
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) [spring-core-5.3.2.jar:5.3.2]

   …...

        at java.lang.Thread.run(Thread.java:750) [na:1.8.0_332]
Caused by: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 14.
        at org.jose4j.jwx.JsonWebStructure.fromCompactSerialization(JsonWebStructure.java:90) ~[jose4j-0.7.12.jar:na]
        at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:320) ~[jose4j-0.7.12.jar:na]
        ... 70 common frames omitted
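
Added example, not part of the original post and not CAS or jose4j code: a JDK-only diagnostic that reports which JOSE layer a string is (3 parts = JWS, 5 parts = JWE, anything else is not a compact serialization) and what its protected header declares for "alg", "enc" and "cty". The class name JoseLayerInspector, the describe() helper and both sample strings are constructed for illustration; it performs no signature verification or decryption.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical diagnostic helper: classifies one layer of a nested JWT. */
public class JoseLayerInspector {

    // Pulls a string-valued member such as "cty":"JWT" out of a small JOSE header.
    private static String headerValue(String headerJson, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"")
                .matcher(headerJson);
        return m.find() ? m.group(1) : null;
    }

    /** Returns a one-line description of the layer; never verifies or decrypts. */
    public static String describe(String token) {
        String trimmed = token.trim();
        if (trimmed.startsWith("{")) {
            return "JSON claims (innermost layer, not a compact serialization)";
        }
        String[] parts = trimmed.split("\\.", -1); // -1 keeps empty parts (JWE with "dir")
        if (parts.length != 3 && parts.length != 5) {
            return "not a JOSE compact serialization: " + parts.length + " parts";
        }
        String header;
        try {
            header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "first part is not base64url: " + e.getMessage();
        }
        return (parts.length == 3 ? "JWS" : "JWE")
                + " alg=" + headerValue(header, "alg")
                + " enc=" + headerValue(header, "enc")
                + " cty=" + headerValue(header, "cty");
    }

    public static void main(String[] args) {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        // Constructed sample: JWE-shaped string with a "dir" header and dummy iv/ciphertext/tag.
        String hdr = "{\"alg\":\"dir\",\"enc\":\"A128CBC-HS256\",\"cty\":\"JWT\"}";
        String jweShaped = b64.encodeToString(hdr.getBytes(StandardCharsets.UTF_8)) + "..aXY.Y3Q.dGFn";
        System.out.println(describe(jweShaped));
        // Constructed sample: plain claims, shaped like the payload quoted in the error above.
        System.out.println(describe("{\"sub\":\"user@example.org\",\"exp\":1660006530}"));
    }
}
```

Calling describe() on each intermediate string in a validation flow (the outer token, then the decoded JWS payload) shows at which layer a "cty" of "JWT" is declared and whether the next layer is actually a compact serialization.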
