I am upgrading from 5.3 to 6.5 and having some issues with using the Jose4J package to validate the JWTs. From what I can tell, after the JWE decrypts the JWT, the content type header “cty” is “JWT”, indicating that the JWT is still in a nested state according to Jose4J.
—— Code
// Step 1: signature validation
JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(jwtString);
jws.setKey(new AesKey(jwtConfig.getSigningKey().getBytes(StandardCharsets.UTF_8)));
jws.setAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE);
if (!jws.verifySignature()) {
    logger.error(String.format("jwt have invalid signature:%s", jwtString));
    return new ValidationDTO(false, false);
}

// Step 2: check if encryption is fine, but possibly an expired token
final byte[] decodedBytes = Base64.decodeBase64(jws.getEncodedPayload().getBytes(StandardCharsets.UTF_8));
final String decodedPayload = new String(decodedBytes, StandardCharsets.UTF_8);
final JsonWebKey jsonWebKey = JsonWebKey.Factory
        .newJwk("\n" + "{\"kty\":\"oct\",\n" + " \"k\":\"" + jwtConfig.getEncriptionKey() + "\"\n" + "}");
JwtConsumer maybeExpiredConsumer = new JwtConsumerBuilder()
        .setSkipAllValidators()
        .setDisableRequireSignature()
        .setSkipSignatureVerification()
        .setDecryptionKey(new AesKey(jsonWebKey.getKey().getEncoded()))
        .setJweAlgorithmConstraints(
                new AlgorithmConstraints(ConstraintType.WHITELIST, KeyManagementAlgorithmIdentifiers.DIRECT))
        .setJweContentEncryptionAlgorithmConstraints(
                new AlgorithmConstraints(ConstraintType.WHITELIST,
                        ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256)) // this has to match the CAS configuration
        .build();
JwtContext context = maybeExpiredConsumer.process(decodedPayload); // <<<<< Exception thrown here: "Invalid JOSE Compact Serialization"
—— End Code

Invalid JWT:JWT processing failed. Additional details: [[17] Unable to process nested JOSE object (cause: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 14.): {"clientIpAddress":"127.0.0.1","sub":"t...@test2121.com","authenticationDate":1659977730,"successfulAuthenticationHandlers":"careerAuthenticationHandler","iss":"https:\/\/jason.crengland.com\/cas","userAgent":"PostmanRuntime\/7.29.2","credentialType":"UsernamePasswordCredential","aud":"https:\/\/jason.crengland.com\/cas","authenticationMethod":"careerAuthenticationHandler","geoLocation":"unknown","serverIpAddress":"127.0.0.1","exp":1660006530,"iat":1659977730,"jti":"TGT-2-xxxxxxxxx-CREJDR-MBP2022"}]

org.jose4j.jwt.consumer.InvalidJwtException: JWT processing failed. Additional details: [[17] Unable to process nested JOSE object (cause: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 14.): {"clientIpAddress":"127.0.0.1","sub":"t...@test2121.com","authenticationDate":1659977730,"successfulAuthenticationHandlers":"careerAuthenticationHandler","iss":"https:\/\/jason.crengland.com\/cas","userAgent":"PostmanRuntime\/7.29.2","credentialType":"UsernamePasswordCredential","aud":"https:\/\/jason.crengland.com\/cas","authenticationMethod":"careerAuthenticationHandler","geoLocation":"unknown","serverIpAddress":"127.0.0.1","exp":1660006530,"iat":1659977730,"jti":"TGT-2-xxxxxxxx-CREJDR-MBP2022"}]
    at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:406) ~[jose4j-0.7.12.jar:na]
    at com.crengland.web.security.service.JWTValidationServiceImpl.validate(JWTValidationServiceImpl.java:93) ~[classes/:na]
    at com.crengland.web.security.service.JWTValidationServiceImpl$$FastClassBySpringCGLIB$$c0ab6de1.invoke(<generated>) [classes/:na]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) [spring-core-5.3.2.jar:5.3.2]
    …...
    at java.lang.Thread.run(Thread.java:750) [na:1.8.0_332]
Caused by: org.jose4j.lang.JoseException: Invalid JOSE Compact Serialization. Expecting either 3 or 5 parts for JWS or JWE respectively but was 14.
    at org.jose4j.jwx.JsonWebStructure.fromCompactSerialization(JsonWebStructure.java:90) ~[jose4j-0.7.12.jar:na]
    at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:320) ~[jose4j-0.7.12.jar:na]
    ... 70 common frames omitted
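
Added example, not part of the original post and not jose4j code: splitting a claims set like the one in the error on "." gives 14 parts, so this sketch (Python, standard library only) classifies a decrypted payload by its shape instead of relying on the "cty" header alone. The helper names and sample values are assumptions; the claims are modelled on those in the error, with a placeholder "sub".

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as used for JOSE segments (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_payload(payload: str) -> str:
    """Return 'nested-jws', 'nested-jwe', 'json-claims' or 'unknown'."""
    parts = payload.split(".")
    if len(parts) in (3, 5):
        try:
            header = json.loads(b64url_decode(parts[0]))
            if isinstance(header, dict) and "alg" in header:
                return "nested-jws" if len(parts) == 3 else "nested-jwe"
        except ValueError:
            pass  # first segment is not a base64url-encoded JSON header
    try:
        if isinstance(json.loads(payload), dict):
            return "json-claims"
    except ValueError:
        pass  # not a JSON document either
    return "unknown"


# Constructed sample modelled on the claims in the error message; "sub" is a
# placeholder because the address in the post is elided.
SAMPLE_CLAIMS = json.dumps({
    "clientIpAddress": "127.0.0.1",
    "sub": "user@example.com",
    "iss": "https://jason.crengland.com/cas",
    "userAgent": "PostmanRuntime/7.29.2",
    "aud": "https://jason.crengland.com/cas",
    "serverIpAddress": "127.0.0.1",
    "exp": 1660006530,
})
# Constructed three-part token: correct shape only, the signature is a dummy.
SAMPLE_NESTED = ".".join(
    b64url_encode(p) for p in (b'{"alg":"HS256"}', SAMPLE_CLAIMS.encode(), b"sig")
)

if __name__ == "__main__":
    for name, value in (("claims", SAMPLE_CLAIMS), ("nested", SAMPLE_NESTED)):
        print(name, len(value.split(".")), classify_payload(value))
```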