Greetings, I was doing a prototype of using CAS 7.1.2 to act as a provider
for the Oauth Token Exchange flow. In my prototype I had established a
service with the client_credentials flow so that I could easily retrieve an
access token to use for the subject_token.
In my first attempt I had provided a JWT token with a subject_token_type
of urn:ietf:params:oauth:token-type:jwt and I received an error stating
that it was an invalid ticket like so:
2024-12-27 16:06:59,279 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <INVALID_TICKET
    AbstractTicketRegistry.java:getTicket:121
    DirectMethodHandleAccessor.java:invoke:103
    Method.java:invoke:580
    AopUtils.java:invokeJoinpointUsingReflection:355
I then changed my subject token to an opaque token and was able to get the
exchange to work.
The next thing I tried was to supply the subject_token_type
of urn:ietf:params:oauth:token-type:jwt and provide a jwt token as the
subject_token. This time I bypassed the above error and encountered an
issue where the CAS Token validator was expecting the "nbf" claim to be on
the JWT. I looked through the code and documentation and could not find any
ways to add the "nbf" claim into the JWT token. All of the JWT tokens I had
were generated from CAS using the client_credentials grant.
2024-12-27 13:33:52,652 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <JWT missing required claims: [nbf]>
com.nimbusds.jwt.proc.BadJWTException: JWT missing required claims: [nbf]
    at com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier.verify(DefaultJWTClaimsVerifier.java:311)
    at org.apereo.cas.support.oauth.validator.token.OAuth20TokenExchangeGrantTypeTokenRequestValidator.extractRegisteredService(OAuth20TokenExchangeGrantTypeTokenRequestValidator.java:87)
    at org.apereo.cas.support.oauth.validator.token.OAuth20TokenExchangeGrantTypeTokenRequestValidator.validateInternal(OAuth20TokenExchangeGrantTypeTokenRequestValidator.java:53)
    at org.apereo.cas.support.oauth.validator.token.BaseOAuth20TokenRequestValidator.validate(BaseOAuth20TokenRequestValidator.java:72)
    at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.verifyAccessTokenRequest(OAuth20AccessTokenEndpointController.java:217)
    at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.handleRequest(OAuth20AccessTokenEndpointController.java:100)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
From this I am ultimately trying to understand if CAS can be configured to
support the token exchange grant when using JWT access tokens as the
subject_token.
Let me know if I can provide any additional information.
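An added example (not CAS or Nimbus code, and not part of the original post) that reproduces the check the trace above reports: it builds the token-exchange request body described in the post and applies a required-claims check to a JWT payload, so a subject_token without "nbf" fails with the same message while one carrying "nbf" passes. The JWT is a constructed, unsigned test token and the helper names are assumed for illustration only.

```python
import base64
import json
import time
from typing import Optional
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_jwt(claims: dict) -> str:
    """Constructed test JWT (alg=none, empty signature); only the payload matters here."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload segment (no signature check; a real server verifies first)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_required_claims(claims: dict, required=("nbf",), now=None) -> Optional[str]:
    """Mimic a required-claims verifier: return an error string, or None when valid."""
    missing = [c for c in required if c not in claims]
    if missing:
        return "JWT missing required claims: [" + ", ".join(missing) + "]"
    now = time.time() if now is None else now
    if claims["nbf"] > now:
        return "JWT before use time"
    if "exp" in claims and claims["exp"] <= now:
        return "Expired JWT"
    return None


def token_exchange_body(subject_token: str) -> str:
    """Form body for the token exchange grant with a JWT subject_token."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": JWT_TOKEN_TYPE,
    })
```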