On Tue, Jul 23, 2019 at 9:13 AM Yang Yang <[email protected]> wrote:

> Hello,
>
> I’m testing OpenID Connect Authentication with https on, and got the
> problem below. Could you help to tell how to disable ssl certificate
> verification? Is there a “ssl_verify” flag that I can turn off?
>
> 17:11:56.117 [http-nio-8080-exec-2] DEBUG org.jose4j.http.Get - HTTP GET
> of https://119.3.69.8:8443/auth/realms/Supra/protocol/openid-connect/certs
> 17:11:56.125 [http-nio-8080-exec-2] INFO
>  o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable
> to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException:
> Unable to find a suitable verification key for JWS w/ header
> {"alg":"RS256","typ" : "JWT","kid" :
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected
> exception (javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: No subject alternative names
> present) while obtaining or using keys from JWKS endpoint at
> https://MY-OIDC-SERVER-URI/openid-connect/certs):
> JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" :
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci...34IfpdFF8g
> 17:11:56.128 [http-nio-8080-exec-2] DEBUG
> o.a.g.a.o.t.TokenValidationService - Invalid JWT received.
> org.jose4j.jwt.consumer.InvalidJwtException: Unable to process JOSE object
> (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable
> verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" :
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected
> exception (javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: No subject alternative names
> present) while obtaining or using keys from JWKS endpoint at
> https://MY-OIDC-SERVER-URI/openid-connect/certs):
> JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" :
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci…34IfpdFF8g
>
>
No, there is no such flag to disable verification, and I doubt you would
want it.  The error you're getting isn't because the certificate isn't
trusted, it's because it doesn't have all of the information expected -
namely, Subject Alternative Names.

You can make sure that your OID server certificate is added to the Java
cacerts keystore, and see if that helps, but I suspect that you need to
resolve the issue with the response missing the SAN attribute.

-Nick

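Nick's point is that trust and hostname matching are separate checks: a certificate can be trusted and still be rejected because it carries no Subject Alternative Name for the host being connected to, which is exactly what happens when the JWKS URL is an IP literal. The following is an added example, not code from this thread, Guacamole or jose4j: it uses Go's crypto/x509, which applies the same SAN-only hostname rule Java applies here, to show that a self-signed certificate for the constructed host 119.3.69.8 fails hostname verification without an IP SAN and passes once one is added. The helper names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a self-signed server certificate for the constructed host
// 119.3.69.8 (CN only); withSAN controls whether an IP SAN entry is added.
func makeCert(withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "119.3.69.8"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.IPAddresses = []net.IP{net.ParseIP("119.3.69.8")} // the fix: SAN iPAddress
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameOK reports whether the generated certificate passes SAN-based
// hostname verification for host; the CN is ignored, as Java does too.
func HostnameOK(withSAN bool, host string) (bool, error) {
	cert, err := makeCert(withSAN)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	for _, san := range []bool{false, true} {
		ok, err := HostnameOK(san, "119.3.69.8")
		fmt.Printf("SAN present=%v -> accepted=%v (err=%v)\n", san, ok, err)
	}
}
```

The same check can be run against a real endpoint's certificate by replacing makeCert with a parsed copy of the server's leaf certificate; a missing SAN there means reissuing the certificate, not disabling verification.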