Hi Nick,

I am testing with self-signed certificates in an internal network, with IP addresses only. 
Compared with updating the SAN in the server certificate, which is extra work, skipping 
the certificate validation is preferred. Of course, it is for testing use only.

I followed Ryan’s guide to skip signature verification, and it works for me.

Thanks,
Yang

> On Jul 23, 2019, at 23:36, Nick Couchman <[email protected]> wrote:
> 
> On Tue, Jul 23, 2019 at 9:13 AM Yang Yang <[email protected]> wrote:
> Hello,
> 
> I’m testing OpenID Connect Authentication with https on, and got the problem 
> below. Could you help to tell how to disable ssl certificate verification? Is 
> there a “ssl_verify” flag that I can turn off?
> 
> 17:11:56.117 [http-nio-8080-exec-2] DEBUG org.jose4j.http.Get - HTTP GET of 
> https://119.3.69.8:8443/auth/realms/Supra/protocol/openid-connect/certs
> 17:11:56.125 [http-nio-8080-exec-2] INFO  o.a.g.a.o.t.TokenValidationService 
> - Rejected invalid OpenID token: Unable to process JOSE object (cause: 
> org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable 
> verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : 
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected exception 
> (javax.net.ssl.SSLHandshakeException: 
> java.security.cert.CertificateException: No subject alternative names 
> present) while obtaining or using keys from JWKS endpoint at 
> https://MY-OIDC-SERVER-URI/openid-connect/certs): 
> JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : 
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci...34IfpdFF8g
> 17:11:56.128 [http-nio-8080-exec-2] DEBUG o.a.g.a.o.t.TokenValidationService 
> - Invalid JWT received.
> org.jose4j.jwt.consumer.InvalidJwtException: Unable to process JOSE object 
> (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable 
> verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : 
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"} due to an unexpected exception 
> (javax.net.ssl.SSLHandshakeException: 
> java.security.cert.CertificateException: No subject alternative names 
> present) while obtaining or using keys from JWKS endpoint at 
> https://MY-OIDC-SERVER-URI/openid-connect/certs): 
> JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : 
> "4SUxbbXKnge_r1h1jgjQOUYQk7yg_bHnqBIZTFSPbxY"}->eyJhbGci…34IfpdFF8g
> 
> 
> No, there is no such flag to disable verification, and I doubt you would want 
> it.  The error you're getting isn't because the certificate isn't trusted, 
> it's because it doesn't have all of the information expected - namely, 
> Subject Alternative Names.
> 
> You can make sure that your OIDC server certificate is added to the Java 
> cacerts keystore, and see if that helps, but I suspect that you need to 
> resolve the issue with the response missing the SAN attribute.
> 
> -Nick

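Why the subject CN does not help once the JWKS URL is a bare IP address, as an added example that is not code from this thread, from Guacamole or from jose4j: the block below is a simplified Python model of the hostname check that Java's TLS stack applies to a server certificate (sun.security.util.HostnameChecker), run over constructed certificate descriptions. An IP literal is compared only against iPAddress subjectAltName entries, with no fallback to the CN, and a certificate with no SAN extension at all is rejected with the same "No subject alternative names present" message seen in Yang's log; a host name is compared against dNSName entries and falls back to the CN only when the certificate carries no dNSName entry. The certificate contents, the host name oidc.internal and the helper names are assumptions for illustration; the IP address is the one from the log.

```python
"""Simplified model of Java's TLS hostname check (HostnameChecker).

Added example, not Guacamole or jose4j code.  The "certificates" are
constructed dicts standing in for X509Certificate: "cn" is the subject
CN and "san" is the subjectAltName list, or None when the extension is
absent (mirroring getSubjectAlternativeNames() returning null).
"""

import ipaddress

# GeneralName tags used in subjectAltName (RFC 5280, section 4.2.1.6).
DNS_NAME = 2
IP_ADDRESS = 7


class CertificateException(Exception):
    """Stand-in for java.security.cert.CertificateException."""


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(expected, pattern):
    """Case-insensitive DNS match allowing one left-most wildcard label."""
    expected = expected.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, tail = expected.partition(".")
        return bool(sep) and head != "" and "." + tail == pattern[1:]
    return expected == pattern


def match_host(host, cert):
    """Raise CertificateException unless `cert` is valid for `host`."""
    sans = cert.get("san")
    if _is_ip_literal(host):
        # IP literals: only iPAddress SAN entries count, no CN fallback.
        if sans is None:
            raise CertificateException("No subject alternative names present")
        expected = ipaddress.ip_address(host)
        for tag, value in sans:
            if tag == IP_ADDRESS and ipaddress.ip_address(value) == expected:
                return True
        raise CertificateException(
            "No subject alternative names matching IP address %s found" % host)

    # Host names: dNSName entries win; the CN is consulted only when the
    # certificate has no dNSName entry at all.
    if sans is not None:
        found_dns = False
        for tag, value in sans:
            if tag == DNS_NAME:
                found_dns = True
                if _dns_match(host, value):
                    return True
        if found_dns:
            raise CertificateException(
                "No subject alternative DNS name matching %s found." % host)
    cn = cert.get("cn")
    if cn is not None and _dns_match(host, cn):
        return True
    raise CertificateException("No name matching %s found" % host)


def check(host, cert):
    """Return (ok, message) instead of raising, for tabulating results."""
    try:
        match_host(host, cert)
        return True, "ok"
    except CertificateException as exc:
        return False, str(exc)


# Constructed certificates (assumed; the thread never shows the real one).
NO_SAN = {"cn": "119.3.69.8", "san": None}                      # CN only
IP_SAN = {"cn": "119.3.69.8", "san": [(IP_ADDRESS, "119.3.69.8")]}
DNS_ONLY = {"cn": "oidc.internal", "san": [(DNS_NAME, "oidc.internal")]}

if __name__ == "__main__":
    cases = [("119.3.69.8", NO_SAN), ("119.3.69.8", IP_SAN),
             ("119.3.69.8", DNS_ONLY), ("oidc.internal", NO_SAN),
             ("oidc.internal", DNS_ONLY)]
    for host, cert in cases:
        print("%-14s %-60s %s" % (host, cert, check(host, cert)))
```

The CN-only certificate passes for no host at all in the IP case, which is why importing it into cacerts alone would not have cleared the error in the log: trust and name matching are separate checks. For a test setup like Yang's, the change that keeps verification on is to reissue the self-signed certificate with an IP SAN, for example with OpenSSL 1.1.1 or later: openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=119.3.69.8" -addext "subjectAltName=IP:119.3.69.8", and then import cert.pem into the truststore the Guacamole JVM actually uses (keytool -importcert -trustcacerts -alias oidc-test -file cert.pem -cacerts on Java 9 or later, or -keystore pointing at that JVM's lib/security/cacerts on older releases). The alias and file names here are assumptions.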