
Token Exchange and Elliptic Curve public key #8817

Closed
apoddany opened this issue Jan 9, 2023 · 5 comments

Comments


apoddany commented Jan 9, 2023

When implementing a token exchange on an application in Gravitee AM, the public key used to sign the token is an Elliptic Curve one, but in the configuration only ssh-rsa and ssh-dsa keys are accepted.


Eric commented: Needs to be tested using RSA & EC certificates.

  • for RSA certificate, you can use the default one generated by the domain
  • for EC, here are the commands to generate one:

```shell
# Generate a P-256 (prime256v1) private key
openssl ecparam -name prime256v1 -genkey -noout -out ec-prime256v1-key.pem
# Issue a self-signed certificate for that key, valid for 30 days
openssl req -new -x509 -key ec-prime256v1-key.pem -out certificate.pem -days 30 -subj "/C=FR/ST=Nord/L=Lille/O=MyOrganization/CN=CommonName"
# Bundle key and certificate into a PKCS#12 keystore under the alias am-server
cat ec-prime256v1-key.pem certificate.pem > certificate-private.pem
openssl pkcs12 -export -inkey ec-prime256v1-key.pem -in certificate-private.pem -out certificate-private.p12 -name am-server
```

How to test:

  1. Create an ExtensionGrant plugin.

  2. In the plugin settings, copy the value of the public certificate used by the app (if the certificate uses RSA, the value must be prefixed by 'ssh-rsa '; if it is Elliptic Curve, the value must be prefixed by 'ecdsa ').

  3. Enable this Grant extension on the application.

  4. Initiate the login flow and get an access_token for a user.

  5. Use this access_token to generate a new one:

```shell
curl -X POST \
  http://localhost:8092/domain/oauth/token \
  -H 'Authorization: Basic PUT_HERE_BASE64(clientid:clientsecret)' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=PUT_HERE_YOUR_ACCESS_TOKEN'
```

You should get a new access_token with the same claims as the one received at step 4 (except for the claims jti, iat, exp).
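As an added example (not code from this issue or from Gravitee AM): a stdlib-only Python checker for the value pasted into the Extension Grant setting. It assumes that the text after the 'ssh-rsa ' / 'ecdsa ' prefix is the base64 OpenSSH public-key blob (the same encoding as a line in an authorized_keys file, which is what `ssh-keygen -i -m PKCS8 -f pubkey.pem` prints for a PEM public key); it decodes the blob, checks that the prefix matches the key type embedded in it, and for P-256 verifies that the public point actually lies on the curve, so a wrong or mangled key is rejected with a reason at configuration time rather than surfacing as the 500 Internal Server Error reported later in this issue. The sample keys are constructed inline: the EC sample uses the P-256 generator as the public point (the public key of private scalar 1, test data only) and the RSA sample uses a 2048-bit placeholder number, not a real modulus. The accepted prefix set and the 2048-bit minimum are assumptions, not Gravitee's rules.

```python
import base64
import struct

# NIST P-256 domain parameters (FIPS 186-4), used to reject public points
# that are not on the curve before a key is accepted.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# Assumption: 'ssh-rsa ' and 'ecdsa ' prefixes as described in the comment above;
# the full OpenSSH type name is tolerated too because ssh-keygen emits it.
EC_PREFIXES = {"ecdsa", "ecdsa-sha2-nistp256"}
RSA_PREFIXES = {"ssh-rsa"}


class PublicKeyError(ValueError):
    """A configured public key that must be rejected, with a reason."""


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH 'mpint' (leading 0x00 if high bit set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    if off + 4 > len(blob):
        raise PublicKeyError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise PublicKeyError("truncated key blob")
    return blob[off + 4:end], end


def openssh_rsa_line(n: int, e: int, prefix: str = "ssh-rsa") -> str:
    """Build the '<prefix> <base64>' setting line for an RSA public key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return prefix + " " + base64.b64encode(blob).decode("ascii")


def openssh_ec_line(x: int, y: int, prefix: str = "ecdsa") -> str:
    """Build the '<prefix> <base64>' setting line for a P-256 public key."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    blob = _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(point)
    return prefix + " " + base64.b64encode(blob).decode("ascii")


def parse_configured_key(setting: str) -> dict:
    """Parse and validate a setting line; raise PublicKeyError on any problem."""
    parts = setting.split()
    if len(parts) < 2:
        raise PublicKeyError("expected '<prefix> <base64 blob>'")
    prefix, b64 = parts[0], parts[1]
    if prefix not in EC_PREFIXES | RSA_PREFIXES:
        raise PublicKeyError(f"unsupported key prefix {prefix!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise PublicKeyError("key blob is not valid base64") from exc
    raw_type, off = _read_string(blob, 0)
    key_type = raw_type.decode("ascii", errors="replace")
    if key_type == "ssh-rsa":
        if prefix not in RSA_PREFIXES:
            raise PublicKeyError(f"prefix {prefix!r} but blob holds an RSA key")
        e_raw, off = _read_string(blob, off)
        n_raw, off = _read_string(blob, off)
        if off != len(blob):
            raise PublicKeyError("trailing bytes after RSA key")
        n = int.from_bytes(n_raw, "big")
        if n.bit_length() < 2048:  # assumed minimum size
            raise PublicKeyError(f"RSA modulus is only {n.bit_length()} bits")
        return {"kty": "RSA", "alg": "RS256", "n": n,
                "e": int.from_bytes(e_raw, "big"), "bits": n.bit_length()}
    if key_type == "ecdsa-sha2-nistp256":
        if prefix not in EC_PREFIXES:
            raise PublicKeyError(f"prefix {prefix!r} but blob holds an EC key")
        curve, off = _read_string(blob, off)
        point, off = _read_string(blob, off)
        if curve != b"nistp256" or off != len(blob):
            raise PublicKeyError("unexpected curve name or trailing bytes")
        if len(point) != 65 or point[0] != 0x04:
            raise PublicKeyError("expected a 65-byte uncompressed P-256 point")
        x, y = int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")
        # y^2 = x^3 - 3x + b (mod p) must hold, otherwise the key is garbage
        if x >= P256_P or y >= P256_P or (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P:
            raise PublicKeyError("public point is not on P-256")
        return {"kty": "EC", "alg": "ES256", "crv": "P-256", "x": x, "y": y}
    raise PublicKeyError(f"unsupported key type in blob: {key_type!r}")


def check_setting(setting: str) -> str:
    """One-line verdict an admin UI could show instead of a bare 500 later on."""
    try:
        key = parse_configured_key(setting)
    except PublicKeyError as exc:
        return f"REJECT: {exc}"
    if key["kty"] == "RSA":
        return f"OK: RSA {key['bits']}-bit key, verify assertions with {key['alg']}"
    return f"OK: EC {key['crv']} key, verify assertions with {key['alg']}"


# Constructed samples: the EC point is the P-256 generator (private scalar 1,
# test data only); the RSA modulus is a 2048-bit placeholder, not a real key.
SAMPLE_EC_SETTING = openssh_ec_line(P256_GX, P256_GY)
SAMPLE_RSA_SETTING = openssh_rsa_line((1 << 2047) | 1, 65537)

if __name__ == "__main__":
    for s in (SAMPLE_EC_SETTING, SAMPLE_RSA_SETTING,
              openssh_ec_line(P256_GX, P256_GY, prefix="ssh-rsa"),  # wrong prefix
              openssh_ec_line(P256_GX, P256_GY + 1)):               # off-curve point
        print(check_setting(s))
```

The two deliberate failure inputs at the end mirror the case raised further down in this issue: a key that decodes but does not match what the assertion was signed with should produce a specific rejection, not an unexplained 500 at the second oauth/token call. For a real certificate, the line to paste can be produced with `openssl x509 -in certificate.pem -pubkey -noout > pub.pem` followed by `ssh-keygen -i -m PKCS8 -f pub.pem`, replacing the leading type name with the prefix the plugin expects.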

ashraf706 pushed a commit to gravitee-io/gravitee-access-management that referenced this issue Jan 20, 2023

Sagar Chauhan commented: CC [~accountid:62b02ba1a58208122d9f6329]
Hi [~accountid:624eebd3f6a269006961b268]

Given an incorrect public key is defined in the Extension Grant, if a user authenticates using the app1 access_token in the second oauth/token call, then the user is presented with Status 500 Internal Server Error without any specific error.
Can you please confirm how you would like to move forward with this and if we should be displaying another status code with a specific error message?



Ashraful Hasan commented: [~accountid:634e874659c794184bc7f1e7], I think we can create a bug to fix it in a future release [not this week's scheduled release]. This is a blocking feature for the customer and it is very unlikely that someone will provide a wrong public key. [~accountid:624eebd3f6a269006961b268] may have another view.


Sagar Chauhan commented: [~accountid:62b02ba1a58208122d9f6329] I agree with you. I will create a bug. Thank you.


Sagar Chauhan commented: Environment: 3.18.x
Version: 3.18.15

Testing complete.
1 bug has been raised - will be fixed in a future release - https://gravitee.atlassian.net/browse/AM-406
