### Description

When creating an OAuth2/OIDC authentication module, if you select client_secret as OpenID Connect validation configuration type, you need to add the client secret in clear text in the field OpenID Connect validation configuration value.

The help text for OpenID Connect validation configuration value is as follows:

> NB If client_secret entered, entry is ignored and the value of the Client Secret is used.

That seems like the correct way to do it. But the observed behaviour, when leaving the field empty or entering a value other than the client secret, is that validation of the token fails.
### Steps to reproduce

1. Configure the OAuth2/OIDC authentication module.
2. Configure the module according to the Authorization Server.
3. Select client_secret as OpenID Connect validation configuration type.
4. Leave OpenID Connect validation configuration value empty.
5. Access OAuth2/OpenID Connect authentication and authenticate on the Authorization Server.
### Expected Results

OAuth2/OIDC authentication is successful and the user profile screen is displayed.

### Actual Results

JWT validation fails. As a result, authentication fails.
### Debug Log

If OpenID Connect validation configuration value is empty:

```
amLoginModule:04/09/2019 06:14:15:484 PM JST: Thread[http-bio-8080-exec-7,5,main]: TransactionId[8472e1f1-c604-42f3-bb3d-b12ef044b075-74]
WARNING: Cannot validate JWT
java.lang.NullPointerException
	at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:936)
	at org.forgerock.openam.authentication.modules.oidc.OpenIdResolverCacheImpl.getResolverForIssuer(OpenIdResolverCacheImpl.java:66)
	at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:78)
	at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:298)
	at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1056)
	at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1224)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:217)
	at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:125)
	at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:566)
	at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:617)
	at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:115)
	at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:173)
	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:262)
	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:167)
	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:114)
	at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:145)
```

If OpenID Connect validation configuration value is invalid:

```
amAuth:04/09/2019 06:18:40:473 PM JST: Thread[http-bio-8080-exec-3,5,main]: TransactionId[8472e1f1-c604-42f3-bb3d-b12ef044b075-459]
WARNING: Verification of ID Token failed: org.forgerock.jaspi.modules.openid.exceptions.InvalidSignatureException: JWS signature not signed with supplied key
amLoginModule:04/09/2019 06:18:40:473 PM JST: Thread[http-bio-8080-exec-3,5,main]: TransactionId[8472e1f1-c604-42f3-bb3d-b12ef044b075-459]
WARNING: Cannot validate JWT
com.sun.identity.authentication.spi.AuthLoginException: Verification of the ID Token failed.
	at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:123)
	at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:298)
	at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1056)
	at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1224)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:217)
	at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:125)
	at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:566)
	at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:617)
	at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:115)
	at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:173)
	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:262)
	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:167)
	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:114)
	at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:145)
```
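To make the two failure modes in the logs concrete, the following is an added Python model of the key-selection rule (editor's example; it is not OpenAM code and not part of the issue). It mints an HS256-signed ID token with a client secret, then validates it two ways: following the help text (for type client_secret the configuration value is ignored and the Client Secret is the HMAC key) and following the reported behaviour (the configuration value is used as the key regardless of type). The client secret, claims and function names are constructed for this example; the mapping of "empty value" to the no-key path and "wrong value" to the signature failure is taken from the two logs above.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample values for this example (not taken from the issue).
CLIENT_SECRET = "constructed-client-secret-do-not-reuse"
SAMPLE_CLAIMS = {"iss": "https://as.example.test", "sub": "alice", "aud": "example-client"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_id_token(claims: dict, client_secret: str) -> str:
    """Stand-in for the Authorization Server: an ID token signed with HS256,
    where the HMAC key is the client secret (the case the issue is about)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(client_secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_hs256(token: str, key: str) -> dict:
    """Check the JWS signature with the supplied key; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: a validator that trusts the token's own "alg" value can be
    # steered away from the HMAC check, so only HS256 is accepted here.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("JWS signature not signed with supplied key")
    return json.loads(_b64url_decode(payload_b64))


def validate_id_token(token: str, validation_type: str, validation_value: Optional[str],
                      client_secret: str, follow_help_text: bool = True) -> Tuple[str, Optional[dict]]:
    """Returns (status, claims) with status "ok", "no-key" or "bad-signature".

    follow_help_text=True implements the rule the help text states: for type
    client_secret the configuration value is ignored and the Client Secret is the key.
    follow_help_text=False models the reported behaviour: the configuration value
    is used as the key whatever the type is.
    """
    if follow_help_text and validation_type == "client_secret":
        key = client_secret
    else:
        key = validation_value
    if not key:
        # Empty field -> no key at all (the first log above ends in an NPE on this path).
        return "no-key", None
    try:
        return "ok", verify_hs256(token, key)
    except ValueError:
        # Wrong key -> the second log: "JWS signature not signed with supplied key".
        return "bad-signature", None


def demo() -> dict:
    """Run the scenarios from the issue plus a modified-token check; returns status per scenario."""
    token = mint_hs256_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)
    # Change the payload after signing so the signature no longer covers it.
    h, _p, s = token.split(".")
    modified = ".".join([h, _b64url(json.dumps({**SAMPLE_CLAIMS, "sub": "someone-else"}).encode()), s])
    return {
        "help_text_rule_empty_value": validate_id_token(token, "client_secret", "", CLIENT_SECRET)[0],
        "help_text_rule_other_value": validate_id_token(token, "client_secret", "unrelated", CLIENT_SECRET)[0],
        "observed_empty_value": validate_id_token(token, "client_secret", "", CLIENT_SECRET, follow_help_text=False)[0],
        "observed_other_value": validate_id_token(token, "client_secret", "unrelated", CLIENT_SECRET, follow_help_text=False)[0],
        "observed_secret_pasted_in_value": validate_id_token(token, "client_secret", CLIENT_SECRET, CLIENT_SECRET, follow_help_text=False)[0],
        "modified_token": validate_id_token(modified, "client_secret", "", CLIENT_SECRET)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Under the help-text rule both "empty" and "other value" succeed, while the observed rule only succeeds when the secret is pasted into the configuration value, which is exactly the workaround the issue describes as the current requirement. The modified-token case shows the validator still rejects a token whose body no longer matches its signature under the correct rule.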
### References

[OPENAM-9760] "OpenID Connect validation configuration value" should not be used with client_secret