
When using client secret for signature in OAuth2/OIDC authentication module, it is necessary to set client secret in two fields #49

Closed
tsujiguchitky opened this issue Apr 10, 2019 · 1 comment

@tsujiguchitky
Contributor

Description

When creating an OAuth2/OIDC authentication module, if you select client_secret as OpenID Connect validation configuration type, you need to add the client secret in clear text in the field OpenID Connect validation configuration value.

The help text for OpenID Connect validation configuration value is as follows:

NB If client_secret entered, entry is ignored and the value of the Client Secret is used.

That seems like the correct way to do it. But the observed behaviour when leaving the field empty or with another value than the client secret is that validation of the token fails.

Steps to reproduce

  1. Configure the OAuth2/OIDC authentication module.
    • Configure the module according to Authorization Server.
    • Select client_secret as OpenID Connect validation configuration type.
    • Leave OpenID Connect validation configuration value empty.
  2. Access OAuth2/OpenID Connect authentication and authenticate on Authorization Server.

Expected Results

OAuth2/OIDC authentication is successful and the user profile screen is displayed.

Actual Results

JWT validation fails. As a result, authentication fails.

Debug Log

If OpenID Connect validation configuration value is empty

amLoginModule:04/09/2019 06:14:15:484 PM JST: Thread[http-bio-8080-exec-7,5,main]: TransactionId[8472e1f1-c604-42f3-bb3d-b12ef044b075-74]
WARNING: Cannot validate JWT
java.lang.NullPointerException
        at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:936)
        at org.forgerock.openam.authentication.modules.oidc.OpenIdResolverCacheImpl.getResolverForIssuer(OpenIdResolverCacheImpl.java:66)
        at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:78)
        at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:298)
        at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1056)
        at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1224)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:217)
        at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:125)
        at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:566)
        at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:617)
        at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:115)
        at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:173)
        at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:262)
        at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:167)
        at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:114)
        at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:145)

If OpenID Connect validation configuration value is invalid

amAuth:04/09/2019 06:18:40:473 PM JST: Thread[http-bio-8080-exec-3,5,main]: TransactionId[8472e1f1-c604-42f3-bb3d-b12ef044b075-459]
WARNING: Verification of ID Token failed: org.forgerock.jaspi.modules.openid.exceptions.InvalidSignatureException: JWS signature not signed with supplied key
amLoginModule:04/09/2019 06:18:40:473 PM JST: Thread[http-bio-8080-exec-3,5,main]: TransactionId[8472e1f1-c604-42f3-bb3d-b12ef044b075-459]
WARNING: Cannot validate JWT
com.sun.identity.authentication.spi.AuthLoginException: Verification of the ID Token failed.
        at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:123)
        at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:298)
        at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1056)
        at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1224)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:217)
        at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:125)
        at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:566)
        at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:617)
        at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:115)
        at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:173)
        at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:262)
        at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:167)
        at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:114)
        at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:145)

References

[OPENAM-9760] "OpenID Connect validation configuration value" should not be used with client_secret
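The behaviour the help text describes, written out as an added example (not OpenAM's own code): for validation type client_secret the key used to check the ID token's JWS signature is the Client Secret, the validation value is ignored whether empty or not, and a missing secret is reported explicitly instead of surfacing as a NullPointerException. The secret and claims are constructed sample values; the function and parameter names are assumptions for this demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret for the demo (not a value from the issue).
CLIENT_SECRET = "example-client-secret-constructed"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def resolve_validation_key(config_type, config_value, client_secret) -> bytes:
    """Documented rule: for type client_secret, the Client Secret is the key
    and the validation value is ignored, whether empty or not.
    A missing secret is an explicit error, not a NullPointerException."""
    if config_type == "client_secret":
        if not client_secret:
            raise ValueError("Client Secret is not configured")
        return client_secret.encode("utf-8")
    if not config_value:
        raise ValueError(f"validation value required for type {config_type}")
    return config_value.encode("utf-8")

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWS the way an Authorization Server would (demo only)."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims if the JWS signature matches the key; raise otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg confusion such as "none"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWS signature not signed with supplied key")
    return json.loads(b64url_decode(payload_b64))

def validate_id_token(token: str, config_type: str, config_value: str) -> dict:
    """The module-side check: pick the key per the configured type, then verify."""
    key = resolve_validation_key(config_type, config_value, CLIENT_SECRET)
    return verify_hs256(token, key)
```

With this rule an empty or stale validation value no longer matters, and the only way verification fails is a token that was genuinely not signed with the Client Secret.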

@tsujiguchitky tsujiguchitky added this to the OpenAM 14.0.0 milestone May 31, 2019
@tsujiguchitky tsujiguchitky self-assigned this Jul 30, 2019
@tsujiguchitky
Contributor Author

This issue has been fixed in #181.
