add certificate for Cura Aalborg Udd environment #36

Closed

aonsystematic

add test certificate for Cura Aalborg Udd environment

@nigtrifork (Collaborator)

Hi @aonsystematic

This is a request for an additional client for the test environment, correct?

We are experiencing some issues with our deployment pipeline, but we will add this as soon as possible.

@nigtrifork nigtrifork self-assigned this May 11, 2022
@aonsystematic (Author)

Yes, this is so that Aalborg can test by themselves on one of their test environments.
The previous one I've uploaded was for testing during development.

@nigtrifork (Collaborator)

Sure, the client_id will be cura_aalborg_udd

I will let you know when it is available

@nigtrifork (Collaborator)

Client is now available on the test environment

@nigtrifork nigtrifork closed this May 12, 2022
@aonsystematic (Author)

When using this, we get an error code 400 with response {"error":"invalid_client","error_description":"Unable to load public key"} from the gateway Keycloak. Can you double check that it has been added to the environment and that there is no typo in the client id?

@nigtrifork (Collaborator)

@aonsystematic this is most likely caused by giving an invalid kid in the client JWT; when I calculate the kid for this public key I get -s-eGKNvqGfBPC8IoymCksjt5Sak1M-Sd-pl8dM9ptQ

@aonsystematic (Author) commented May 23, 2022

I just verified the request body, and the kid is the same as the one you have posted, so that is not the issue.
The request was sent at 14:00:05 on Friday 20/5. Perhaps you have logging that is more descriptive?

EDIT: turns out there was some mixing and matching of client_ids, which I just found. However, we now get an even less descriptive error:
{"error":"unknown_error"} with code 500
from a request at 10:02:04 today

@nigtrifork (Collaborator)

@aonsystematic I see "The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms." in the logs. This most likely has something to do with the Assertion from Kombit.

@aonsystematic (Author)

So is that an issue with our service agreement? It still works when we use our other client.

@nigtrifork (Collaborator)

That's hard to say. You can compare your assertion to this assertion (signature redacted), to see if something seems off:

<?xml version="1.0" encoding="UTF-8"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7df071e6-b49f-4a9f-a0a3-921cb90eec5e"
           IssueInstant="2022-05-23T08:06:15.361Z" Version="2.0">
    <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
        https://saml.adgangsstyring.eksterntest-stoettesystemerne.dk
    </Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_7df071e6-b49f-4a9f-a0a3-921cb90eec5e">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>PlAQFv5vFM/F07diWiGGr1OgJB/G2iaHYj3R8B1Xsgs=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>
            REDACTED
        </SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>
                    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
                </X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
            SERIALNUMBER=CVR:20921897-FID:16356883 + CN=klg_demo_anvendersystem (funktionscertifikat), O=TRIFORK A/S //
            CVR:20921897, C=DK
        </NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
            <SubjectConfirmationData xmlns:a="http://www.w3.org/2001/XMLSchema-instance"
                                     NotBefore="2022-05-23T08:06:15.361Z" NotOnOrAfter="2022-05-23T16:06:15.361Z"
                                     Recipient="http://ehealth.sundhed.dk/service/CareGateway/1"
                                     a:type="KeyInfoConfirmationDataType">
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <X509Data>
                        <X509Certificate>
                            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
                        </X509Certificate>
                    </X509Data>
                </KeyInfo>
            </SubjectConfirmationData>
        </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2022-05-23T08:06:15.361Z" NotOnOrAfter="2022-05-23T16:06:15.361Z">
        <AudienceRestriction>
            <Audience>http://ehealth.sundhed.dk/service/CareGateway/1</Audience>
        </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
        <Attribute Name="dk:gov:saml:attribute:CvrNumberIdentifier"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <AttributeValue>29189366</AttributeValue>
        </Attribute>
        <Attribute Name="dk:gov:saml:attribute:AssuranceLevel"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <AttributeValue>3</AttributeValue>
        </Attribute>
        <Attribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <AttributeValue>DK-SAML-2.0</AttributeValue>
        </Attribute>
        <Attribute Name="dk:gov:saml:attribute:KombitSpecVer"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <AttributeValue>1.0</AttributeValue>
        </Attribute>
        <Attribute Name="dk:gov:saml:attribute:Privileges_intermediate"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <AttributeValue>
                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
            </AttributeValue>
        </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2022-05-23T08:06:15.361Z">
        <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
        </AuthnContext>
    </AuthnStatement>
</Assertion>

@aonsystematic (Author)

I cannot find any notable differences from our assertion, maybe there is something you can see that I cannot?

<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cc63a2c7-86a2-4927-aa04-72f14e90dc3d" IssueInstant="2022-05-23T08:02:22.134Z" Version="2.0">
	<Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://saml.adgangsstyring.eksterntest-stoettesystemerne.dk</Issuer>
	<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
		<SignedInfo>
			<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
			<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
			<Reference URI="#_cc63a2c7-86a2-4927-aa04-72f14e90dc3d">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
				<DigestValue>fPRzcc/NMKNh3dPwTw++zcG18DZIeC+v684Eqz4hZLE=</DigestValue>
			</Reference>
		</SignedInfo>
		<SignatureValue>REDACTED</SignatureValue>
		<KeyInfo>
			<X509Data>
				<X509Certificate>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</X509Certificate>
			</X509Data>
		</KeyInfo>
	</Signature>
	<Subject>
		<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">SERIALNUMBER=CVR:78834412-FID:93554192 + CN=Columna Cura Aalborg Uddannelse (funktionscertifikat), O=SYSTEMATIC A/S // CVR:78834412, C=DK</NameID>
		<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
			<SubjectConfirmationData xmlns:a="http://www.w3.org/2001/XMLSchema-instance" NotBefore="2022-05-23T08:02:22.134Z" NotOnOrAfter="2022-05-23T16:02:22.134Z" Recipient="http://ehealth.sundhed.dk/service/CareGateway/1" a:type="KeyInfoConfirmationDataType">
				<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
					<X509Data>
						<X509Certificate>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</X509Certificate>
					</X509Data>
				</KeyInfo>
			</SubjectConfirmationData>
		</SubjectConfirmation>
	</Subject>
	<Conditions NotBefore="2022-05-23T08:02:22.134Z" NotOnOrAfter="2022-05-23T16:02:22.134Z">
		<AudienceRestriction>
			<Audience>http://ehealth.sundhed.dk/service/CareGateway/1</Audience>
		</AudienceRestriction>
	</Conditions>
	<AttributeStatement>
		<Attribute Name="dk:gov:saml:attribute:CvrNumberIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
			<AttributeValue>29189420</AttributeValue>
		</Attribute>
		<Attribute Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
			<AttributeValue>3</AttributeValue>
		</Attribute>
		<Attribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
			<AttributeValue>DK-SAML-2.0</AttributeValue>
		</Attribute>
		<Attribute Name="dk:gov:saml:attribute:KombitSpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
			<AttributeValue>1.0</AttributeValue>
		</Attribute>
		<Attribute Name="dk:gov:saml:attribute:Privileges_intermediate" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
			<AttributeValue>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</AttributeValue>
		</Attribute>
	</AttributeStatement>
	<AuthnStatement AuthnInstant="2022-05-23T08:02:22.134Z">
		<AuthnContext>
			<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
		</AuthnContext>
	</AuthnStatement>
</Assertion>
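
As an added example (not code from the thread or from the project), the following Python script does the comparison the participants were doing by eye, and runs the structural checks a verifier performs around the XML signature: that the Reference URI resolves to the Assertion's own ID and that the enveloped-signature transform is present (the class of problem the "input bytes to the digest operation are null" message points at), that the holder-of-key certificate in SubjectConfirmationData is the certificate registered for the client (a client mix-up would surface here), and that Recipient, Audience and both validity windows fit. fingerprint/diff_assertions flatten two assertions with the per-request values (IDs, timestamps, digest, signature, certificates) masked and report the remaining differences. It uses only the standard library and does not verify the signature value itself; the sample assertion is constructed after the ones posted above, with placeholder certificate, digest and signature values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
CARE_GATEWAY = "http://ehealth.sundhed.dk/service/CareGateway/1"

# Constructed sample modelled on the assertions in the thread. Certificate,
# digest and signature values are placeholders, not real key material.
SAMPLE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cc63a2c7-86a2-4927-aa04-72f14e90dc3d" IssueInstant="2022-05-23T08:02:22.134Z" Version="2.0">
 <Issuer>https://saml.adgangsstyring.eksterntest-stoettesystemerne.dk</Issuer>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <Reference URI="#_cc63a2c7-86a2-4927-aa04-72f14e90dc3d"><Transforms>
   <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
   <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <DigestValue>PLACEHOLDER_DIGEST</DigestValue></Reference></SignedInfo>
  <SignatureValue>PLACEHOLDER_SIGNATURE</SignatureValue>
  <KeyInfo><X509Data><X509Certificate>PLACEHOLDER_STS_CERT</X509Certificate></X509Data></KeyInfo>
 </Signature>
 <Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Columna Cura Aalborg Uddannelse (funktionscertifikat), O=SYSTEMATIC A/S, C=DK</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
   <SubjectConfirmationData NotBefore="2022-05-23T08:02:22.134Z" NotOnOrAfter="2022-05-23T16:02:22.134Z" Recipient="http://ehealth.sundhed.dk/service/CareGateway/1">
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>PLACEHOLDER_CLIENT_CERT</X509Certificate></X509Data></KeyInfo>
   </SubjectConfirmationData></SubjectConfirmation>
 </Subject>
 <Conditions NotBefore="2022-05-23T08:02:22.134Z" NotOnOrAfter="2022-05-23T16:02:22.134Z">
  <AudienceRestriction><Audience>http://ehealth.sundhed.dk/service/CareGateway/1</Audience></AudienceRestriction>
 </Conditions>
</Assertion>"""


def ts(value):
    """Parse the UTC timestamp format used in the posted assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def window_findings(el, now, label):
    """SAML semantics: NotBefore <= now < NotOnOrAfter."""
    out = []
    if el.get("NotBefore") and now < ts(el.get("NotBefore")):
        out.append(f"{label} not yet valid (NotBefore in the future)")
    if el.get("NotOnOrAfter") and now >= ts(el.get("NotOnOrAfter")):
        out.append(f"{label} expired (NotOnOrAfter reached)")
    return out


def check_assertion(xml_text, client_cert_b64, now, audience=CARE_GATEWAY, recipient=CARE_GATEWAY):
    """Structural checks performed around (not instead of) signature verification.
    Returns a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. The Reference must resolve to the Assertion's own ID and strip the enveloped
    #    Signature; otherwise there is nothing (or the wrong thing) to digest.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        findings.append("Signature has no Reference")
    else:
        if ref.get("URI") != "#" + root.get("ID", ""):
            findings.append(f"Reference URI {ref.get('URI')!r} does not resolve to Assertion ID {root.get('ID')!r}")
        transforms = {t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)}
        if ENVELOPED not in transforms:
            findings.append("enveloped-signature transform missing")
    # 2. Holder-of-key: the confirmation certificate must be the client's registered one.
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = None if sc is None else sc.find("saml:SubjectConfirmationData", NS)
    if sc is None or sc.get("Method") != HOLDER_OF_KEY or scd is None:
        findings.append("SubjectConfirmation is not holder-of-key")
    else:
        cert = scd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or "".join((cert.text or "").split()) != "".join(client_cert_b64.split()):
            findings.append("holder-of-key certificate is not the client's registered certificate")
        if scd.get("Recipient") != recipient:
            findings.append(f"Recipient {scd.get('Recipient')!r} != {recipient!r}")
        findings += window_findings(scd, now, "SubjectConfirmationData")
    # 3. Conditions: validity window and audience.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("Conditions missing")
    else:
        findings += window_findings(cond, now, "Conditions")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            findings.append(f"Audience {audiences} does not include {audience!r}")
    return findings


VOLATILE_ATTRS = {"ID", "URI", "IssueInstant", "AuthnInstant", "NotBefore", "NotOnOrAfter"}
VOLATILE_TEXT = {"DigestValue", "SignatureValue", "X509Certificate"}


def fingerprint(xml_text):
    """Flatten an assertion to 'path@attr=value' / 'path=text' lines with the
    per-request values masked, so two assertions can be compared for real differences."""
    lines = []

    def walk(el, path):
        tag = el.tag.split("}")[-1]
        path = f"{path}/{tag}"
        for k, v in el.attrib.items():
            k = k.split("}")[-1]
            lines.append(f"{path}@{k}={'*' if k in VOLATILE_ATTRS else v}")
        text = (el.text or "").strip()
        if text:
            lines.append(f"{path}={'*' if tag in VOLATILE_TEXT else text}")
        for child in el:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return sorted(lines)


def diff_assertions(a, b):
    """Lines only in a, lines only in b; both empty means no notable difference."""
    fa, fb = set(fingerprint(a)), set(fingerprint(b))
    return sorted(fa - fb), sorted(fb - fa)
```

To use it on a real pair, feed check_assertion the assertion text, the base64 body of the certificate registered for the client, and the current time, then diff_assertions the working client's assertion against the failing one; a difference that survives the masking is the one worth chasing.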

@nigtrifork (Collaborator)

@aonsystematic it also looks good to me. I would suggest going through each parameter in the token request to double check that everything is correct, that is:

  • client_id
  • client_assertion_type
  • client_assertion
  • grant_type
  • subject_issuer
  • subject_token_type
  • subject_token

@aonsystematic (Author) commented May 23, 2022

I'm unable to see any issues there either. Here it is:

  • client_id: cura_aalborg_udd
  • client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
  • client_assertion: eyJraWQiOiItcy1lR0tOdnFHZkJQQzhJb3ltQ2tzanQ1U2FrMU0tU2QtcGw4ZE05cHRRIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJjdXJhX2FhbGJvcmdfdWRkIiwiYXVkIjoiaHR0cHM6Ly9zYW1sLnRlc3QwMDEuZWhlYWx0aC5zdW5kaGVkLmRrL2F1dGgvcmVhbG1zL2VoZWFsdGgiLCJuYmYiOjE2NTMzMDQ5ODMsImlzcyI6ImN1cmFfYWFsYm9yZ191ZGQiLCJleHAiOjE2NTMzMDUyODMsImlhdCI6MTY1MzMwNDk4MywianRpIjoiNjE4MDUzY2QtZDVlNi00YzU1LWExM2EtNjJlODBjZTY2MzJkIn0.PkNsAZ93l5hQ_Y5i2KzOrWVdYDR8YGWQc5luE6GwJF1cv0mXZVvP6W0Wv4JKiJrn3BYTkaFtKdy6DY221qww0esSSBIZCvg352wiP_rltbcjKglUUGL-zL9trJuARsK_ow3DJbGX3P7BkXyCEqs-EMliTv2m1Mvv5fejfoS76KPpGkPmj_Q4eiVWjOs6AxYDOaIfGozrksFU4AM_JlkNVgu8eRWcMhdYEUb4xmL2XiH4dog8yegFMMMUrh7MniimCxSW90-XcINGDkDTEFrEW72ue4b_zWc1wJutxZOjFjJrjcfGf52zpsJ0ltRQtZ_gqfxsQG6X_V4Wy6qxK_1G8g
  • subject_issuer: kombit-sts
  • subject_token_type: urn:ietf:params:oauth:token-type:saml2
  • subject_token: base64 url encoded string from previous post
  • grant_type: urn:ietf:params:oauth:grant-type:token-exchange

EDIT: I looked into the "The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms." message; it seems to be a warning rather than an actual error. Is the exception caught by the server and not logged, perhaps?
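
As an added example (not code from the thread or from the project), here is a small Python checker for the client_assertion parameter listed above. It decodes the posted JWT without verifying the signature (the registered public key is not part of this thread) and flags the mistakes this discussion circled: a kid that does not match the registered key, an iss or sub that does not equal the client_id (the client_id mix-up), a wrong audience, a missing jti, or an expired window. The keycloak_kid helper assumes Keycloak derives the kid as the unpadded base64url SHA-256 of the DER-encoded public key, which is my reading of Keycloak's KeyUtils.createKeyId and not something the thread states; EXPECTED_AUD is taken from the token's own aud claim and is an assumption about what the gateway's realm accepts.

```python
import base64
import hashlib
import json
import time

# The client_assertion exactly as posted in the thread (header.payload.signature).
CLIENT_ASSERTION = "eyJraWQiOiItcy1lR0tOdnFHZkJQQzhJb3ltQ2tzanQ1U2FrMU0tU2QtcGw4ZE05cHRRIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJjdXJhX2FhbGJvcmdfdWRkIiwiYXVkIjoiaHR0cHM6Ly9zYW1sLnRlc3QwMDEuZWhlYWx0aC5zdW5kaGVkLmRrL2F1dGgvcmVhbG1zL2VoZWFsdGgiLCJuYmYiOjE2NTMzMDQ5ODMsImlzcyI6ImN1cmFfYWFsYm9yZ191ZGQiLCJleHAiOjE2NTMzMDUyODMsImlhdCI6MTY1MzMwNDk4MywianRpIjoiNjE4MDUzY2QtZDVlNi00YzU1LWExM2EtNjJlODBjZTY2MzJkIn0.PkNsAZ93l5hQ_Y5i2KzOrWVdYDR8YGWQc5luE6GwJF1cv0mXZVvP6W0Wv4JKiJrn3BYTkaFtKdy6DY221qww0esSSBIZCvg352wiP_rltbcjKglUUGL-zL9trJuARsK_ow3DJbGX3P7BkXyCEqs-EMliTv2m1Mvv5fejfoS76KPpGkPmj_Q4eiVWjOs6AxYDOaIfGozrksFU4AM_JlkNVgu8eRWcMhdYEUb4xmL2XiH4dog8yegFMMMUrh7MniimCxSW90-XcINGDkDTEFrEW72ue4b_zWc1wJutxZOjFjJrjcfGf52zpsJ0ltRQtZ_gqfxsQG6X_V4Wy6qxK_1G8g"

CLIENT_ID = "cura_aalborg_udd"
# Assumption: the realm URL that appears as aud in the posted token is what the
# gateway's Keycloak accepts as the audience of a client JWT.
EXPECTED_AUD = "https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Return (header, payload, raw_signature). No signature verification is done."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(signature_b64))


def keycloak_kid(spki_der: bytes) -> str:
    """Assumed Keycloak kid derivation (KeyUtils.createKeyId): unpadded base64url
    of SHA-256 over the DER-encoded SubjectPublicKeyInfo of the registered key."""
    digest = hashlib.sha256(spki_der).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def check_client_assertion(token, client_id, expected_aud, now=None, registered_kid=None):
    """Return a list of findings for a private_key_jwt client assertion (RFC 7523);
    an empty list means the claims are consistent with the token request."""
    header, payload, signature = decode_jwt(token)
    now = int(time.time()) if now is None else now
    findings = []
    if header.get("alg", "none").lower() == "none":
        findings.append("alg is 'none': the assertion is unsigned")
    if "kid" not in header:
        findings.append("header has no kid, so the server cannot select the registered key")
    elif registered_kid is not None and header["kid"] != registered_kid:
        findings.append(f"kid {header['kid']} does not match registered kid {registered_kid}")
    # RFC 7523: iss and sub of a client assertion must both be the client_id.
    for claim in ("iss", "sub"):
        if payload.get(claim) != client_id:
            findings.append(f"{claim}={payload.get(claim)!r} but client_id={client_id!r}")
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud:
        findings.append(f"aud {aud} does not contain {expected_aud!r}")
    if "jti" not in payload:
        findings.append("jti missing: replay of the assertion cannot be detected")
    if payload.get("exp") is None or payload["exp"] <= now:
        findings.append("assertion is expired (exp <= now)")
    if payload.get("nbf", 0) > now:
        findings.append("assertion is not yet valid (nbf > now)")
    return findings


if __name__ == "__main__":
    hdr, body, sig = decode_jwt(CLIENT_ASSERTION)
    print(json.dumps(hdr), json.dumps(body), f"{len(sig) * 8}-bit signature", sep="\n")
    # Evaluate the token one minute after it was issued, i.e. inside its window.
    print(check_client_assertion(CLIENT_ASSERTION, CLIENT_ID, EXPECTED_AUD, now=body["iat"] + 60))
```

Pass registered_kid=keycloak_kid(der) with the DER SubjectPublicKeyInfo of the certificate uploaded in this PR to have the kid comparison made for you; the posted token carries a 300-second lifetime and a jti, so the remaining places a 400/500 can come from are the server-side key lookup and the SAML subject_token.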

@nigtrifork (Collaborator)

@aonsystematic yes, maybe that warning is a false flag. I have been able to reproduce the error by omitting the client id from the request, but we have already checked the request. I'm assuming that you are using the same implementation for both clients?

@aonsystematic (Author)

I've been asked to move this discussion to an issue instead of the pull request, so here it is: #38

I also mention it there, but the implementation is in fact the same for both clients.
