Hi everyone,

I'm currently using CAS version 6.3.2. I added support for the OpenID Connect protocol, which is based on the OAuth2 protocol. With the following configuration I'm able to generate a JWT access token and a refresh token. My goal is to sign these tokens; encryption is not needed. So far so good. Now, from the resource server, I would like to check the signature of these tokens. When the OpenID Connect protocol is active there is an endpoint on /oidc/jwks which allows everybody to retrieve the public keys (by default there is one and it's an RSA key) to do exactly that. My problem is that when I parse the JWT token generated by CAS, the algorithm used (extracted from the header section of the JWT token) is not RSA:

The parsed JWT indicates it was signed with the HS512 signature algorithm, but the specified signing key of type com.android.org.conscrypt.OpenSSLRSAPublicKey may not be used to validate HS512 signatures. Because the specified signing key reflects a specific and expected algorithm, and the JWT does not reflect this algorithm, it is likely that the JWT was not expected and therefore should not be trusted. Another possibility is that the parser was configured with the incorrect signing key, but this cannot be assumed for security reasons.

I tried to add the following configuration in my properties file to change that:

cas.authn.oauth.access-token.crypto.alg=RSA

(tried with RS512 too), and here is the whole section regarding crypto:

cas.authn.oauth.access-token.crypto.signing.key=...
cas.authn.oauth.access-token.create-as-jwt=true
cas.authn.oauth.access-token.crypto.encryption-enabled=false
cas.authn.oauth.access-token.crypto.signing-enabled=true
cas.authn.oauth.access-token.crypto.alg=RSA

There is a section (https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties-Common.html#signing--encryption) regarding RSA keys in the common properties to generate a private/public key, but I don't know how to configure CAS to use the public one (the private one can be configured via cas.authn.oauth.access-token.crypto.signing.key) for OIDC.

Here is my service.json:

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "serviceId" : "...",
  "clientId" : "...",
  "name" : "...",
  "id" : 10000006,
  "evaluationOrder" : 1,
  "scopes" : [ "java.util.HashSet", [ "email" ] ],
  "bypassApprovalPrompt" : true,
  "generateRefreshToken" : true,
  "jwtAccessToken" : true,
  "properties" : {
    "@class" : "java.util.HashMap",
    "accessTokenAsJwtSigningKey" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "..." ] ]
    },
    "accessTokenAsJwtSigningEnabled" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "true" ] ]
    },
    "accessTokenAsJwtEncryptionEnabled" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values" : [ "java.util.HashSet", [ "false" ] ]
    }
  }
}

Another strange behaviour is that, to make JWT token generation work, it seems that some global properties are not sufficient:

cas.authn.oauth.access-token.crypto.signing.key=...
cas.authn.oauth.access-token.create-as-jwt=true
cas.authn.oauth.access-token.crypto.encryption-enabled=false
cas.authn.oauth.access-token.crypto.signing-enabled=true

and we need the properties in the service to make it work:

"properties" : {
  "@class" : "java.util.HashMap",
  "accessTokenAsJwtSigningKey" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "..." ] ]
  },
  "accessTokenAsJwtSigningEnabled" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "true" ] ]
  },
  "accessTokenAsJwtEncryptionEnabled" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
    "values" : [ "java.util.HashSet", [ "false" ] ]
  }
}

Without the accessTokenAsJwtSigningKey I have an error (why, since there is already a key configured in the properties?!):

org.jose4j.lang.InvalidAlgorithmException: Signature algorithm header (alg) not set.
    at org.jose4j.jws.JsonWebSignature.getAlgorithm(JsonWebSignature.java:245) ~[jose4j-0.7.2.jar!/:?]
    at org.jose4j.jws.JsonWebSignature.getAlgorithm(JsonWebSignature.java:231) ~[jose4j-0.7.2.jar!/:?]
    at org.jose4j.jws.JsonWebSignature.sign(JsonWebSignature.java:181) ~[jose4j-0.7.2.jar!/:?]
    at org.jose4j.jws.JsonWebSignature.getCompactSerialization(JsonWebSignature.java:140) ~[jose4j-0.7.2.jar!/:?]
    at org.apereo.cas.util.EncodingUtils.signJws(EncodingUtils.java:471) ~[cas-server-core-util-api-6.3.2.jar!/:6.3.2]
    at org.apereo.cas.util.cipher.AbstractCipherExecutor.signWith(AbstractCipherExecutor.java:113) ~[cas-server-core-util-api-6.3.2.jar!/:6.3.2]
    at org.apereo.cas.oidc.token.OidcRegisteredServiceJwtAccessTokenCipherExecutor$1.sign(OidcRegisteredServiceJwtAccessTokenCipherExecutor.java:140) ~[cas-server-support-oidc-core-api-6.3.2.jar!/:6.3.2]

Maybe I need to use the jwk property ("Optional. Resource path to the keystore location that holds the keys for this application") described in https://apereo.github.io/cas/6.3.x/installation/OIDC-Authentication.html, but I don't know why I would need it...

I tried many things, reading the source code, but I'm hard stuck for 2 days on the matter. If somebody could help me that would be great.

Thanks,
Simon

You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a8bd95f-0b81-4b0a-8334-87b19a03102en%40apereo.org.
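The jjwt message quoted in the post is a resource server doing the right thing: the token header says HS512 while the key fetched from /oidc/jwks is RSA, and a verifier must never let the token's alg pick the verification method. The following is an added example (written for this thread, not code from CAS, jose4j, jjwt or the original poster) of a resource-server-side verifier that selects the JWK by kid, derives the set of acceptable algorithms from the JWK's kty rather than from the header, and only then checks the signature. It uses only the Python standard library (3.8+ for modular inverse), covers the whole RS256/384/512 and HS256/384/512 families rather than just the HS512/RSA pair in the post, and includes a small signer so it can mint tokens to check itself. The kid values, the issuer URL, the shared secret and the RSA key (built from two Mersenne primes, so deterministic and trivially factorable) are all constructed for the demo and stand for nothing real.

```python
"""Added example (not CAS, jose4j or jjwt code): verify a JWT access token against a JWKS
document while binding the header alg to the key type, so an HS512 token is never checked
with an RSA public key. All keys, kids, URLs and claims below are constructed."""
import base64
import hashlib
import hmac
import json

# JOSE algorithms each JWK key type may legitimately be used with (RFC 7518 families).
ALLOWED_ALGS = {"RSA": {"RS256", "RS384", "RS512"}, "oct": {"HS256", "HS384", "HS512"}}
HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}
# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2).
DIGEST_INFO = {
    "256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _pkcs1_encode(bits: str, signing_input: bytes, k: int) -> bytes:
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo||H(m), padded to modulus length k.
    t = DIGEST_INFO[bits] + HASHES[bits](signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_jwt(token: str, jwks: dict) -> dict:
    """Return the claims if a key in jwks validly signed the token, else raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    alg, kid = str(header.get("alg", "none")), header.get("kid")
    keys = [k for k in jwks["keys"] if kid is None or k.get("kid") == kid]
    if len(keys) != 1:
        raise ValueError(f"no unique JWK for kid={kid!r}")
    key = keys[0]
    # The key the verifier holds decides which algorithms are acceptable; the token
    # header does not. This is the check behind the jjwt error quoted in the post.
    if alg not in ALLOWED_ALGS.get(key["kty"], set()):
        raise ValueError(f"alg {alg} not permitted for a {key['kty']} key")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig, bits = b64url_decode(sig_b64), alg[2:]
    if key["kty"] == "oct":
        expected = hmac.new(b64url_decode(key["k"]), signing_input, HASHES[bits]).digest()
        ok = hmac.compare_digest(expected, sig)
    else:
        n = int.from_bytes(b64url_decode(key["n"]), "big")
        e = int.from_bytes(b64url_decode(key["e"]), "big")
        k = (n.bit_length() + 7) // 8
        em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
        ok = hmac.compare_digest(_pkcs1_encode(bits, signing_input, k), em)
    if not ok:
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))

def sign_jwt(claims: dict, alg: str, key: dict) -> str:
    """Issuer side (a constructed stand-in for CAS) so the demo can mint tokens."""
    header = {"alg": alg, "typ": "JWT", "kid": key["kid"]}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input, bits = f"{h}.{p}".encode(), alg[2:]
    if alg.startswith("HS"):
        sig = hmac.new(b64url_decode(key["k"]), signing_input, HASHES[bits]).digest()
    else:
        n = int.from_bytes(b64url_decode(key["n"]), "big")
        d = int.from_bytes(b64url_decode(key["d"]), "big")
        k = (n.bit_length() + 7) // 8
        sig = pow(int.from_bytes(_pkcs1_encode(bits, signing_input, k), "big"), d, n).to_bytes(k, "big")
    return f"{h}.{p}.{b64url_encode(sig)}"

def demo_rsa_jwk(kid: str) -> dict:
    """Constructed demo key from the Mersenne primes 2^521-1 and 2^607-1: deterministic and
    trivially factorable, so it is usable for this demo only, never as a real key."""
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    enc = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "kid": kid, "n": enc(p * q), "e": enc(e), "d": enc(d)}

def _rejected(token: str, jwks: dict, expected_text: str) -> bool:
    try:
        verify_jwt(token, jwks)
        return False
    except ValueError as err:
        return expected_text in str(err)

def demo() -> dict:
    rsa = demo_rsa_jwk("cas-demo-1")
    jwks = {"keys": [{f: rsa[f] for f in ("kty", "kid", "n", "e")}]}  # what a JWKS endpoint would publish
    claims = {"sub": "simon", "iss": "https://cas.example/oidc", "scope": "email"}
    result = {"rs_claims": verify_jwt(sign_jwt(claims, "RS256", rsa), jwks)}
    # An HS512 token (the case in the post) presented against the RSA JWKS is refused
    # before any signature math runs, whatever secret produced it.
    shared = {"kty": "oct", "kid": "cas-demo-1", "k": b64url_encode(b"constructed-shared-secret")}
    hs_token = sign_jwt(claims, "HS512", shared)
    result["hs_rejected"] = _rejected(hs_token, jwks, "not permitted")
    # The same token verifies once the resource server holds the shared secret as an oct JWK.
    result["hs_claims"] = verify_jwt(hs_token, {"keys": [shared]})
    # A tampered payload on an RS256 token fails the signature check itself.
    h, _, s = sign_jwt(claims, "RS256", rsa).split(".")
    result["tamper_rejected"] = _rejected(".".join([h, b64url_encode(b'{"sub":"admin"}'), s]), jwks, "verification failed")
    return result
```

Run `demo()` to see the four outcomes. The point of the kty-driven allow-list is that an HS512 token can only ever be validated by a server that was given the HMAC secret as an `oct` key; against the RSA key from a JWKS endpoint it is refused by type, never by trying the signature. Which CAS setting makes the issued access token RS-signed with the key published at /oidc/jwks is a configuration question this example does not answer.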
