This topic has 7 replies, 4 voices, and was last updated 3 years, 2 months ago by pkesar15.
-
AuthorPosts
-
October 24, 2017 at 12:12 pm #19265
pkesar15
ParticipantHi,
I am encrypting the id_token using a base64 encoded X509 cert and getting signature verification failed for encrypted JWTs.
Steps to reproduce:
1. Create a realm, OIDC conf in realm, agent and get an id_token (Signed by OpenAM, by default)
2. Verify the JWT (id_token) signature using corresponding public key of OpenAM- works!
3. Encrypt the JWT by updating agent configuration:
a. Check Enable ID Token Encryption
b. Add a base64 encoded public key to Client ID Token Public Encryption Key (Public key generated as per steps in https://backstage.forgerock.com/docs/openam/13.5/admin-guide/#configure-oidc-encryption)
4. Get an id_token and try to verify using public key in step 2- fails!
I am using OpenAM 13.5. Any ideas will be helpful, thanksCheers,
PriyaOctober 24, 2017 at 12:27 pm #19266Neil Madden
ParticipantIf you enable both signing and encryption then the ID token will first be signed and then encrypted (as per the OIDC spec). Therefore you will need to decrypt it using your private key before you can verify the signature.
October 25, 2017 at 6:06 pm #19299pkesar15
ParticipantHi Neil,
Thanks for your response and apologies for delay in follow up.
As I understand, the JWT has three parts: header, payload and signature. When we encrypt the JWT, effectively the payload is encrypted. As I can see the payload, without decrypting, in clear text (using jwt.io to decode JWT)
So, two questions:
1. When you say decrypt and verify signature, you mean, I need to decrypt all three parts of JWT?
2. Is there any public piece of code or online tool you are aware of, which I can use for decryption?
Many thanks.
Cheers,
PriyaOctober 26, 2017 at 11:30 am #19332pkesar15
ParticipantCorrection to above statement:
As I can see the header (not payload), without decrypting, in clear text (using jwt.io to decode JWT)Also, I am trying to explore the how alternatively OpenAM can pick public key of client for encryption. As per OIDC spec, the public key can be picked from: X.509 Cert, JWK, JWK_URI
I could only find a way to use X.509 cert. Does OpenAM supports JWK and JWK_URI as well (It does to publish its own public keys for signing) for encryption?Cheers,
PriyaOctober 26, 2017 at 4:21 pm #19340Scott Heger
ParticipantIn an encrypted JWT the header is base64 encoded and the payload and signature are encrypted. The client uses the base64 decoded header information to know that what follows is encrypted and with what method and algorithm:
{ "typ": "JWT", "kid": "GkSBl5DAe0JppgudqH3OdZnUWb4=", "cty": "JWT", "enc": "A128CBC-HS256", "alg": "RSA1_5" }
In this example the encryption method is “A128CBC-HS256” and the encryption algorithm is “RSA1_5”. That will match what you have set in your client profile.
After base64 decoding the header the client would then decrypt the payload and signature and then verify the signature as Neil mentioned. I’m unaware of any online tools to test the decrypting of an encrypted JWT. If you find one, please share.
October 27, 2017 at 10:34 am #19351Andy Cory
Participant@shegergmail-com, closest I’ve found was http://kjur.github.io/jsjws/tool_verifyanalyze.html, but I’ve never had a need to actually try it out, but it looked promising. There are various Java and/or JS libraries from which a competent developer (i.e. someone who is not me) could probably knock something up in less time than it took me to write this.
-Andy
October 27, 2017 at 4:37 pm #19360Scott Heger
ParticipantThanks @acorysmart421-com. I’ll check that out.
October 31, 2017 at 5:55 pm #19412pkesar15
ParticipantThanks for response Andy and Scott.
I checked out the tool, its works like jwt.io. It works well for decoding the JWT and verify signature using public keys. What I am looking for is, to decrypt the JWT and then verify the signature. We are trying to build that decryption logic at relying party.
Also, I am still struggling to find if OpenAM can do JWT encryption by taking RP’s public key from a JWK_URI. As of now, I could get encrypted JWT if I pasted the RP’s public key in client profile under ‘Client ID Token Public Encryption Key’
Let me know if you are aware of alternatives. Thanks. -
AuthorPosts
You must be logged in to reply to this topic.