OpenID Connect OAuth2 Provider missing Token Signing RSA Public/Private Key Pair

This topic contains 10 replies, has 2 voices, and was last updated by  dhruvb 2 months, 2 weeks ago.

  • #25381
     dhruvb 
    Participant

    I am unable to use a specific certificate to sign the JWT token when using the RS256 alg.

    I can see an option to set the “Token Signing RSA Public/Private Key Pair” on version 6.0, which I can change and which works fine, but not on version 6.5.0: there is no such option under Services -> OAuth2 Provider -> Advanced.

    The only option I can see is around configure/secretStores/KeyStoreSecretStore/edit/default-keystore

    However, when I set the am.services.oauth2.oidc.signing.RSA
    value from the rsajwtsigningkey alias to myOwnCertificateAlias,

    authentication returns a 500 Internal Server Error.

    #25386
     Peter Major 
    Moderator

    What errors are you getting? Did you want to change the stateless OAuth2 token, the id_token or the remote consent agent signing key, or all of them at the same time?

    #25387
     dhruvb 
    Participant

    I want the id_token signed with a specific certificate.

    #25388
     dhruvb 
    Participant

    I want the id_token signed with a specific certificate instead of the rsajwtsigningkey alias.

    #25390
     dhruvb 
    Participant

    Hello Peter Major,

    Here is the error log:
    OAuth2Provider:04/04/2019 04:16:41:427 AM EDT: Thread[https-jsse-nio-443-exec-1,5,main]: TransactionId[0fd22ea3-5a83-4b9a-af72-9261a75b72d9-15533]
    ERROR: OpenAMClientRegistration: unable to load client public key(s)
    org.forgerock.json.jose.exceptions.FailedToLoadJWKException: Unable to load keys from the JWK over HTTP
    at org.forgerock.json.jose.jwk.store.JwksStore.<init>(JwksStore.java:101)
    at org.forgerock.json.jose.jwk.store.JwksStoreService.configureJwksStore(JwksStoreService.java:108)
    at org.forgerock.json.jose.jwk.store.JwksStoreService.configureJwksStore(JwksStoreService.java:84)
    at org.forgerock.openam.oauth2.OpenAMClientRegistration.getJwksStore(OpenAMClientRegistration.java:663)
    at org.forgerock.openam.oauth2.OpenAMClientRegistration.getPublicKeyStore(OpenAMClientRegistration.java:1043)
    at org.forgerock.openam.oauth2.OpenAMClientRegistration.getSecretsProvider(OpenAMClientRegistration.java:1061)
    at org.forgerock.openam.oauth2.OpenAMClientRegistration.createJws(OpenAMClientRegistration.java:999)
    at org.forgerock.openam.oauth2.OpenAMClientRegistration.createIDTokenJwt(OpenAMClientRegistration.java:916)
    at org.forgerock.openidconnect.OpenIdConnectToken.createJwt(OpenIdConnectToken.java:398)
    at org.forgerock.openidconnect.OpenIdConnectToken.<init>(OpenIdConnectToken.java:116)
    at org.forgerock.openam.oauth2.token.OpenIdConnectTokenStore.createOpenIDToken(OpenIdConnectTokenStore.java:186)
    at org.forgerock.openidconnect.IdTokenResponseTypeHandler.handle(IdTokenResponseTypeHandler.java:58)
    at org.forgerock.oauth2.core.AuthorizationTokenIssuer.issueTokens(AuthorizationTokenIssuer.java:120)
    at org.forgerock.oauth2.core.AuthorizationService.handlePostRequest(AuthorizationService.java:420)
    at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:190)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:508)
    at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:606)
    at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:662)
    at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
    at org.restlet.resource.ServerResource.handle(ServerResource.java:1020)
    at org.restlet.resource.Finder.handle(Finder.java:236)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Router.doHandle(Router.java:422)
    at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
    at org.restlet.routing.Router.handle(Router.java:641)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
    at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:77)
    at org.restlet.Application.handle(Application.java:385)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Router.doHandle(Router.java:422)
    at org.restlet.routing.Router.handle(Router.java:641)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.routing.Router.doHandle(Router.java:422)
    at org.restlet.routing.Router.handle(Router.java:641)
    at org.restlet.routing.Filter.doHandle(Filter.java:150)
    at org.restlet.routing.Filter.handle(Filter.java:197)
    at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
    at org.restlet.Component.handle(Component.java:408)
    at org.restlet.Server.handle(Server.java:507)
    at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
    at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
    at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
    at org.forgerock.openam.rest.RestEndpointServlet$RestletHandler.handle(RestEndpointServlet.java:183)
    at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
    at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:87)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:252)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.forgerock.openam.rest.RestEndpointServlet$HttpServletWrapper.service(RestEndpointServlet.java:254)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:132)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.validation.FQDNValidationFilter.doFilter(FQDNValidationFilter.java:55)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)
    Caused by: org.forgerock.json.jose.exceptions.FailedToLoadJWKException: Unable to load the JWK location over HTTP
    at org.forgerock.json.jose.jwk.JWKSetParser.gatherHttpContents(JWKSetParser.java:84)
    at org.forgerock.json.jose.jwk.JWKSetParser.jwkSet(JWKSetParser.java:96)
    at org.forgerock.json.jose.jwk.store.JwksStore.reloadJwks(JwksStore.java:111)
    at org.forgerock.json.jose.jwk.store.JwksStore.<init>(JwksStore.java:98)
    … 111 more
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at org.forgerock.util.SimpleHTTPClient.get(SimpleHTTPClient.java:88)
    at org.forgerock.json.jose.jwk.JWKSetParser.gatherHttpContents(JWKSetParser.java:82)
    … 114 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    … 129 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)

    #25391
     Peter Major 
    Moderator

    Looks like you have configured a jwks_uri for the client that AM cannot access due to SSL certificate validation errors. Try to fix that first.
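    The innermost cause in the trace (sun.net.www.protocol.https.HttpsClient -> X509TrustManagerImpl -> "PKIX path building failed") shows AM fetching the client's jwks_uri with a plain HttpsURLConnection, so the certificate chain is checked against the JVM's default truststore, not against AM's own default-keystore. The issuing CA of the jwks_uri host has to be trusted there; switching the signing key or disabling certificate checks does not address it. The script below is an added example by the editor, not from the thread or from ForgeRock: it captures the chain a real jwks_uri host serves, path-builds it the way the JVM will, and imports the issuing CA with keytool. The "demo" mode builds a throw-away PKI offline (the CA names, the host jwks.example.test, the alias jwks-issuer and the truststore password changeit are all constructed).

```sh
#!/bin/sh
# Added example (editor's own, not from the thread): reproduce the PKIX failure AM's
# HttpsURLConnection raised while fetching a client's jwks_uri, and fix it at the
# right layer, the truststore of the JVM that runs AM.
set -eu

# 1. Capture the chain the jwks_uri host actually serves (needs network; not used offline)
#    and list subject/issuer of every certificate: the last issuer is the CA to trust.
fetch_server_chain() {   # host port outfile.pem
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
    openssl crl2pkcs7 -nocrl -certfile "$3" | openssl pkcs7 -print_certs -noout
}

# 2. Path-build a leaf against a CA bundle, as the JVM's PKIX validator does.
#    A non-zero exit is the shell equivalent of "unable to find valid certification path".
verify_chain() {   # leaf.pem cabundle.pem [intermediates.pem]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# 3. The fix: add the issuing CA to the truststore the AM JVM uses for outbound TLS
#    (default $JAVA_HOME/lib/security/cacerts, or whatever -Djavax.net.ssl.trustStore in
#    CATALINA_OPTS points at), then restart Tomcat: JSSE reads the truststore at startup.
import_ca_into_jvm_truststore() {   # ca.pem alias truststore storepass
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; run this on the AM host" >&2; return 2; }
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" -keystore "$3" -storepass "$4"
}

# Constructed throw-away PKI so step 2 can run offline: an issuing CA, a leaf it signed for
# a made-up jwks host, and an unrelated CA standing in for "what the JVM trusts today".
make_demo_pki() {   # prints the directory it created
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=jwks.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -out "$d/srv.pem" 2>/dev/null
    echo "$d"
}

case "${1:-}" in
    demo)
        dir=$(make_demo_pki)
        if verify_chain "$dir/srv.pem" "$dir/other-ca.pem"; then
            echo "unexpected: leaf verified against an unrelated CA"
        else
            echo "as in the AM log: issuer not trusted, PKIX path building fails"
        fi
        verify_chain "$dir/srv.pem" "$dir/ca.pem" && echo "with the issuing CA trusted, the chain verifies"
        echo "on the AM host: import_ca_into_jvm_truststore $dir/ca.pem jwks-issuer \$JAVA_HOME/lib/security/cacerts changeit"
        ;;
    check)   # check <host> <port> <cabundle.pem>: what AM will see for a real jwks_uri
        chain=$(mktemp)
        fetch_server_chain "$2" "$3" "$chain"
        # the captured file is passed as leaf and as untrusted intermediates
        verify_chain "$chain" "$4" "$chain" && echo "trusted by $4" || echo "NOT trusted by $4"
        ;;
esac
```

    Run `sh jwks_trust.sh demo` for the offline reproduction, or `sh jwks_trust.sh check jwks-host 443 /path/to/cacerts.pem` against a real client's jwks_uri (export the JVM truststore to PEM first, or point the check at the CA bundle you intend to import). Importing into the global cacerts makes the whole JVM trust that CA; a dedicated truststore referenced from CATALINA_OPTS keeps the change scoped to AM and survives JDK upgrades.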

    #25392
     dhruvb 
    Participant

    I have changed the “Public key selector” to x509 instead of JWKs_URI but still get the same error, if that’s what you meant?

    Also, how should I fix “AM cannot access due to SSL certificate validation errors”?

    #25393
     dhruvb 
    Participant

    Hello,

    I am really stuck with this issue of not being able to sign the id_token with our own SSL certificate. In the keystore I can clearly see the certificate, and the entry type is “PrivateKeyEntry” with “certificate chain length: 2”.

    For SAML assertions it is correctly signing with my SSL certificate, so I thought it could access the keystore and that the certificate is valid.

    I don’t know how to configure the signing certificate for the id_token in the OAuth2 provider and OIDC client.

    Also, how should I fix “AM cannot access due to SSL certificate validation errors”?

    #25394
     Peter Major 
    Moderator

    If your OAuth2 client is indeed configured to use X509 public key selector, you should be getting a different stacktrace in the debug logs.

    #25395
     dhruvb 
    Participant

    I am getting this:

    org.forgerock.secrets.keystore.KeyStoreSecretStore:04/04/2019 08:54:10:304 AM EDT: Thread[https-jsse-nio-443-exec-10,5,main]: TransactionId[0fd22ea3-5a83-4b9a-af72-9261a75b72d9-118471]
    ERROR: Unable to read secret/private key tor-engqa-opn2-tomcat.aaqa.net
    java.security.UnrecoverableKeyException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

    #25396
     dhruvb 
    Participant

    Yes, it is resolved. The certificate had some restriction on itself; when I try with a different certificate it works fine.
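    The "Given final block not properly padded" UnrecoverableKeyException in the second trace is what a JCEKS keystore throws when the password used to recover an entry is not the password that entry was stored under (a JKS store reports the same mistake as "Cannot recover key"). The store itself had loaded, so the store password was right; the entry password AM resolved for that alias was not. That is the usual outcome of importing an existing key with keytool -importkeystore and a -destkeypass (or a source key password) that differs from what the AM 6.5 KeyStoreSecretStore's separate "Key entry password" reference resolves to. The probe below is an added example by the editor, not ForgeRock code: it opens a keystore with the store password and then tries to recover one entry with the entry password, reporting which of the two is wrong instead of throwing. The in-memory demo store, its alias demo and the passwords store-pw/entry-pw are constructed; with four arguments it runs against a real keystore file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (editor's own, not ForgeRock code). Probes a keystore entry the way a
 * KeyStoreSecretStore must: unlock the store with the store password, then recover the
 * entry with the entry password. A wrong entry password surfaces as
 * UnrecoverableKeyException; for JCEKS its message is the "Given final block not
 * properly padded" text seen in the AM debug log.
 */
public class KeyEntryPasswordProbe {

    public enum Result { OK, NO_SUCH_ENTRY, NOT_A_KEY_ENTRY, ENTRY_PASSWORD_WRONG }

    /** Recover one entry; never throws on a bad password, so callers can report cleanly. */
    public static Result probe(KeyStore ks, String alias, char[] entryPassword) {
        try {
            if (!ks.containsAlias(alias)) {
                return Result.NO_SUCH_ENTRY;
            }
            if (!ks.isKeyEntry(alias)) {
                return Result.NOT_A_KEY_ENTRY;   // trustedCertEntry: a public cert only, nothing to sign with
            }
            Key key = ks.getKey(alias, entryPassword);
            return key != null ? Result.OK : Result.NO_SUCH_ENTRY;
        } catch (UnrecoverableKeyException e) {
            return Result.ENTRY_PASSWORD_WRONG;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("keystore not usable: " + e, e);
        }
    }

    /** Open a keystore file; a wrong store password fails here, before any entry is touched. */
    public static KeyStore load(String path, String type, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 4) {
            // Real use on the AM host: <keystore> <alias> <store password> <entry password>,
            // i.e. the values AM's .storepass/.keypass files (or your secret store) resolve to.
            KeyStore ks = load(args[0], "JCEKS", args[2].toCharArray());
            System.out.println(args[1] + ": " + probe(ks, args[1], args[3].toCharArray()));
            return;
        }

        // Constructed demo (no file needed): an in-memory JCEKS store whose entry was saved
        // under a key password that differs from the store password, which is what happens
        // when a key is imported with -destkeypass / -keypass set to something else.
        char[] storePw = "store-pw".toCharArray();
        char[] entryPw = "entry-pw".toCharArray();
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, storePw);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey demoKey = kg.generateKey();   // stands in for the RSA private key; JCEKS password-protects both kinds of entry
        ks.setEntry("demo", new KeyStore.SecretKeyEntry(demoKey), new KeyStore.PasswordProtection(entryPw));

        System.out.println("store password used as entry password: " + probe(ks, "demo", storePw));
        System.out.println("entry password it was saved with:      " + probe(ks, "demo", entryPw));
        System.out.println("alias that does not exist:             " + probe(ks, "missing", entryPw));
    }
}
```

    Compile and run with `javac KeyEntryPasswordProbe.java && java KeyEntryPasswordProbe` for the demo, or `java KeyEntryPasswordProbe /path/to/keystore.jceks myOwnCertificateAlias "$(cat .storepass)" "$(cat .keypass)"` on the AM host. If the result is ENTRY_PASSWORD_WRONG, align the entry with the password AM is configured to use rather than changing AM's configuration to a per-alias secret: `keytool -keypasswd -keystore keystore.jceks -storetype JCEKS -alias myOwnCertificateAlias -storepass <store password> -keypass <password the key was imported with> -new <password the Key entry password reference resolves to>`. Rerun the probe afterwards; it should report OK before you map the alias to am.services.oauth2.oidc.signing.RSA again.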

©2019 ForgeRock