OpenIG 4.0: JWT signature does not match locally computed signature

This topic contains 2 replies, has 2 voices, and was last updated by  srinath.m 7 months, 2 weeks ago.

  • #22422
     srinath.m 
    Participant

    Hi All,

    I am getting the below exception in OpenIG custom Java filter code.
    I have set the sharedSecret in properties file which is loading dynamically.
    encodedJwt = This is getting from OpenAM after login as a user.
    encodingFormat = UTF-8

    
    encodedJwtArray = statelessSessionToken.split(Pattern.quote(MineConstants.ASTERISK));
    encodedJwt = encodedJwtArray[2];
    Claims claims = Jwts.parser().setSigningKey(sharedSecret.getBytes(encodingFormat)).parseClaimsJws(encodedJwt);

    Error :
    io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:342)
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:458)
    at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:518)
    at OpenIGFiltersMine.customOpenIGFiltersMine.MineUtils.verifyJWTSignatureAndGetJSONString(MineUtils.java:116)
    at OpenIGFiltersMine.customOpenIGFiltersMine.SampleFilter.processSSOToken(SampleFilter.java:135)
    at OpenIGFiltersMine.customOpenIGFiltersMine.SampleFilter.filter(SampleFilter.java:74)
    at org.forgerock.http.handler.Chain.handle(Chain.java:55)
    at org.forgerock.openig.filter.Chain.handle(Chain.java:69)
    at org.forgerock.openig.handler.DispatchHandler.handle(DispatchHandler.java:97)
    at org.forgerock.http.handler.Chain.handle(Chain.java:57)
    at org.forgerock.openig.handler.router.NullResponseFilter.filter(NullResponseFilter.java:49)
    at org.forgerock.http.handler.Chain.handle(Chain.java:55)
    at org.forgerock.openig.filter.RuntimeExceptionFilter.filter(RuntimeExceptionFilter.java:44)
    at org.forgerock.http.handler.Chain.handle(Chain.java:55)
    at org.forgerock.openig.handler.router.Route.handle(Route.java:138)
    at org.forgerock.openig.handler.router.RouterHandler.handle(RouterHandler.java:283)
    at org.forgerock.openig.audit.decoration.AuditHandler.handle(AuditHandler.java:49)
    at org.forgerock.openig.decoration.capture.CaptureHandler.handle(CaptureHandler.java:63)
    at org.forgerock.http.handler.Chain.handle(Chain.java:57)
    at org.forgerock.http.routing.Router.handle(Router.java:92)
    at org.forgerock.http.handler.Chain.handle(Chain.java:57)
    at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
    at org.forgerock.http.handler.Chain.handle(Chain.java:55)
    at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:222)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)

    OpenIG version = 4.0

    Any help on this would be appreciated.
    Thanks,
    Srinath

    • This topic was modified 7 months, 3 weeks ago by  srinath.m.
    #22424
     violette 
    Participant

    Hi srinath.m,

    I understand that you get the signed-JWT from AM (stateless) but without knowing your AM configuration and without seeing the JWT it is not easy to help you.
    What I could suggest is to verify your AM configuration (which version?) and double check that you have provided the same key when you configured your stateless sessions as the one you are using for verifying the signature.
    https://backstage.forgerock.com/docs/am/6/authentication-guide/#session-state-configure-jwt-signature

    About the JWT, they are usually separated by dots (.) and not asterisks (*) and their format is just header.claims.signature (for a JWS). For extracting the data from the JWT, you could do a simple .split("\\."); then the signature is the last part of the JWT.

    #22429
     srinath.m 
    Participant

    Thanks @violette for pointing me in the right direction. I am using OpenAM 13 version. I have given the wrong JWT sharedSecret in the properties file. After correcting this it works fine. Thanks again.
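
Added example, not part of the thread and not ForgeRock or JJWT code: a JDK-only check that recomputes the HMAC over header.claims, to show that any difference in the key bytes gives the mismatch reported above. The class name, the sample secrets, the `*CONSTRUCTED.*` wrapper and the Base64-stored secret are constructed assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwsHmacCheck {
    static byte[] hmac(String signingInput, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Recompute the HS256 signature over "header.claims" and compare in constant time.
    static boolean verifies(String jws, byte[] key) throws Exception {
        String[] p = jws.split("\\.");
        if (p.length != 3) throw new IllegalArgumentException("not header.claims.signature");
        String header = new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        // Pin the algorithm instead of trusting the token (crude string check; parse JSON in real code).
        if (!header.contains("\"alg\":\"HS256\"")) throw new IllegalArgumentException("unexpected alg");
        return MessageDigest.isEqual(hmac(p[0] + "." + p[1], key), Base64.getUrlDecoder().decode(p[2]));
    }

    // Helper for the demo only: builds a signed token so the example runs offline.
    static String sign(String claimsJson, byte[] key) throws Exception {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String input = enc.encodeToString("{\"alg\":\"HS256\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        return input + "." + enc.encodeToString(hmac(input, key));
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: the issuer keeps its secret Base64-encoded (assumption for illustration).
        byte[] issuerKey = "constructed-secret".getBytes(StandardCharsets.UTF_8);
        String configured = Base64.getEncoder().encodeToString(issuerKey);
        // Constructed wrapper so that index [2] after splitting on '*' is the JWT, as in the post.
        String sessionToken = "*CONSTRUCTED.*" + sign("{\"sub\":\"demo\"}", issuerKey);
        String encodedJwt = sessionToken.split(Pattern.quote("*"))[2];

        System.out.println("secret Base64-decoded first: "
                + verifies(encodedJwt, Base64.getDecoder().decode(configured)));
        System.out.println("secret text used as raw bytes: "
                + verifies(encodedJwt, configured.getBytes(StandardCharsets.UTF_8)));
        System.out.println("different secret: "
                + verifies(encodedJwt, "other-secret".getBytes(StandardCharsets.UTF_8)));
    }
}
```

Only the first check verifies; the other two differ from the issuer's key bytes and fail the same way the filter did.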
