Problem get JWT Session to Work

This topic contains 8 replies, has 4 voices, and was last updated by  waynem 3 months, 1 week ago.

  • #25010
     reeprice 
    Participant

    I am trying to configure a JWT session in my route and I am not having any success. I hope someone can point me in the right direction.

    My config file is set up as

    
    {
      "handler": {
        "type": "Router",
        "name": "_router",
        "capture": "all"
      },
      "heap": [
        {
          "name": "JwtSession",
          "type": "JwtSession"
        },
        {
          "name": "capture",
          "type": "CaptureDecorator",
          "config": {
            "captureEntity": true,
            "_captureContext": true
          }
        },
        {
          "name": "AmService-1",
          "type": "AmService",
          "config": {
            "url": "http://ip-XXX-XX-XX-XX.us-gov-west-1.compute.internal:8080/sso",
            "realm": "/mgmw",
            "ssoTokenHeader": "iPlanetDirectoryPro",
            "version": "6.0",
            "agent": {
              "username": "mgmw",
              "password": "password"
            },
            "sessionCache": {
              "enabled": true
            }
          }
        }
      ]
    }
    

    My route is currently set up as

    
    {
      "name": "pep-cdsso",
      "heap": [
        {
          "name": "AmService-1",
          "type": "AmService",
          "config": {
            "url": "http://ip-XXX-XX-XX-XX.us-gov-west-1.compute.internal:8080/sso",
            "realm": "/",
            "ssoTokenHeader": "iPlanetDirectoryPro",
            "version": "6.0",
            "agent": {
              "username": "ig_agent",
              "password": "password"
            },
            "sessionCache": {
              "enabled": false
            }
          }
        }
      ],
      "secrets": {
        "stores": [
          {
            "name": "KeyStoreSecretStore",
            "type": "KeyStoreSecretStore",
            "config": {
              "file": "/home/jetty/.openig/secrets/jwtsessionkeystore.pkcs12",
              "storetype": "PKS12",
              "storePassword": "keystore.secret.id",
              "mappings": [
                {
                  "secretId": "jwtsession.encryption.secret.id",
                  "aliases": [ "jwe-key" ]
                }
              ]
            }
          }
        ]
      },
      "session": {
        "type": "JwtSession",
        "config": {
          "encryptionSecretId": "jwtsession.encryption.secret.id",
          "cookieName": "am-auth-jwt",
          "cookieDomain": ".us-gov-west-1.compute.internal",
          "signatureSecretId": "jwtsession.signature.secret.id"
        }
      },
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "handler": {
                "type": "Chain",
                "config": {
                  "filters": [
                    {
                      "name": "CrossDomainSingleSignOnFilter-1",
                      "type": "CrossDomainSingleSignOnFilter",
                      "config": {
                        "redirectEndpoint": "/home/pep-cdsso/redirect",
                        "authCookie": {
                          "path": "/",
                          "name": "iPlanetDirectoryPro"
                        },
                        "amService": "AmService-1"
                      }
                    },
                    {
                      "name": "PolicyEnforcementFilter-1",
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "pepRealm": "/",
                        "application": "PEP-CDSSO",
                        "ssoTokenSubject": "${contexts.cdsso.token}",
                        "amService": "AmService-1"
                      }
                    },
                    {
                      "name": "HeaderFilter-InjectUserAttributes-1",
                      "type": "HeaderFilter",
                      "config": {
                        "messageType": "REQUEST",
                        "add": {
                          "email": [
                            "${contexts.policyDecision.attributes.mail[0]}"
                          ],
                          "uid": [
                            "${contexts.policyDecision.attributes.uid[0]}"
                          ],
                          "last": [
                            "${contexts.policyDecision.attributes.sn[0]}"
                          ]
                        }
                      }
                    }
                  ],
                  "handler": "ClientHandler"
                }
              },
              "baseURI": "http://ip-XXX-XX-XX-XX.us-gov-west-1.compute.internal:8081"
            }
          ]
        }
      },
      "condition": "${matches(request.uri.path, '^/home/pep-cdsso' )}"
    }
    

    Now I don’t expect my JWT cookie to have any values, but I do expect it to at least show up on the sample app landing page. I can run an echo $KEYSTORE__SECRET_ID and $JWTSESSION_SIGNATURE_SECRET_ID and it returns the correct base64 value, so I don’t think that is wrong. I created a secrets directory, but I am not sure if that is the correct method or location. When I created my keystore I used the following code

    
    keytool \
    -genkey \
    -alias jwe-key \
    -keyalg rsa \
    -keystore /home/jetty/.openig/secrets/jwtsessionkeystore.pkcs12 \
    -storepass password \
    -keypass password \
    -dname "CN=ip-XXX-XX-XX-XX.us-gov-west-1.compute.internal,O=Example Corp"
    

    I am just hoping that someone can provide some insight into what I am doing wrong.

    #25013
     violette 
    Participant

    Hi,

    Just note for the KeyStoreSecretStore, the type should be “PKCS12”. Also add -storetype PKCS12 \ to your keytool command, otherwise it is a JKS keystore by default.
    For the session, are there any errors in the logs (at startup or when accessing the route)? When you go to /home/pep-cdsso, did you reach the application?

    #25017
     waynem 
    Participant

    Hiya reeprice, can you confirm if IG is also located in the us-gov-west-1.compute.internal domain?
    Thanks, Wayne

    #25025
     waynem 
    Participant

    Hi Reece, yes it does thanks.

    Another couple of quick points before looking more closely:
    1) You’re using am-auth-jwt as the cookie name. This name is the cookie name used by AM Agents for their own CDSSO process
    a) Are you using agents to front IG?
    b) This cookie could be overridden internally by the agent, which may lead to unexpected behaviour

    2) You have two configurations for your AmService instance AmService-1 (one in config.json and the other in your route.json heap). Each is configured differently and – importantly – the agent username/ password are different. This means that the one closest to your route will be the instance that is used. Please can you check your AmService config is how you would expect it (based on your AM config).

    Thanks, Wayne

    • This reply was modified 3 months, 1 week ago by  waynem.
    #25048
     violette 
    Participant

    Hello,

    In fact the CDSSO does not push anything into the JWT session.
    If you want to add the auth. token into your JWT session, you will have to use an AssignmentFilter.
    Note that by default the CDSSO filter places the auth. cookie into ig-token-cookie.
    Also note that the iPlanetDirectoryPro is a reserved name for the cookie session managed by AM. Overriding it may lead to errors when interacting with AM.

    • This reply was modified 3 months, 1 week ago by  violette.
    #25053
     violette 
    Participant

    Well, if the JwtSession does not contain any data, you will not see it.
    You can add an assignment filter to your route for example:

    {
      "type": "AssignmentFilter",
      "config": {
        "onRequest": [{
          "target": "${session.authUsername}",
          "value": "I am root"
        }]
      }
    }

    and you will see that your JwtSession is present on the sample application.

    #25055
     violette 
    Participant

    And if you remove the authCookie attribute from the CDSSO? You should see the ig-token-cookie and the JwtSession TEST.

    #25068
     Joachim Andres 
    Participant

    Hi reeprice,

    Thanks for your interest in IG. From discussing with Violette and Wayne it sounds like this conversation is turning in circles. We don’t see evidence of a product deficiency, although I reckon you didn’t get to the end state you were expecting. To move forward, I’d encourage you to open a support ticket with ForgeRock.

    Best Regards,
    Joachim Andres

    #25070
     waynem 
    Participant

    Hi Reece, just to clarify, Violette is saying that there is nothing in the session so the JwtSession cookie is cleaned up. This is why you can’t see it.

    The reason you see it initially is because there is something in it. As you are using the CdSsoFilter, it uses the session in some comms with AM. Once done though, it removes what it no longer needs (and so the JwtSession, being empty, is then automatically cleaned up and you’ll no longer see it being propagated between requests).

    If you want to test that, try putting something in it in your route, as Violette suggests. An AssignmentFilter before your CdSsoFilter. You’ll then see it maintained when the request is propagated back to the original URL.

    • This reply was modified 3 months, 1 week ago by  waynem.
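The replies above each fix one piece of the original route; the fragment below assembles them into a single route as an added example (it is not the poster's final configuration or a ForgeRock reference sample). It applies "storetype": "PKCS12" from #25013, the comma the original was missing after cookieDomain, one AmService-1 defined in the route only (#25025), a cookie name that does not collide with the agents' am-auth-jwt (ig-jwt-session is a constructed name), no authCookie override of iPlanetDirectoryPro (#25048, #25055), and the AssignmentFilter placed ahead of the CDSSO filter so the session is non-empty and the cookie survives the round trip (#25053, #25070). The DispatchHandler is replaced by a route-level baseURI, and the HeaderFilter from the original route is unchanged and omitted here.

```json
{
  "name": "pep-cdsso",
  "condition": "${matches(request.uri.path, '^/home/pep-cdsso' )}",
  "baseURI": "http://ip-XXX-XX-XX-XX.us-gov-west-1.compute.internal:8081",
  "heap": [
    { "name": "AmService-1", "type": "AmService",
      "config": {
        "url": "http://ip-XXX-XX-XX-XX.us-gov-west-1.compute.internal:8080/sso",
        "realm": "/",
        "ssoTokenHeader": "iPlanetDirectoryPro",
        "version": "6.0",
        "agent": { "username": "ig_agent", "password": "password" }
      }
    }
  ],
  "secrets": {
    "stores": [
      { "name": "KeyStoreSecretStore", "type": "KeyStoreSecretStore",
        "config": {
          "file": "/home/jetty/.openig/secrets/jwtsessionkeystore.pkcs12",
          "storetype": "PKCS12",
          "storePassword": "keystore.secret.id",
          "mappings": [ { "secretId": "jwtsession.encryption.secret.id", "aliases": [ "jwe-key" ] } ]
        }
      }
    ]
  },
  "session": { "type": "JwtSession", "config": {
      "encryptionSecretId": "jwtsession.encryption.secret.id",
      "signatureSecretId": "jwtsession.signature.secret.id",
      "cookieName": "ig-jwt-session",
      "cookieDomain": ".us-gov-west-1.compute.internal"
  } },
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        { "type": "AssignmentFilter",
          "config": { "onRequest": [ { "target": "${session.authUsername}", "value": "I am root" } ] } },
        { "type": "CrossDomainSingleSignOnFilter",
          "config": { "redirectEndpoint": "/home/pep-cdsso/redirect", "amService": "AmService-1" } },
        { "type": "PolicyEnforcementFilter",
          "config": { "pepRealm": "/", "application": "PEP-CDSSO",
                      "ssoTokenSubject": "${contexts.cdsso.token}", "amService": "AmService-1" } }
      ],
      "handler": "ClientHandler"
    }
  }
}
```

The keystore behind this route must be generated with -storetype PKCS12 as noted in #25013; with the AssignmentFilter in place the ig-jwt-session cookie should be visible on the sample application, and removing the filter again makes the empty session (and its cookie) disappear as Wayne describes.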