
  • #28373
     praveenpasi
    Participant

    Hi,
    We are using ForgeRock version 6.5.3 and are testing JWT bearer authentication in ForgeRock.
    We are referring to the doc link https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/#oauth2-jwt-bearer for the configuration in ForgeRock.

    Currently we have tried the following steps and are getting the error 'JWT Signature is invalid':
    1. Generated the example.jks file using the keystore command
    2. Generated the example.cert file from the above example.jks file (RSA algorithm)
    3. Generated a JWT token using the Nimbus JOSE library (Java program)
    4. Using the online tool https://8gwifi.org/jwkconvertfunctions.jsp, retrieved the JWK set from example.cert
    5. Configured the retrieved JWK set under Realms > Realm Name > Applications > Agents > Trusted JWT Issuer.
    6. Configured the certificate in the Client JWT Bearer Public Key field of the client profile by navigating to Realms > Realm Name > Applications > OAuth 2.0 > Client Name > Signing and Encryption.
    Also selected 'X509' as the value of the 'Public key selector' field.
    7. Invoked the curl command below to retrieve an access token from ForgeRock, which gives the 'JWT Signature is invalid' error:
    curl --request POST --data "client_id=my-client-id" --data "client_secret=password" --data "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer" --data "assertion=eyJ4NXQjUzI1" --data "redirect_uri=http://www.example.com" http://hostname:port/openam/oauth2/access_token

    Stacktrace from OAuth2Provider
    ================================

    OAuth2Provider:11/19/2020 09:40:39:291 PM PST: Thread[http-nio-8060-exec-1,5,main]: TransactionId[849c5a31-5de9-4b7f-be1b-1059e0162716-733]
    Adding manually configured JwkSet: {"kty":"RSA","e":"AQAB","kid":"1a075a8f-6356-4221-9ebf-431c32bddde2","n":"tnOojpQ84YybhlxVXtV5aC8JXWVdTsSQUEOWiiPgPtE8yaQFtjRl0ej6renTvD2L7AdVMOR6zhHAf0HlxA2mO0qlVhhdBjyUIggOZjlz956t_siavTmV1N0v1441xy_z5t_Wstnu5fxoO1bJxnp-LATlW2Ow6TErxS3xgns7B2QyROiMfGGKDFkzB3D2TYxoroRQ1raKYlOmOORcOHEFDZ8M10SArQR0vNqD7vlR2kTfOXpMXZ6tSgJIjoYrTq46nF1tqR4QSbgF_khEMZP9GjrGEvrL-CBVlJBdXru6Yl0h5FZVdR0QoeyfW_tY6-QYQCmIMnZuzisJd0k76tD_GQ"}
    OAuth2Provider:11/19/2020 09:40:39:295 PM PST: Thread[http-nio-8060-exec-1,5,main]: TransactionId[849c5a31-5de9-4b7f-be1b-1059e0162716-733]
    WARNING: Unhandled exception: org.restlet.resource.ResourceException: Internal Server Error (500) – The server encountered an unexpected condition which prevented it from fulfilling the request
    org.restlet.resource.ResourceException: Internal Server Error (500) – The server encountered an unexpected condition which prevented it from fulfilling the request
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:527)
    at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
    ….

    Caused by: org.forgerock.oauth2.restlet.OAuth2RestletException: JWT signature is invalid
    at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:104)
    at sun.reflect.GeneratedMethodAccessor86.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:508)
    … 95 more
    Caused by: org.forgerock.oauth2.core.exceptions.InvalidGrantException: JWT signature is invalid
    at org.forgerock.oauth2.core.JwtBearerGrantTypeHandler.handle(JwtBearerGrantTypeHandler.java:95)
    at org.forgerock.oauth2.core.GrantTypeHandler.handle(GrantTypeHandler.java:76)
    at org.forgerock.oauth2.core.AccessTokenService.requestAccessToken(AccessTokenService.java:138)
    at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:78)
    … 99 more

    Stacktrace from org.forgerock.openam.jwt.JwtSignatureVerificationHandler
    ========================================================================

    org.forgerock.openam.jwt.JwtSignatureVerificationHandler:11/20/2020 12:32:57:455 AM PST: Thread[http-nio-8060-exec-2,5,main]: TransactionId[849c5a31-5de9-4b7f-be1b-1059e0162716-966]
    Supplied key id dx4c did not match any valid keys

    Can you please let us know if we are missing any steps?

    Thanks,
    Praveen

    #28374
     Neil Madden
    Participant

    Supplied key id dx4c did not match any valid keys

    This means that your JWT contains a “kid”:”dx4c” header but the JWK Set doesn’t have a key with a matching “kid” field. So either remove the kid header from the JWT or add it to the appropriate key in the JWK Set.
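The diagnosis above, and the seven-step procedure in the question, both come down to one rule: when the assertion's JOSE header carries a kid, the verifier only considers a JWK whose kid is exactly that string, and only then does it check the signature. The script below is an added example written for this thread; it is not code from AM, from Nimbus JOSE or from either poster. It models that lookup with HMAC-signed JWTs and symmetric "oct" JWKs (a substitution for the poster's RSA keys so that it runs on the standard library alone; the kid-matching logic is identical). The kids are the two that appear on the page, the configured JWK's 1a075a8f-... and the dx4c from the debug log; the secret, the claims and the "ok:" result strings are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def peek_header(token: str) -> dict:
    """Decode the JOSE header without verifying anything: this is how to see which
    kid an assertion actually carries before sending it to the token endpoint."""
    return json.loads(b64url_decode(token.split(".")[0]))


def sign_jwt(claims: dict, jwk: dict, kid: str = None) -> str:
    """Build a compact HS256 JWT signed with an 'oct' JWK (constructed stand-in for
    the poster's RS256 signing). A kid header is emitted only when one is passed."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid

    def compact(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(claims)
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def select_keys(header: dict, jwk_set: dict) -> list:
    """Issuer-side key lookup: with a kid header only a key carrying exactly that kid
    qualifies; without one, every key of the right type is a candidate."""
    keys = [k for k in jwk_set["keys"] if k.get("kty") == "oct"]
    if "kid" in header:
        keys = [k for k in keys if k.get("kid") == header["kid"]]
    return keys


def verify_jwt(token: str, jwk_set: dict) -> dict:
    """Return the claims if a selected key verifies the signature; otherwise raise
    ValueError with a message modelled on the two log lines quoted in the thread."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unsupported alg %r" % header.get("alg"))
    candidates = select_keys(header, jwk_set)
    if not candidates:
        raise ValueError("Supplied key id %s did not match any valid keys" % header.get("kid"))
    signing_input = (header_b64 + "." + payload_b64).encode()
    signature = b64url_decode(sig_b64)
    for jwk in candidates:
        mac = hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, signature):
            return json.loads(b64url_decode(payload_b64))
    raise ValueError("JWT signature is invalid")


def outcome(token: str, jwk_set: dict) -> str:
    try:
        return "ok:" + verify_jwt(token, jwk_set)["iss"]
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    """Replay the thread's failure and the two fixes from the reply. The secret is
    generated here; the kids are the ones visible on the page."""
    secret = b64url_encode(secrets.token_bytes(32))
    issuer_key = {"kty": "oct", "k": secret}                  # what the client signs with
    configured_kid = "1a075a8f-6356-4221-9ebf-431c32bddde2"   # kid in the configured JWK set
    trusted_issuer = {"keys": [{"kty": "oct", "kid": configured_kid, "k": secret}]}
    claims = {"iss": "my-client-id", "sub": "my-client-id",
              "aud": "http://hostname:port/openam/oauth2/access_token", "exp": 1700000000}

    results = {}
    # Same key material on both sides, but the JWT says kid=dx4c and the JWK set says a UUID.
    bad = sign_jwt(claims, issuer_key, kid="dx4c")
    results["kid_mismatch"] = outcome(bad, trusted_issuer)
    results["peeked_kid"] = peek_header(bad).get("kid")
    # Fix 1 from the reply: drop the kid header so the verifier tries each configured key.
    results["fix_remove_kid"] = outcome(sign_jwt(claims, issuer_key), trusted_issuer)
    # Fix 2 from the reply: give the configured JWK the kid the JWT actually uses.
    fixed_set = {"keys": [{"kty": "oct", "kid": "dx4c", "k": secret}]}
    results["fix_add_kid"] = outcome(bad, fixed_set)
    # Matching kid but different key material: lookup succeeds, the signature check fails.
    other_set = {"keys": [{"kty": "oct", "kid": "dx4c", "k": b64url_encode(secrets.token_bytes(32))}]}
    results["wrong_key"] = outcome(bad, other_set)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the asymmetry the stack trace in the question illustrates: the token endpoint reports both a kid lookup failure and a genuine bad signature as "JWT signature is invalid", and only the JwtSignatureVerificationHandler debug log names the real cause. Decoding the first segment of the assertion locally, as peek_header does, shows which kid (if any) the signing library put in the header, so it can be compared with the kid in the configured JWK set before the request is sent.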
