Hi all,

I got a similar issue when I try to verify the JWT signature with several 
libraries, including Node.js jsonwebtoken, since the library allows only 
base64url-encoded tokens because of the mentioned RFC 7515.
With the java-jwt library the token is correctly verified.

Debugging the code I found in CAS version 6.0, EncodingUtils.java:362, the 
following code:

        @SneakyThrows
    361 public static byte[] signJws(final Key key, final byte[] value, final String algHeaderValue) {
    362     val base64 = EncodingUtils.encodeBase64(value);   // plain Base64 ('+', '/', '=' padding), not base64url
    363     val jws = new JsonWebSignature();
    364     jws.setEncodedPayload(base64);                     // the MAC is computed over this exact text
    365     jws.setAlgorithmHeaderValue(algHeaderValue);
    366     jws.setKey(key);
    367     jws.setHeader("typ", "JWT");
    368     return jws.getCompactSerialization().getBytes(StandardCharsets.UTF_8);
    369 }


Could it be convenient to use the base64url encoder in the same class 
instead? I've been trying to inject the patch into my overlay environment 
without success because of my poor Gradle skills.

best regards
Michele
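For readers following the thread, here is a stand-alone reproduction of the mismatch under discussion. This is an added example, not CAS, jose4j, jjwt or jsonwebtoken code: the issuer-side builder imitates what the thread attributes to CAS 6.0 (payload segment emitted as plain Base64 with '=' padding, with the HMAC computed over that exact text), the two verifiers show why a strict RFC 7515 library rejects such a token while a tolerant one accepts it, and the normalize step shows what happens when the token is rewritten on the client side. The key, header and payload are constructed values; the URL step uses percent-encoding to show where the %3D%3D comes from.

```python
"""Base64 vs. base64url in a compact JWS (HS512). Added example, stdlib only."""
import base64
import hashlib
import hmac
import json
import re
import urllib.parse
from typing import Optional

# Constructed demo values (not from the thread, not real secrets).
KEY = b"constructed-demo-hs512-key-not-a-real-secret"
# '~~~???' makes the plain-Base64 output contain '+' and '/', and the 16-byte
# length forces '==' padding, so every problematic character shows up.
PAYLOAD = b'{"sub":"~~~???"}'
HEADER = b'{"alg":"HS512"}'

_B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # RFC 7515 section 2: URL-safe alphabet, no '='


def b64url(raw: bytes) -> str:
    """RFC 7515 base64url: URL- and filename-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode_strict(seg: str) -> bytes:
    """Decode a segment only if it is spec-compliant base64url."""
    if not _B64URL_RE.match(seg):
        raise ValueError(f"segment is not base64url: {seg!r}")
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64_decode_lenient(seg: str) -> bytes:
    """Accept either alphabet, padded or not (what tolerant libraries do)."""
    std = seg.replace("-", "+").replace("_", "/").rstrip("=")
    return base64.b64decode(std + "=" * (-len(std) % 4))


def build_hs512(header: bytes, payload: bytes, key: bytes, url_safe: bool) -> str:
    """Compact JWS. url_safe=False imitates the issuer behaviour described in the
    thread: payload segment in plain Base64 (RFC 4648 section 4, padded).
    The HMAC covers the ASCII of 'header.payload' exactly as emitted."""
    h = b64url(header)
    p = b64url(payload) if url_safe else base64.b64encode(payload).decode("ascii")
    signing_input = f"{h}.{p}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha512).digest()
    return f"{h}.{p}.{b64url(sig)}"


def verify_hs512(token: str, key: bytes, strict: bool) -> Optional[dict]:
    """Return the claims if the MAC checks out, else None.
    strict=True : reject any segment that is not base64url before looking at the MAC.
    strict=False: verify the MAC over the segments as received, then decode tolerantly."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if strict:
        try:
            for seg in (h, p, s):
                b64url_decode_strict(seg)
        except ValueError:
            return None
    try:
        sig = b64_decode_lenient(s)
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return json.loads(b64_decode_lenient(p))
    except (ValueError, UnicodeDecodeError):
        return None


def normalize_to_base64url(token: str) -> str:
    """Client-side rewrite of the segments into base64url. This changes the
    signing input, so a MAC computed over the original segments no longer matches."""
    return ".".join(seg.replace("+", "-").replace("/", "_").rstrip("=")
                    for seg in token.split("."))


def demo() -> dict:
    """Run the scenarios from the thread and return each verifier's verdict."""
    cas_style = build_hs512(HEADER, PAYLOAD, KEY, url_safe=False)
    spec = build_hs512(HEADER, PAYLOAD, KEY, url_safe=True)
    # What lands in a redirect URL parameter: '=' -> %3D, '+' -> %2B, '/' -> %2F.
    in_url = urllib.parse.quote(cas_style, safe="")
    received = urllib.parse.unquote(in_url)  # after the client URL-decodes it
    return {
        "cas_style": cas_style,
        "spec": spec,
        "in_url": in_url,
        "still_percent_encoded_lenient": verify_hs512(in_url, KEY, strict=False),
        "unquoted_strict": verify_hs512(received, KEY, strict=True),
        "unquoted_lenient": verify_hs512(received, KEY, strict=False),
        "normalized_lenient": verify_hs512(normalize_to_base64url(received), KEY, strict=False),
        "spec_strict": verify_hs512(spec, KEY, strict=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model the token verifies only with the tolerant verifier and only after it has been URL-decoded back to the exact text that was signed; the strict verifier rejects it on the alphabet and padding alone, a still-percent-encoded value fails the MAC because '%3D%3D' is not what was signed, and rewriting the segments into base64url on the client side also breaks the MAC. The only change that satisfies every verifier is emitting the payload as base64url on the issuer side, which is what Michele's proposed patch does.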



On Monday, December 17, 2018 at 4:04:38 PM UTC+1, William E. wrote:
>
> I think the JWT as seen in the URL as the value for the token parameter 
> has been url'ized by converting some characters to their HTML entity 
> values.  If you look at the same JWT as seen in the CAS logs you will find 
> it does not have the HTML characters; it's pure base64.  If I use that 
> value or convert the token value to non-URL-safe characters, it will 
> validate with jose.
>
> However, although I can validate in jose in Java and Python, I cannot in 
> another Python JWT library. I've been in direct contact with that 
> maintainer and they tell me the JWT built by CAS may not be following 
> spec: that the signature is being built with base64, not base64url 
> encoding.  jose validates because it doesn't verify the payload first.  I'm not 
> sure where the issue is for certain as I am no JWT expert.  Perhaps one of 
> the CAS developers can weigh in?
>
> From the jwcrypto library maintainer:
>
> RFC 7515, Section 2:
>
> Base64url Encoding
> Base64 encoding using the URL- and filename-safe character set
> defined in Section 5 of RFC 4648 [RFC4648], with all trailing '='
> characters omitted (as permitted by Section 3.2) and without the
> inclusion of any line breaks, whitespace, or other additional
> characters. Note that the base64url encoding of the empty octet
> sequence is the empty string. (See Appendix C for notes on
> implementing base64url encoding without padding.)
>
>
> -W
>
>
> On Monday, December 17, 2018 at 6:10:51 AM UTC-6, Devendra Sisodia wrote:
>>
>> I am observing that extra non-base64 chars are appended to the payload. If I 
>> remove them then I am able to verify the signature. Can someone suggest if this 
>> is a CAS issue or an issue in my configuration?
>>
>>
>> JWT:eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpdmVyYXNlIiwiaXNGcm9tTmV3TG9naW4iOiJ0cnVlIiwiYXV0aGVudGljYXRpb25EYXRlIjoiMjAxOC0xMi0xN1QxMzowNTowOS43MzkrMDE6MDBbRXVyb3BlXC9CZXJsaW5dIiwicm9sZXMiOlsidXNlciIsImFjZV9vcGVyYXRvciIsIkFSQ0hJVkVfT1BFUkFUT1IiLCJQSEFTRTNfT1BFUkFUT1IiLCJHTkxUX1VTRVIiLCJDQVRBTE9HVUVfT1BFUkFUT1IiLCJhc21fdXNlciJdLCJzdWNjZXNzZnVsQXV0aGVudGljYXRpb25IYW5kbGVycyI6IkVTTyBBdXRoIEhhbmRsZXIiLCJpc3MiOiJodHRwczpcL1wvY2FzLmV4YW1wbGUub3JnOjg0NDNcL3NzbyIsImNyZWRlbnRpYWxUeXBlIjoiVXNlcm5hbWVQYXNzd29yZENyZWRlbnRpYWwiLCJhdWQiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODg4OFwvYXBpIiwiaXNJbXBlcnNvbmF0aW5nIjoiZmFsc2UiLCJhdXRoZW50aWNhdGlvbk1ldGhvZCI6IkVTTyBBdXRoIEhhbmRsZXIiLCJsb25nVGVybUF1dGhlbnRpY2F0aW9uUmVxdWVzdFRva2VuVXNlZCI6ImZhbHNlIiwiZXhwIjoxNTQ1MDc3MTEwLCJpYXQiOjE1NDUwNDgzMTAsImp0aSI6IlNULTEtYUZwSnRnRXFXTHc3VUREVlN3VnB4SGZucDhnR0EwMjI1ODcifQ
>> %3D%3D
>> .WB71awCAFz2tsa1ZqoZnWacKKVAarjsylBuOvnetHf9CHsIFgYtg58-2hCbeJT-gMFlCzaolriDsks1bE_RIPw
>>
>> If I remove '%3D%3D' from the JWT then verification succeeds. 
>>
>>
>>
>> On Sat, Dec 15, 2018 at 4:14 PM William E. <wre...@uah.edu> wrote:
>>
>>> I think you are seeing the discrepancy due to base64 vs. base64url 
>>> decoding.  I think the JWT spec wants base64url vs. plain base64.
>>>
>>> https://en.wikipedia.org/wiki/Base64#URL_applications
>>>
>>>
>>> On Friday, December 14, 2018 at 9:37:45 AM UTC-6, Devendra Sisodia wrote:
>>>>
>>>> While decoding the JWT there is an error "Bad Base64 input character decimal 
>>>> 37 in array position 806", which means 37 (%) is not allowed in a base64-encoded 
>>>> string in a JWT.
>>>>
>>>> My JWT looks like below and the yellow-highlighted part is the 806th element 
>>>> that cannot be base64-decoded. 
>>>>
>>>> eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpdmVyYXNlI<string>NTg3In0%3D.
>>>> UmNz8ikEOFYqPgHRmZb1SK6A1pRFu48fSfYTasMGYHKtg7V8JepAfwunXwFeHsx5JTi4yKBug1Tq9PqfdY93lA
>>>>
>>>> On Fri, Dec 14, 2018 at 2:11 PM Giuseppe Infurna <giusepp...@gmail.com> 
>>>> wrote:
>>>>
>>>>>
>>>>> I'm using the io.jsonwebtoken.jjwt library:
>>>>>
>>>>> Jwts.parser().setSigningKey(<yourSecretKey>).parseClaimsJws(<yourJwt>);
>>>>>
>>>>>
>>>>>
>>>>> Il giorno venerdì 14 dicembre 2018 14:02:14 UTC+1, Devendra Sisodia ha 
>>>>> scritto:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Big thanks for sharing the configuration; as a result the JWT is not 
>>>>>> encrypted and only signed. 
>>>>>>
>>>>>> But now I face a strange issue: when I try to verify the signature it 
>>>>>> fails. I am using AES and a single key to sign, and the JWT is generated. But 
>>>>>> the generated JWT fails signature verification.
>>>>>>
>>>>>> JWT generated as below:
>>>>>> 2018-12-14 12:33:00,684 DEBUG [org.apereo.cas.token.JWTTokenTicketBuilder] - <Locating service [http://localhost:8888/api] in service registry>
>>>>>> 2018-12-14 12:33:00,685 DEBUG [org.apereo.cas.token.JWTTokenTicketBuilder] - <Locating service specific signing and encryption keys for [http://localhost:8888/api] in service registry>
>>>>>> 2018-12-14 12:33:00,690 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Encryption is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceTokenTicketCipherExecutor] will only attempt to produce signed objects>
>>>>>> 2018-12-14 12:33:00,690 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Signing is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceTokenTicketCipherExecutor] will attempt to produce plain objects>
>>>>>> 2018-12-14 12:33:00,690 DEBUG [org.apereo.cas.token.JWTTokenTicketBuilder] - <Encoding JWT based on default global keys for [http://localhost:8888/api]>
>>>>>> 2018-12-14 12:33:00,734 DEBUG [org.apereo.cas.authentication.principal.DefaultResponse] - <Sanitized URL for redirect response is [http://localhost:8888/api]>
>>>>>> 2018-12-14 12:33:00,736 DEBUG [org.apereo.cas.authentication.principal.DefaultResponse] - <Final redirect response is [http://localhost:8888/api?redirect=true&ticket=eyJhbGciOiJSUzUxMiJ9
>>>>>>
>>>>>> Verification code used is:
>>>>>> import java.nio.charset.StandardCharsets;
>>>>>> import java.security.Key;
>>>>>> import org.jose4j.jws.JsonWebSignature;
>>>>>> import org.jose4j.keys.AesKey;
>>>>>>
>>>>>> // jwtSigning holds the configured signing key string
>>>>>> final Key key = new AesKey(jwtSigning.getBytes(StandardCharsets.UTF_8));
>>>>>>
>>>>>> final JsonWebSignature jws = new JsonWebSignature();
>>>>>> jws.setCompactSerialization(secureJwt); // the token received from CAS
>>>>>> jws.setKey(key);
>>>>>> if (!jws.verifySignature()) {
>>>>>>     throw new Exception("JWT verification failed");
>>>>>> }
>>>>>>
>>>>>> On Thu, Dec 13, 2018 at 3:40 PM Giuseppe Infurna <
>>>>>> giusepp...@gmail.com> wrote:
>>>>>>
>>>>>>>
>>>>>>> yes
>>>>>>>
>>>>>>>
>>>>>>> ### Token/JWT Tickets ENCRYPTION
>>>>>>> cas.authn.token.crypto.enabled=true
>>>>>>>
>>>>>>> cas.authn.token.crypto.signing-enabled=true
>>>>>>> cas.authn.token.crypto.signing.key=Dkkpi7iUKqidOXXmeAbr4RyHirYmgQgqqUrIo6q_JPNks2iqX2l95jVVoZQDWLNiFnhQF43agCtdMxRnIXOO9g
>>>>>>>
>>>>>>> cas.authn.token.crypto.encryption-enabled=false
>>>>>>> cas.authn.token.crypto.encryption.key=
>>>>>>>
>>>>>>> and 
>>>>>>>
>>>>>>> {
>>>>>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>>>>>   "serviceId" : "^(http|https)://?localhost(:8081|:9060|:9000)?/.*",
>>>>>>>   "name" : "myApplication",
>>>>>>>   "theme" : "myApplication",
>>>>>>>   "id" : 10000003,
>>>>>>>   "description" : "My Application",
>>>>>>>   "evaluationOrder" : 1,
>>>>>>>   "usernameAttributeProvider" : {
>>>>>>>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>>>>>>>   },
>>>>>>>   "attributeReleasePolicy" : {
>>>>>>>     "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>>>>>   },
>>>>>>>   "accessStrategy" : {
>>>>>>>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>>>>>>>     "enabled" : true,
>>>>>>>     "ssoEnabled" : true
>>>>>>>   },
>>>>>>>   "proxyPolicy" : {
>>>>>>>     "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
>>>>>>>     "pattern" : "^(http|https)?://.*"
>>>>>>>   },
>>>>>>>   "properties" : {
>>>>>>>     "@class" : "java.util.HashMap",
>>>>>>>     "jwtAsServiceTicket" : {
>>>>>>>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>>>>>>>       "values" : [ "java.util.HashSet", [ "true" ] ]
>>>>>>>     }
>>>>>>>   }
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Il giorno giovedì 13 dicembre 2018 14:55:49 UTC+1, Devendra Sisodia 
>>>>>>> ha scritto:
>>>>>>>>
>>>>>>>> Sorry, but this does not work.
>>>>>>>> What does your service (the one with the definition of 'jwtAsServiceTicket', 
>>>>>>>> etc.) look like?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Dec 13, 2018 at 2:09 PM Giuseppe Infurna <
>>>>>>>> giusepp...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>  it works fine for me with
>>>>>>>>>
>>>>>>>>> cas.authn.token.crypto.encryption-enabled=false
>>>>>>>>> cas.authn.token.crypto.encryption.key=
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Il giorno lunedì 12 novembre 2018 16:44:10 UTC+1, Xavier Rodríguez 
>>>>>>>>> ha scritto:
>>>>>>>>>>
>>>>>>>>>> I'm configuring CAS Server 5.3.3. For one service I need to 
>>>>>>>>>> respond with a JWT without encryption. Is it possible?
>>>>>>>>>>
>>>>>>>>>> I have changed in cas.properties:
>>>>>>>>>>
>>>>>>>>>> cas.authn.token.crypto.encryptionEnabled=false
>>>>>>>>>>
>>>>>>>>>> But it has no effect. I also don't configure this property in my 
>>>>>>>>>> service:
>>>>>>>>>>
>>>>>>>>>> "jwtAsServiceTicketEncryptionKey"
>>>>>>>>>>
>>>>>>>>>> How can I disable this property?
>>>>>>>>>>
>>>>>>>>>> Regards!
>>>>>>>>>>
>>>>>>>>>> - Xavier -
>>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> - Website: https://apereo.github.io/cas
>>>>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>>>>> --- 
>>>>>>>>> You received this message because you are subscribed to the Google 
>>>>>>>>> Groups "CAS Community" group.
>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>>>>> send an email to cas-user+u...@apereo.org.
>>>>>>>>> To view this discussion on the web visit 
>>>>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/0cdbba7e-75b3-4a5f-9e4b-c68b9e8a233a%40apereo.org
>>>>>>>>>  
>>>>>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/0cdbba7e-75b3-4a5f-9e4b-c68b9e8a233a%40apereo.org?utm_medium=email&utm_source=footer>
>>>>>>>>> .
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/04fb4f18-e5fa-4a1f-9f37-1a71c7968a86%40apereo.org.
