Hi all,

I followed these instructions to encrypt the "clientSecret" parameter of OAuth2 JWT
tokens with CAS Apereo 6.1:
https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/

Step 1: Using the CAS Shell to encrypt clientSecret

root@ubuntu16:~/lam/cas-overlay-template# ./gradlew downloadShell runShell
root@ubuntu16:~/lam/cas-overlay-template# java -jar build/libs/cas-server-support-shell-6.1.7.jar
cas>encrypt-value value exampleOauthClientSecret alg PBEWithMD5AndTripleDES provider SunJCE password Vnpt@123 iterations 1000
==== Encrypted Value ====
{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==
cas>decrypt-value value {cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg== alg PBEWithMD5AndTripleDES provider SunJCE password Vnpt@123 iterations 1000

==== Decrypted Value ====
exampleOauthClientSecret

Step 2: I make the service registration like this

root@ubuntu16:/etc/cas/services-repo# cat OAuthJWTService-3.json
{
    "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
    "clientId": "exampleOauthClient",
    #"clientSecret": "exampleOauthClientSecret",
    "clientSecret": "{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==",
    "serviceId" : "^https://cascore.vdc2.com.vn:9999/.*",
    "name" : "OAuthJWTService",
    "id" : 3,
    "jwtAccessToken": true,
    "attributeReleasePolicy" : {
      "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
      "allowedAttributes" : [ "java.util.ArrayList",
        [ "comdepartment", "comid", "lastname", "usercode", "userdate", "useremail", "userparentid", "userstatus", "usertel", "usertype" ] ]
    },
    "properties" : {
      "@class" : "java.util.HashMap",
      "accessTokenAsJwtSigningKey" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "CoSfJ2WweU-cWcUYSjW2PWLVLd9hIVG0xxjFFUHSUbCjkkNiwPli_WlqF9V2MHJH3SGH_4DifSYxlgs98h4snA" ] ]
      },
      "accessTokenAsJwtEncryptionKey" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "_3gpqpSiIEjHT0xlscGvgDr0-iPIeeEeyecfFgbg_5E" ] ]
      },
      "accessTokenAsJwtSigningEnabled" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "true" ] ]
      },
      "accessTokenAsJwtEncryptionEnabled" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "true" ] ]
      },
      "accessTokenAsJwtCipherStrategyType" : {
         "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
         "values" : [ "java.util.HashSet", [ "SIGN_AND_ENCRYPT" ] ]
      }
    }
}

Step 3: I configure CAS Apereo globally like this (my global config is stored in MongoDB)

{"_id":{"$oid":"5f058f62ee9a446824d4adf3"},"name":"org.apereo.cas.standalone.configurationSecurity.alg","value":"PBEWithMD5AndTripleDES"}
{"_id":{"$oid":"5f058f79ee9a446824d4adf4"},"name":"org.apereo.cas.standalone.configurationSecurity.provider","value":"SunJCE"}
{"_id":{"$oid":"5f058f8aee9a446824d4adf5"},"name":"org.apereo.cas.standalone.configurationSecurity.iterations","value":"1000"}
{"_id":{"$oid":"5f058f9dee9a446824d4adf6"},"name":"org.apereo.cas.standalone.configurationSecurity.psw","value":"Vnpt@123"}

Step 4: I rebuild CAS

Step 5: I call the API to create a JWT token like this

curl https://cascore.vdc2.com.vn:8443/cas/oauth2.0/token?grant_type=password'&'client_id=exampleOauthClient'&'client_secret=exampleOauthClientSecret'&'username=abc'&'password=Vnpt@123 | jq

But it shows this problem:
{
  "@class": "java.util.LinkedHashMap",
  "timestamp": [
    "java.util.Date",
    1594370510760
  ],
  "status": 401,
  "error": "Unauthorized",
  "message": "No message available",
  "path": "/cas/oauth2.0/token"
}
I try again with this:

curl https://cascore.vdc2.com.vn:8443/cas/oauth2.0/token?grant_type=password'&'client_id=exampleOauthClient'&'client_secret={cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg=='&'username=abc'&'password=Vnpt@123 | jq

But it shows this error again:
{
  "@class": "java.util.LinkedHashMap",
  "timestamp": [
    "java.util.Date",
    1594370510760
  ],
  "status": 401,
  "error": "Unauthorized",
  "message": "No message available",
  "path": "/cas/oauth2.0/token"
}

I tried changing the parameter to plain text in the registration file, from
"clientSecret": "{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==" to
"clientSecret": "exampleOauthClientSecret",
and it works and gives me a JWT token.
Please help me.
Thanks
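Added example, not code from the CAS project or from the poster. It models the two things worth checking before concluding that the encrypted clientSecret itself is the problem: what the server actually receives from the query string (the ciphertext in the post contains a "+", which a query-string parser turns into a space unless it was sent as %2B), and how a service registry ought to compare a stored value carrying the {cas-cipher} prefix (strip the prefix, decrypt, then compare in constant time). Function names (`submitted_secret`, `build_query`, `resolve_stored_secret`, `client_secret_matches`, `walkthrough`) and the `stand_in_decrypt` lookup are assumptions of this example; PBEWithMD5AndTripleDES is not implemented here, so the decryptor is an injected callable. Note also that the linked post is titled for CAS 6.2.x while the shell jar used here is 6.1.7.

```python
"""Added example, not code from the CAS project or from the original post.

Models two checks for a client_secret stored as a {cas-cipher} value:
1. whether the secret survives query-string decoding ('+' -> space unless
   percent-encoded as %2B), and
2. whether a registry resolves the prefixed value before comparing it.

PBEWithMD5AndTripleDES is not implemented; `stand_in_decrypt` is a
constructed lookup that only knows the post's example value.
"""
import hmac
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode

CIPHER_PREFIX = "{cas-cipher}"

# Values taken from the post (the post's example secret, not a real credential).
PLAIN_SECRET = "exampleOauthClientSecret"
STORED_CIPHERTEXT = (CIPHER_PREFIX +
                     "La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==")


def submitted_secret(query: str) -> Optional[str]:
    """Return client_secret as a server sees it after query-string decoding."""
    values = parse_qs(query, keep_blank_values=True).get("client_secret")
    return values[0] if values else None


def build_query(client_id: str, client_secret: str) -> str:
    """Build a query string with every value percent-encoded ('+' -> %2B, '/' -> %2F, '=' -> %3D)."""
    return urlencode({"grant_type": "password",
                      "client_id": client_id,
                      "client_secret": client_secret})


def resolve_stored_secret(stored: str,
                          decrypt: Optional[Callable[[str], str]]) -> str:
    """Return the plaintext a registry should compare against.

    With a decryptor, a {cas-cipher} value is decrypted; without one the
    stored string is used verbatim, which is how a registry that does not
    understand the prefix would behave.
    """
    if decrypt is not None and stored.startswith(CIPHER_PREFIX):
        return decrypt(stored[len(CIPHER_PREFIX):])
    return stored


def client_secret_matches(stored: str, submitted: Optional[str],
                          decrypt: Optional[Callable[[str], str]]) -> bool:
    """Constant-time comparison of the submitted secret with the resolved stored one."""
    if submitted is None:
        return False
    expected = resolve_stored_secret(stored, decrypt)
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def stand_in_decrypt(ciphertext: str) -> str:
    """Constructed stand-in for PBEWithMD5AndTripleDES: knows only the post's value."""
    table = {STORED_CIPHERTEXT[len(CIPHER_PREFIX):]: PLAIN_SECRET}
    return table.get(ciphertext, "")


def walkthrough() -> dict:
    """Replay the post's attempts and return each outcome keyed by name."""
    raw_attempt = ("grant_type=password&client_id=exampleOauthClient"
                   "&client_secret=" + STORED_CIPHERTEXT)
    encoded_attempt = build_query("exampleOauthClient", STORED_CIPHERTEXT)
    return {
        # '+' inside the unencoded ciphertext arrives as a space
        "raw_ciphertext_survives_query":
            submitted_secret(raw_attempt) == STORED_CIPHERTEXT,
        "encoded_ciphertext_survives_query":
            submitted_secret(encoded_attempt) == STORED_CIPHERTEXT,
        # registry without prefix support: plaintext never matches stored ciphertext
        "plain_vs_cipher_no_decrypt":
            client_secret_matches(STORED_CIPHERTEXT, PLAIN_SECRET, None),
        # registry that decrypts the prefixed value: plaintext matches
        "plain_vs_cipher_with_decrypt":
            client_secret_matches(STORED_CIPHERTEXT, PLAIN_SECRET, stand_in_decrypt),
        # the post's fallback: plaintext stored, plaintext submitted
        "plain_vs_plain":
            client_secret_matches(PLAIN_SECRET, PLAIN_SECRET, None),
    }


if __name__ == "__main__":
    for name, ok in walkthrough().items():
        print(f"{name}: {ok}")
```

Running the script shows that the unencoded ciphertext does not survive the query string, and that the plaintext secret only matches the stored {cas-cipher} value when something on the registry side decrypts it first; both halves are worth confirming against the server's own logs before swapping the secret back to plain text.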
