Iss claim not valid Keycloak - spring

I use the keycloak service to login my web app. Use as a backend spring with oauth 2.0 security. When I go to make a request with postman using the bearer token obtained from keycloak it gives me an error 401 and also in the text of the answer next to the www-Authenticate entry it tells me:
Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: The iss claim is not valid", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1".
How could I solve this problem?

Spring config value must be exactly the same as iss claim value. Even trailing slash, if any, is important.
Do as #BenchVue wrote in comment: open one of access-token JWTs in jwt.io, copy iss claim value and paste it in spring conf.

the OAuth properties in application.properties must be the same as the Keycloak address:
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://keycloak-IP:Port/auth/realms/XXX

Related

Invalid signature Azure access token jwt.io

I generated access tokens using Azure AD+ Spring Boot using Outh2 Authorization code grant flow.
But when I try to validate the token generated (using Spring Boot resource server apis) I get an "Invalid Signature" Error.
Question is I get "Invalid Signature" error when I copy/paste the token in jwt.io as well.
Jwt.io image
Does that mean that my access token does not actually have a valid signature ??
When I switched the Algorithm from RS256 to HS256 in jwt.io it says that the signature was verified. Which I found strange.
Is there any way I can know what algorithm is used by Azure AD to generate Access tokens after successful user login??
I tried to reproduce the same in my environment and got the below results:
I generated Authorization code by using the below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=openid profile
&state=12345
I generated the access token using Authorization code grant flow using Postman by using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:openid profile
grant_type:authorization_code
redirect_uri:RedirectURI
code:code
When I decoded the above access token, I got the same error like below:
Note that: Graph API token doesn't require validation (aud is Graph). Graph access token will not pass Signature verification in the code because access token is not for the application.
To resolve the issue, you can try replacing the scope as api://ClientIDofApp/.default while generating the token like below:
The access token decoded successfully without any error like below:
Reference:
openid - Signed JWT rejected: Invalid signature azure-spring-boot (github.com)

CAS 6.0 and Spring Security: JWT configuration fails on Service Ticket validation

I'm setting up a configuration using CAS 6.0 and Spring Boot with Spring Security so as to shift to JWT. Looking at this guide, I've configured module dependency, CAS Service Registry, and signing and encryption Keys. The flow goes fine:
calling the app at https://localhost:9000/secure/home/test I'm redirected to CAS login,
at https://localhost:8443/cas/login?service=https%3A%2F%2Flocalhost%3A9000%2Flogin%2Fcas I can correctly specify credentials and see TGC in JWT form inside the cookies,
after inserting credentials I'm redirected to https://localhost:9000/login/cas.
Last call has the two query string parameters redirect=true and ticket=[JWT string].
I've set up a filter decoding the token and it works, but then the filter chain hits CasAuthenticationFilter, which sees the ticket parameter and tries to validate it as Service Ticket, failing.
How can it be made aware of jwt, and forward the request to the original URL?
the same question in CAS 5.3.x.
finally I did the following flow:
CAS Server:
set up the cas.properties in cas server, add 'cas.ticket.st.numberOfUses=2' to let service ticket can be used twice. (default value is 1)
Application Server:
set up a filter to decode JWT token, extract service ticket from the key "jti" in JWT token.
set the response status to 302 and redirect to the request url and make the service ticket as query string named "ticket". (note that in this step should not go on the next filter)
the redirect request from #2 should not process in #1's filter then go on the filter chain.
The above flow works. But need more testing to confirm the working fine for web applications and result api service.

How to setting JWT Authentication in KONGA

I want to add a JWT Authentication to my services.
I have done the following steps, but JWT Authentication is not working
Create a Consumer
Insert a JWT secret into Consumer
Add a JWT plugin with the Consumer id in Service and Route
However, the message that I get from Postman is Unauthorized.
I have no issue if I am using Key-Auth and Basic Auth. Too many website that I have seek and find, but not solve my problem.
I using jwt.io website to generate Token, but I am not sure the information to be fill in the Payload section.
JWT in Service/Route
JWT in Consumer
JWT in Website jwt.io (This is the confusing part, stuck here at Payload)
Postman
Appreciate if anyone can help me out.
KONGA version: 0.14.3
Kong version: 1.3.0
Same issue with you, every steps that you did were absolute correct. I also cannot find out the solution somewhere else. But luckily I got the solution after reviewing again all params to enable JWT plugin & create JWT for consumers.
I found this param config.header_names must be inputted as Authorization (remember type Enter after inputting :D).
Although the Kong document (https://docs.konghq.com/hub/kong-inc/jwt/) said that this value is optional and default value is "Authorization" but actually if you left it blank I realized that Kong cannot extract JWT from header.
The key claim name (in your case "iss") must exist in your jwt token and the consumer in kong must be configured to expect that (in "key" field for the respective consumer)
For the token to be valid, the value of "iss" in your token must be equal to the value of "key" that you entered while creating the consumer

what exactly is sent from the resource server to the authentication server In spring security oauth2 during token validation

I understand that a resource server will make a call to the authentication server with a token to confirm that it is valid.
However is this token the same Cookie: JSESSIONID?
Oauth 2.0 Bearer tokens are of two types - General tokens(e.g like java uuid string) and JWT tokens.
General tokens will be stored in the authorization server token store along with their scopes, expiry, client ID, UserId and other related information. When client sends request to resource server, Resource server need to reach out authorization server(Spring oauth 2.0) for bearer token validation.
JWT tokens contains information about its expiry along other user information and self sufficient to work in stateless sessions, Here we don't need to validate oauth 2.0 JWT tokens from authorization server.
JSESSIONID Cookie is created by spring security by default, its not related to Bearer token authorization.
Well the standard solution is an introspection request, as in step 14 of this post: https://authguidance.com/2017/09/26/basicspa-oauthworkflow/
Not all solutions are standards based though - and I always recommend capturing the HTTP traffic

Changing SSL Certificate and associated domain gives a 401 when it didn't before

I have an application with multiple services. One of them is the auth service that takes care of creating the jwt after checking that the client id (i.e. browser or app) is valid and provided username/password is also valid.
I have another service (gateway) that redirect to other services any requests from the users using the jwt token for authentication.
All this works and has been working for a few years. It is based on Spring Boot using Spring Security (starter v2.1.5). It is soon time to renew our certificate and at the same time move to our new domain. The new certificate has been applied to the Google Cloud Platform load balancer.
The call for health check using the Spring Actuator is responding with the proper "UP" (in json) response. When I try to make the call from same Postman request (with new domain name used) I get the following response with a 401 code:
{
"error": "unauthorized",
"error_description": "Full authentication is required to access this resource"
}
I do have the proper clientid and password/secrete encoded using base64 (hey it worked before and nothing else was changed).
I tried to debug setting #EnableWebSecurity(debug = true), but it generates zero logs from the request.
If I switch back the certificate to old one (and old domain), it works again without any other changes. This has been driving me a bit on the crazy side to say the least. Any help, suggestion, ideas would be appreciated.
It ended up being an error on my part. When I added a A class resources during the copy paste of Load Balancer IP, I put the same IP for both of my services (i.e. one of the copy didn't stick). Ending up in calling security on the gateway service when asking for the auth token.
Thanks for the comment #Boris-Treukhov

Resources