3

I am trying to implement a service (API) that fulfills the OAuth role of a resource server. We have an Angular client application that implements the implicit flow. We are using GLUU as our OpenID Provider. The client application is able to successfully get an id_token (JWT) from the authorization server. However, when it calls the API (passing that token as a bearer token in the authorization header) the resource server fails attempting to validate it. I get a JwkException with the message: enc (use) is currently not supported.

I am configuring security.oauth2.resource.jwk.key-set-uri in my application.yml with the endpoint my GLUU server provides (https://[my-gluu-server-host]/oxauth/restv1/jwks)

The failure in the resource server happens in this method: org.springframework.security.oauth2.provider.token.store.jwk.JwkSetConverter.createRsaJwkDefinition(Map<String, String>)

Specifically it happens in the following block, where its parsing the document from the /oxauth/restv1/jwks endpoint:

// use
JwkDefinition.PublicKeyUse publicKeyUse = JwkDefinition.PublicKeyUse.fromValue(attributes.get(PUBLIC_KEY_USE));
if (!JwkDefinition.PublicKeyUse.SIG.equals(publicKeyUse)) {
  throw new JwkException((publicKeyUse != null ? publicKeyUse.value() : "unknown") + " (" + PUBLIC_KEY_USE + ") is currently not supported.");
}

The jwks document from the GLUU server includes, among other keys, the following:

{
  "kid": "2f2963f5-2e69-448d-8d4b-a0c573a0ae12",
  "kty": "RSA",
  "use": "sig",
  "alg": "RS256",
  "exp": 1561073429125,
  "n": "1i27yldjaqy1E43560by_mWC9weI9jilYGIHIYc_1nSM0QdVMg3OU-NVBfAcDZhw0ghJ4uZIyjnVVUBp-QqZfvQ9nMVPcYDb3Fycbag3jQ2zYJfU_lAVOoSQquq_Tk8pa4NlJWIbiEFCpkLlNZVZdP8950aZVJX5Z5AzZq6CognrnItuyjNxyA25r244dZyDiShvQ7AC3nX8u04AKTSu-bVBMuZEtJVb7wH3KDxUzgPSj-xZ2ddA9Af9I-GNKpIj5lM7KVun3GMKoVh_NsLVODAbBsJZpG_wKcN0IuHdtoJG3pCD95JmpaSUIlYbvnHH9y19tC45v5dHXUEyv1x8bw",
  "e": "AQAB",
  "x5c": [
  "MIIDBDCCAeygAwIBAgIhALFTvUWtPFdT9hBmo/5AlANq9RBZggZYbYW/2adHb50XMA0GCSqGSIb3DQEBCwUAMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTgwNjIwMjMzMDE5WhcNMTkwNjIwMjMzMDI5WjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1i27yldjaqy1E43560by/mWC9weI9jilYGIHIYc/1nSM0QdVMg3OU+NVBfAcDZhw0ghJ4uZIyjnVVUBp+QqZfvQ9nMVPcYDb3Fycbag3jQ2zYJfU/lAVOoSQquq/Tk8pa4NlJWIbiEFCpkLlNZVZdP8950aZVJX5Z5AzZq6CognrnItuyjNxyA25r244dZyDiShvQ7AC3nX8u04AKTSu+bVBMuZEtJVb7wH3KDxUzgPSj+xZ2ddA9Af9I+GNKpIj5lM7KVun3GMKoVh/NsLVODAbBsJZpG/wKcN0IuHdtoJG3pCD95JmpaSUIlYbvnHH9y19tC45v5dHXUEyv1x8bwIDAQABoycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQELBQADggEBAGvDX4s66Vd6Ca7yVZrRwprICYfD2+UWHhXzWZ1cDxH0nM74tHlKn2F5j5M7lDkr9nNkMGwWRzdUpRSmqBW6b3E4Z4JeZqdlOp3GOwV+FK7R1SL0HY4XVUlBh2WJ+WjPubK9G7PUVhKqFYb7yHHPjZsvTtxxr11J0w3xnUvnBdTmPu4ByawpzhEMwWfREMhKFuTdB1eqg72he5C4cYJy48mAs/OJ25hmG58UDgTcT/qSnKsstsaTbhpnf0ky/TuoT05bjHg4yl8sOlJyPmorScj+PCHmfysrp5GKZ682jL/ffuZUSpv5pwVtzI5pG0Be0DbVmUUcMXWOie0uvGIEWI4="
  ]
}

AND

{
  "kid": "4e40e28f-3c23-4703-a4e5-256701729b9d",
  "kty": "RSA",
  "use": "enc",
  "alg": "RS256",
  "exp": 1561073429125,
  "n": "rVyl3F36BIXhSNK2ed4BtuptJNc2VC-PbTBp1_EvzKdOZH6hoYAS7aOlZyzSGBJ653jH1omFwwB2m3bABrSrkJWwW2bw4z-20ZuuZTXkhjGTVJF971jXAz7WWu5x2JGNx_Y6xPeE1ikZD81JYKwSYFGJBKxW7P_H_CsmufPbXUty6LAt49BqJTOApP-pInmoJAwEwexoKwZ5lg9pid6bOFAQb_38yX4wlFJ5sIm9xi1zhvOJfLti2-T9Kfldi3hyTTLbt8p2nWZpNydWTlu4Eo6tixl5TdWY2izTNOooll5ix-Y0weV648jAz5nZ61HC0QZzP9phce7D4rVozz-1Qw",
  "e": "AQAB",
  "x5c": [
  "MIIDBDCCAeygAwIBAgIhAI4ioYhsQvP+TfanCQ5cBFIMgWTgw1Zz6ZRdKXyaKtx8MA0GCSqGSIb3DQEBCwUAMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwHhcNMTgwNjIwMjMzMDIwWhcNMTkwNjIwMjMzMDI5WjAhMR8wHQYDVQQDDBZveEF1dGggQ0EgQ2VydGlmaWNhdGVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArVyl3F36BIXhSNK2ed4BtuptJNc2VC+PbTBp1/EvzKdOZH6hoYAS7aOlZyzSGBJ653jH1omFwwB2m3bABrSrkJWwW2bw4z+20ZuuZTXkhjGTVJF971jXAz7WWu5x2JGNx/Y6xPeE1ikZD81JYKwSYFGJBKxW7P/H/CsmufPbXUty6LAt49BqJTOApP+pInmoJAwEwexoKwZ5lg9pid6bOFAQb/38yX4wlFJ5sIm9xi1zhvOJfLti2+T9Kfldi3hyTTLbt8p2nWZpNydWTlu4Eo6tixl5TdWY2izTNOooll5ix+Y0weV648jAz5nZ61HC0QZzP9phce7D4rVozz+1QwIDAQABoycwJTAjBgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQELBQADggEBABhoycn6/mX07QTWcJ5G9neSjwur7iJxzcI2I3oXvewHQ+Hd5WI5YDh0zIBK5wAmaveUGWVTLHQayh1eOape0u+cHjaK1uoyB9j/PmRXgvVihpxG+oRHR6vWIb2BUzSNZ9zZLlDFhov3ZLeT4qtetj3Zp5WYd4mnTbmqZDHoXOu/ApXvIqCR0wnMZs90fK9ye/gImur2eLi145yyp2t1Q7HP6MqFhyX6lBXETyzJrgIxekJr0gOBrtAx4/DC8gODMsfDJI94QSso/l0EBp5Gmb1auwVT8g8B1yesOJmavcmnDADsqc3GjZTUt4DfDBl5sIulX4lcwEuYAyJV8BhgkNs="
  ]
}

So my question is, why does org.springframework.security.oauth2.provider.token.store.jwk.JwkSetConverter throw an exception whenever it sees a key other than one for signing? It seems to me that it shouldn't matter if there are encryption keys in the set.

Potentially I can tell GLUU to not include these keys, but I can't seem to find any documentation that would support this effort.

Any ideas how to work around this issue?

troy
  • 71
  • 9

1 Answers1

0

You can edit jwks directly in persistence. You can remove all enc keys, however it's not really good way to follow:

  • it disables ability to use encrypted tokens
  • during next jwks re-generation persistence will be automatically populated with enc keys again (you can avoid it if turn off automatic keys re-generation on server).

You may want to ask questions on https://support.gluu.org

Yuriy Zabrovarnyy
  • 11
  • 1
  • Your answer is subjective because there are no sources that would back up your words. These types of answers are considered bad for SO and tend to be downvoted or even removed. Please refer to [How do I write a good answer?](https://stackoverflow.com/help/how-to-answer) *Section: Provide context for links*. Apart from it being subjective, it's not complete, you essentially redirect an asker to some support website. – improbable Mar 18 '21 at 17:24