9

I am trying to set up OAuth2/OpenID Connect with ForgeRock OpenAM integrated with Spring Security and am getting the following error:

2019-06-17 15:01:42.576 DEBUG 62255 --- [nio-8090-exec-2] .o.s.r.w.BearerTokenAuthenticationFilter : 
Authentication request for failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: 
An error occurred while attempting to decode the Jwt: 
Signed JWT rejected: Another algorithm expected, or no matching key(s) found

The JWK .well-known URI returns the following supported algorithms:

"id_token_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ]

The decoded JWT shows the following header:

{
  "typ": "JWT",
  "zip": "NONE",
  "alg": "HS256"
}

Is there a way I can set a specific JwtDecoder based on the value coming from the header or enforce AM to use one particular algorithm?

Adnan Mamajiwala

3 Answers

7

The issue was with the configuration in the Access Management on the token encryption. It was blank, but for some reason the JWT header showed HS256, which caused Spring to look for the HS256 private key and fail. After I changed the setting to use RS256, everything started working.

Adnan Mamajiwala
+1 For Keycloak 10.0.1, I had to set a similar setting, "Default Signature Algorithm" under Realm / Tokens, to RS256 (or whatever you prefer) – meDev Jun 04 '20 at 16:25
6

In my case, by default NimbusJwtDecoder was taking RS256 as the JWS algorithm. So I configured the JwtDecoder and provided the RS512 algorithm, which I found in my JWT header.

{ "alg": "RS512", "typ": "JWT" }

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // JWK Set endpoint of the authorization server, taken from application properties
    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request needs a valid bearer token, verified by the decoder bean below
        http.authorizeRequests().anyRequest().authenticated()
            .and().oauth2ResourceServer().jwt().decoder(jwtDecoder());
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // NimbusJwtDecoder expects RS256 by default; tell it the tokens are signed with RS512
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).jwsAlgorithm(SignatureAlgorithm.RS512).build();
    }
}

I AM GROOT
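As an added illustration, not code from the question, the answers, Spring Security or Nimbus, the following stand-alone Go program implements the check that produces the error in the question: a decoder that accepts only the algorithms it was configured with and verifies only with a key of the type that algorithm needs. The key set, the kid "am-1", the issuer URL, the claims and the HMAC secret are all constructed for the example. Run through a decoder configured for RS256 with the issuer's RSA key, an RS256 token is accepted while an HS256 token is rejected with "another algorithm expected"; if HS256 were added to the allowed set but the key set still held only RSA keys, the same token would be rejected with "no matching key(s) found", the other half of the Nimbus message.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Key struct { // one entry of a hypothetical key set modelled on a JWK
	Kid, Kty string         // Kty is "RSA" or "oct"
	RSA      *rsa.PublicKey // set when Kty == "RSA"
	Secret   []byte         // set when Kty == "oct"
}

// Decoder binds the algorithms a resource server accepts to the keys it was configured with.
// The token's own "alg" is untrusted input: it may select a key of the matching type, but it
// never chooses the verification primitive.
type Decoder struct {
	Allowed map[string]bool
	Keys    []Key
}

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}

var b64 = base64.RawURLEncoding
var keyTypeFor = map[string]string{"RS256": "RSA", "HS256": "oct"} // alg -> key type it needs

// Decode verifies a compact JWS and returns its payload. The two rejection messages mirror
// the Nimbus error in the question: alg outside the configured set, or no usable key for it.
func (d *Decoder) Decode(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	var h header
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &h) != nil {
		return nil, fmt.Errorf("malformed JWS")
	}
	if !d.Allowed[h.Alg] {
		return nil, fmt.Errorf("signed JWT rejected: another algorithm expected, got %q", h.Alg)
	}
	sig, _ := b64.DecodeString(parts[2]) // a corrupt signature simply fails to verify below
	input := []byte(parts[0] + "." + parts[1])
	for _, k := range d.Keys {
		if k.Kty != keyTypeFor[h.Alg] || (h.Kid != "" && h.Kid != k.Kid) {
			continue // an RSA key is never fed to HMAC, and vice versa
		}
		switch h.Alg {
		case "RS256":
			digest := sha256.Sum256(input)
			if rsa.VerifyPKCS1v15(k.RSA, crypto.SHA256, digest[:], sig) == nil {
				return b64.DecodeString(parts[1])
			}
		case "HS256":
			mac := hmac.New(sha256.New, k.Secret)
			mac.Write(input)
			if hmac.Equal(mac.Sum(nil), sig) {
				return b64.DecodeString(parts[1])
			}
		}
	}
	return nil, fmt.Errorf("signed JWT rejected: no matching key(s) found")
}

// Sign mints a token the way the issuer would; it exists only to produce test tokens.
func Sign(alg, kid string, claims []byte, priv *rsa.PrivateKey, secret []byte) string {
	hdr, _ := json.Marshal(header{Alg: alg, Kid: kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	if alg == "HS256" {
		mac := hmac.New(sha256.New, secret)
		mac.Write([]byte(input))
		return input + "." + b64.EncodeToString(mac.Sum(nil))
	}
	digest := sha256.Sum256([]byte(input)) // RS256
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// Scenario reproduces the question: a decoder configured for RS256 with the issuer's RSA key
// receives an RS256 token and an HS256 token over constructed claims, and reports each result.
func Scenario() (payload string, rsErr, hsErr error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key published at the JWKS URI
	claims := []byte(`{"sub":"alice","iss":"https://am.example.test/oauth2"}`)
	dec := &Decoder{Allowed: map[string]bool{"RS256": true}, Keys: []Key{{Kid: "am-1", Kty: "RSA", RSA: &priv.PublicKey}}}
	p, rsErr := dec.Decode(Sign("RS256", "am-1", claims, priv, nil))
	_, hsErr = dec.Decode(Sign("HS256", "am-1", claims, nil, []byte("client-secret")))
	return string(p), rsErr, hsErr
}

func main() {
	p, rsErr, hsErr := Scenario()
	fmt.Println("RS256:", p, rsErr, "| HS256:", hsErr)
}
```

The Kty check is the security-relevant part: the token's alg never decides which key material is used, so an RSA public key fetched from the JWKS is never handed to HMAC, which is what the well-known JWT key-confusion attack relies on. Having AM sign ID tokens with RS256, as in the accepted answer, and configuring the decoder for RS256 lines up both sides.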
1

Yes, you can tell AM to use a specific signature algorithm for the OIDC ID token signature (https://backstage.forgerock.com/docs/am/6.5/oidc1-guide/#configure-oauth2-oidc-client-signing), but I suspect the client is not able to verify the signature because of the missing key.

Just to make sure: you are aware that OAuth2 and OIDC are different topics?

Bernhard Thalmayr