[mitreid-connect] I seem to have a problem with an empty keystore

Justin Richer jricher at mit.edu
Tue Dec 13 20:35:36 EST 2016


Yes, you can register clients for scopes that aren’t listed in the system scopes setup. They won’t get display names and icons but they’ll be there. You can restrict some scopes so that clients can’t register for them dynamically.

 — Justin

> On Dec 13, 2016, at 8:35 AM, William Hadden1 <WilHadden at uk.ibm.com> wrote:
> 
> Got to the bottom of it.
>  
> It seems that I had set defaultSignerKeyId in crypto-config.xml to rsa1 while the only test key in my keystore.jwks had an ID of oAuth.
>  
> I could see in code that the oAuth key got read in and set as the default then later spring set the default to rsa1. I know this is my own fault but it might be worth raising an exception if someone tries to set the default key to one that's not in the store already.
>  
> Thanks for your help. It's been very useful!
>  
> On a separate issue, I don't know if this is a problem but I thought I should mention it.
> From the API it seems that I can set a scope of a client for a scope that does not exist. Should that be possible?
>  
> Wil
>  
> ----- Original message -----
> From: William Hadden1/UK/IBM
> To: William Hadden1/UK/IBM at IBMGB
> Cc: jricher at mit.edu, mitreid-connect at mit.edu
> Subject: Re: [mitreid-connect] I seem to have a problem with an empty keystore
> Date: Mon, Dec 12, 2016 11:52 PM
>  
> OK, on a completely clean setup the same call to token succeeds. Looks like it's something I've done.
>  
> Wil
>  
> ----- Original message -----
> From: William Hadden1/UK/IBM at IBMGB
> Sent by: mitreid-connect-bounces at mit.edu
> To: jricher at mit.edu
> Cc: mitreid-connect at mit.edu
> Subject: Re: [mitreid-connect] I seem to have a problem with an empty keystore
> Date: Mon, Dec 12, 2016 11:20 PM
>  
> Excuse me, my webmail decided to auto send before I was finished! I'll try it with a pristine copy.
>  
> ----- Original message -----
> From: William Hadden1/UK/IBM
> To: jricher at mit.edu
> Cc: mitreid-connect at mit.edu
> Subject: Re: [mitreid-connect] I seem to have a problem with an empty keystore
> Date: Mon, Dec 12, 2016 11:18 PM
>  
> /jwk brings back the one expected default key 
> {
>     "keys": [
>         {
>             "kty": "RSA",
>             "e": "AQAB",
>             "use": "sig",
>             "kid": "oAuth",
>             "alg": "RS512",
>             "n": "hDJC8fKTzR_zGa2yul-a6DqIQIVKnKT9x1gSpasUWGRp1S8pqrX6lsNQDbFXDIbC6Cz_DbaH7AAopzZG22LLIrLenhiJDaDczUdD9LOGL0HTznfaGBXf8K79y3JE0IRI_5A_qos0i7cu_ws3sw3SaNnANCXxZL1C84o52COTOjs9fdu0biOKDFgaxgY9wxCXxnG7WIiFBOGrFB8TTUU7Yb7gGZgRN80xYEArwd_Y6XTBtTj_4WsaQDKYuL388OtPnsu6U0WQ4mcLKyT_yQL9TalrD4bHS-dQxYS0lDVgHfULMOuso_ymrmx950txQkSxW1hC6uMOXs9zc9cxm8aaxQ"
>         }
>     ]
> }
>  
> ----- Original message -----
> From: Justin Richer <jricher at mit.edu>
> To: William Hadden1/UK/IBM at IBMGB
> Cc: mitreid-connect at mit.edu
> Subject: Re: [mitreid-connect] I seem to have a problem with an empty keystore
> Date: Mon, Dec 12, 2016 11:13 PM
>  
> Check the server’s JWK Set endpoint (at <issuer>/jwk) and see if it’s publishing the keys you want it to publish there. If it is, then your keystore is getting loaded and something else is the problem. If not, then you can trace it down to a keystore issue. 
>  
> Can you replicate the bug on a pristine copy of the server using the same base version? 
>  
>  — Justin
>  
>> On Dec 12, 2016, at 5:53 PM, William Hadden1 <WilHadden at uk.ibm.com> wrote:
>>  
>> That was a suspicion I had, but my setup looks ok to me,
>>  
>> In my overlay under src/main/webapp/WEB-INF I have crypto-config.xml which points to 
>>  
>> <bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
>>     <property name="location" value="file:/etc/mitreid-connect/keystore.jwks" />
>> </bean>
>>  
>> In /etc/mitreid-connect/keystore.jwks I have the standard cloned keystore. So this looks OK to me.
>>  
>> Now, I've switched on all debug in log4j but I don't see any mention of that keystore getting loaded. Is it possible my crypto-config isn't getting loaded? The other files in there seem to be getting loaded.
>>  
>> Wil
>>  
>> ----- Original message -----
>> From: Justin Richer <jricher at mit.edu>
>> To: William Hadden1/UK/IBM at IBMGB
>> Cc: mitreid-connect at mit.edu
>> Subject: Re: [mitreid-connect] I seem to have a problem with an empty keystore
>> Date: Mon, Dec 12, 2016 10:48 PM
>>  
>> Yes, the server will still issue a JWT formatted token for client credentials clients. The “claims” here are the claims inside the JWT, not the “claims” of user information or authentication event information in an OpenID Connect transaction. (Since you’re doing client credentials, you’re not using OpenID Connect functionality anyway, you’re doing plain OAuth, so none of that comes into play.) All of those claims should already be set in when the token is created.
>>  
>> If your keystore is empty, though, the server won’t be able to sign *any* tokens. Which means it won’t be able to issue any tokens. Is that the case? If so, why is your keystore empty?
>>  
>>  — Justin
>>  
>>  
>>> On Dec 12, 2016, at 5:40 PM, William Hadden1 <WilHadden at uk.ibm.com> wrote:
>>>  
>>> Hi,
>>>  
>>> I have been writing my own overlay and at this point I can call the API and create clients. However when I try to create a client_credentials token I get a null pointer. Now bear in mind I have been changing the spring config files, so that would be a prime candidate for where I have done something wrong.
>>>  
>>> The NP ultimately is:
>>> 2016-12-12 20:58:39 DEBUG DispatcherServlet:988 - Could not complete request
>>> java.lang.NullPointerException
>>>         at com.nimbusds.jose.JWSObject.ensureJWSSignerSupport(JWSObject.java:268)
>>>         at com.nimbusds.jose.JWSObject.sign(JWSObject.java:291)
>>>         at org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService.signJwt(DefaultJWTSigningAndValidationService.java:225)
>>>         at org.mitre.openid.connect.token.ConnectTokenEnhancer.enhance(ConnectTokenEnhancer.java:114)
>>>  
>>> This seems to come down to this line not creating a proper object
>>>  
>>> SignedJWT signed = new SignedJWT(header, claims);
>>>  
>>> My question is, for client_credentials, should the code be trying to create / use a JWT? If so then is it likely that my claims are wrong, as in I have set up my client to use its own scope but do I also have to set up a claim to go along with it?
>>>  
>>> Thanks for any help
>>> Wil
>>>  
>>>  
>>>  
>>> Unless stated otherwise above:
>>> IBM United Kingdom Limited - Registered in England and Wales with number 741598.
>>> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
>>> 
>>> _______________________________________________
>>> mitreid-connect mailing list
>>> mitreid-connect at mit.edu
>>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>>  
> 
>  
>  
> 

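The startup check Wil asks for above, written here as an added example (not MITREid Connect code): it reads defaultSignerKeyId out of crypto-config.xml and confirms that kid is present in keystore.jwks as a signing key, so the mismatch surfaces as a configuration error rather than a NullPointerException inside the JWS signer. The XML fragment and the JWK Set are constructed samples mirroring the thread; the signer bean id and class are assumptions.

```python
"""Preflight check for a MITREid Connect overlay: the defaultSignerKeyId in
crypto-config.xml must name a signing key that exists in keystore.jwks."""
import json
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed crypto-config.xml sample. The keystore bean and
# defaultSignerKeyId="rsa1" mirror the thread; the signer bean id and
# class are assumptions, not copied from the project.
CRYPTO_CONFIG_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
    <property name="location" value="file:/etc/mitreid-connect/keystore.jwks" />
  </bean>
  <bean id="signerService" class="example.SignerService">
    <constructor-arg name="keyStore" ref="defaultKeyStore" />
    <property name="defaultSignerKeyId" value="rsa1" />
  </bean>
</beans>"""

# Constructed keystore.jwks holding only the key /jwk published in the thread
# (kid "oAuth"); the modulus is omitted because this check never uses it.
KEYSTORE_JWKS = json.dumps({"keys": [{"kty": "RSA", "e": "AQAB", "use": "sig",
                                      "kid": "oAuth", "alg": "RS512", "n": "<omitted>"}]})

def find_default_signer_key_id(config_xml: str) -> Optional[str]:
    """Return the defaultSignerKeyId property value, or None if it is absent."""
    for el in ET.fromstring(config_xml).iter():
        # Drop the Spring namespace so namespaced and bare XML both work.
        if el.tag.rsplit("}", 1)[-1] == "property" and el.get("name") == "defaultSignerKeyId":
            return el.get("value")
    return None

def check_signer_key(config_xml: str, jwks_json: str) -> List[str]:
    """Return the problems found; an empty list means the signer config is consistent."""
    problems: List[str] = []
    kid = find_default_signer_key_id(config_xml)
    keys_by_kid = {k.get("kid"): k for k in json.loads(jwks_json).get("keys", [])}
    if kid is None:
        problems.append("no defaultSignerKeyId configured")
    elif kid not in keys_by_kid:
        problems.append(f"defaultSignerKeyId {kid!r} is not in the keystore; "
                        f"available kids: {sorted(k for k in keys_by_kid if k)}")
    else:
        key = keys_by_kid[kid]
        # A key published for encryption cannot back the signer, even if the kid matches.
        if key.get("use", "sig") != "sig":
            problems.append(f"key {kid!r} has use={key['use']!r}, expected 'sig'")
    return problems
```

Run it against the real files by reading crypto-config.xml and keystore.jwks from disk and passing their contents to check_signer_key; a non-empty list is the error the thread wished the server had raised.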