<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div dir="ltr" >Excuse me, my webmail decided to auto send before I was finished! I'll try it with a pristine copy.</div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: William Hadden1/UK/IBM<br>To: jricher@mit.edu<br>Cc: mitreid-connect@mit.edu<br>Subject: Re: [mitreid-connect] I seem to have a problem with an empty keystore<br>Date: Mon, Dec 12, 2016 11:18 PM<br>
<div dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div dir="ltr" >/jwk brings back the one expected default key </div>
<div dir="ltr" >{<br> "keys": [<br> {<br> "kty": "RSA",<br> "e": "AQAB",<br> "use": "sig",<br> "kid": "oAuth",<br> "alg": "RS512",<br> "n": "hDJC8fKTzR_zGa2yul-a6DqIQIVKnKT9x1gSpasUWGRp1S8pqrX6lsNQDbFXDIbC6Cz_DbaH7AAopzZG22LLIrLenhiJDaDczUdD9LOGL0HTznfaGBXf8K79y3JE0IRI_5A_qos0i7cu_ws3sw3SaNnANCXxZL1C84o52COTOjs9fdu0biOKDFgaxgY9wxCXxnG7WIiFBOGrFB8TTUU7Yb7gGZgRN80xYEArwd_Y6XTBtTj_4WsaQDKYuL388OtPnsu6U0WQ4mcLKyT_yQL9TalrD4bHS-dQxYS0lDVgHfULMOuso_ymrmx950txQkSxW1hC6uMOXs9zc9cxm8aaxQ"<br> }<br> ]<br>}</div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: Justin Richer <jricher@mit.edu><br>To: William Hadden1/UK/IBM@IBMGB<br>Cc: mitreid-connect@mit.edu<br>Subject: Re: [mitreid-connect] I seem to have a problem with an empty keystore<br>Date: Mon, Dec 12, 2016 11:13 PM<br> <br><!--Notes ACF
<meta http-equiv="Content-Type" content="text/html charset=utf8" >-->Check the server’s JWK Set endpoint (at <issuer>/jwk) and see if it’s publishing the keys you want it to publish there. If it is, then your keystore is getting loaded and something else is the problem. If not, then you can trace it down to a keystore issue.
<div> </div>
<div>Can you replicate the bug on a pristine copy of the server using the same base version?
<div> </div>
<div> — Justin</div>
<div>
<div><blockquote type="cite" ><div>On Dec 12, 2016, at 5:53 PM, William Hadden1 <<a href="mailto:WilHadden@uk.ibm.com" target="_blank" >WilHadden@uk.ibm.com</a>> wrote:</div>
<div><div dir="ltr" ><div dir="ltr" >That was a suspicion I had, but my setup looks ok to me,</div>
<div dir="ltr" > </div>
<div dir="ltr" >In my overlay under src/main/webapp/WEB-INF I have crypto-config.xml which points to </div>
<div dir="ltr" > </div>
<div dir="ltr" ><bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore"><br> <property name="location" value="file:/etc/mitreid-connect/keystore.jwks" /><br> </div>
<div dir="ltr" >In /etc/mitreid-connect/keystore.jwks I have the standard cloned keystore. So this looks OK to me.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Now, I've switched on all debug in log4j but I don't see any mention of that keystore getting loaded. Is it possible my crpyto-config isn'y getting loaded? The other files in there seem to be getting loaded.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Wil</div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left-style: solid; border-left-color: rgb(170, 170, 170); border-left-width: 2px; margin-left: 5px; padding-left: 5px; direction: ltr; margin-right: 0px;" >----- Original message -----<br>From: Justin Richer <<a href="mailto:jricher@mit.edu" target="_blank" >jricher@mit.edu</a>><br>To: William Hadden1/UK/IBM@IBMGB<br>Cc: <a href="mailto:mitreid-connect@mit.edu" target="_blank" >mitreid-connect@mit.edu</a><br>Subject: Re: [mitreid-connect] I seem to have a problem with an empty keystore<br>Date: Mon, Dec 12, 2016 10:48 PM<br> <br>Yes, the server will still issue a JWT formatted token for client credentials clients. The “claims” here are the claims inside the JWT, not the “claims” of user information or authentication event information in an OpenID Connect transaction. (Since you’re doing client credentials, you’re not using OpenID Connect functionality anyway, you’re doing plain OAuth, so none of that comes into play.) All of those claims should already be set in when the token is created.
<div> </div>
<div>If your keystore is empty, though, the server won’t be able to sign *any* tokens. Which means it won’t be able to issue any tokens. Is that the case? If so, why is your keystore empty?
<div> </div>
<div> — Justin</div>
<div> </div>
<div>
<div><blockquote type="cite" ><div>On Dec 12, 2016, at 5:40 PM, William Hadden1 <<a href="mailto:WilHadden@uk.ibm.com" target="_blank" >WilHadden@uk.ibm.com</a>> wrote:</div>
<div><div dir="ltr" style="font-family: Arial, Helvetica, sans-serif; font-size: 10.5pt;" ><div dir="ltr" >Hi,</div>
<div dir="ltr" > </div>
<div dir="ltr" >I have been writing my own overlay and at this point I can call the API and create clients. However when I try to create a client_credentials token I get a null pointer. Now bear in mind I have been changing the spring config files, so that would be a prime candidate for where I have done something wrong.</div>
<div dir="ltr" > </div>
<div dir="ltr" >The NP ultimately is:</div>
<div dir="ltr" >2016-12-12 20:58:39 DEBUG DispatcherServlet:988 - Could not complete request<br>java.lang.NullPointerException<br> at com.nimbusds.jose.JWSObject.ensureJWSSignerSupport(JWSObject.java:268)<br> at com.nimbusds.jose.JWSObject.sign(JWSObject.java:291)<br> at org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService.signJwt(DefaultJWTSigningAndValidationService.java:225)</div>
<div dir="ltr" > at org.mitre.openid.connect.token.ConnectTokenEnhancer.enhance(ConnectTokenEnhancer.java:114)</div>
<div dir="ltr" > </div>
<div dir="ltr" >This seems to come down to this line not creating a proper object</div>
<div dir="ltr" > </div>
<div dir="ltr" >SignedJWT signed = new SignedJWT(header, claims);</div>
<div dir="ltr" > </div>
<div dir="ltr" >My question is, for client_credentials, should the code be trying to create / use a JWT? If so then is it likely that my claims are wrong, as in I have setup my client to use it's own scope but do I also have to setup a claim to go along with it?</div>
<div dir="ltr" > </div>
<div dir="ltr" >Thanks for any help</div>
<div dir="ltr" >Wil</div>
<div dir="ltr" > </div>
<div dir="ltr" > </div>
<div dir="ltr" > </div></div>Unless stated otherwise above:<br>IBM United Kingdom Limited - Registered in England and Wales with number 741598.<br>Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU<br><br>_______________________________________________<br>mitreid-connect mailing list<br><a href="mailto:mitreid-connect@mit.edu" target="_blank" >mitreid-connect@mit.edu</a><br><span><a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" target="_blank" >http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></span></div></blockquote></div></div></div></blockquote>
<div dir="ltr" > </div></div><span>Unless stated otherwise above:</span><br><span>IBM United Kingdom Limited - Registered in England and Wales with number 741598.<span> </span></span><br><span>Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU</span></div></blockquote></div></div></div></blockquote>
<div dir="ltr" > </div></div></blockquote>
<div dir="ltr" > </div></div>Unless stated otherwise above:<BR>
IBM United Kingdom Limited - Registered in England and Wales with number 741598. <BR>
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU<BR>
<BR>