[mitreid-connect] I seem to have a problem with an empty keystore
Justin Richer
jricher at mit.edu
Mon Dec 12 18:12:59 EST 2016
Check the server’s JWK Set endpoint (at <issuer>/jwk) and see if it’s publishing the keys you want it to publish there. If it is, then your keystore is getting loaded and something else is the problem. If not, then you can trace it down to a keystore issue.
Can you replicate the bug on a pristine copy of the server using the same base version?
— Justin
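As an added example (not code from this thread or from the MitreID Connect project), the following script performs the two checks suggested above offline: does the server-side keystore.jwks actually contain a private signing key, and does the set published at the JWK Set endpoint (<issuer>/jwk) list the expected kids without leaking private parameters. The JSON inputs are constructed inline and the RSA parameter values are placeholders, not real key material.

```python
"""Sanity-check a JWK Set keystore and the JWK Set a server publishes."""
import json

# JWK parameters that hold private key material; these must never appear
# in the set published at <issuer>/jwk.
PRIVATE_PARAMS = {"d", "p", "q", "dp", "dq", "qi", "k", "oth"}
SIGNING_KTYS = {"RSA", "EC"}


def check_keystore(jwks_text):
    """Return problems with a server-side keystore; [] means it can sign JWTs."""
    try:
        keys = json.loads(jwks_text).get("keys", [])
    except (ValueError, AttributeError):
        return ["keystore is not a JSON object with a 'keys' array"]
    problems = []
    if not keys:
        problems.append("keystore has no keys: the server cannot sign any token")
    usable = 0
    for i, key in enumerate(keys):
        kid = key.get("kid", f"<key {i} without kid>")
        if key.get("kty") not in SIGNING_KTYS:
            problems.append(f"{kid}: kty {key.get('kty')!r} is not a signing key type")
        elif "kid" not in key:
            problems.append(f"{kid}: missing kid, cannot be selected as default signer")
        elif key.get("use", "sig") != "sig":
            problems.append(f"{kid}: use is {key['use']!r}, not a signing key")
        elif not PRIVATE_PARAMS.intersection(key):
            problems.append(f"{kid}: public key only; signing needs the private part")
        else:
            usable += 1
    if keys and usable == 0:
        problems.append("no key in the keystore can be used to sign tokens")
    return problems


def check_published(jwks_text):
    """Return (published kids, {kid: leaked private params}) for a /jwk response."""
    keys = json.loads(jwks_text).get("keys", [])
    leaked = {k.get("kid"): sorted(PRIVATE_PARAMS.intersection(k))
              for k in keys if PRIVATE_PARAMS.intersection(k)}
    return [k.get("kid") for k in keys], leaked


# Constructed samples: an empty keystore, a minimal private RSA key, and the
# public form of that key as the server should publish it. Values are placeholders.
EMPTY_KEYSTORE = '{"keys": []}'
GOOD_KEYSTORE = json.dumps({"keys": [{"kty": "RSA", "kid": "rsa1", "use": "sig",
                                      "alg": "RS256", "n": "PLACEHOLDER_n",
                                      "e": "AQAB", "d": "PLACEHOLDER_d"}]})
PUBLISHED_OK = json.dumps({"keys": [{"kty": "RSA", "kid": "rsa1", "use": "sig",
                                     "alg": "RS256", "n": "PLACEHOLDER_n", "e": "AQAB"}]})
```

Against a live server, feed `check_published` the body fetched from <issuer>/jwk and compare the returned kids with those in the keystore file; an empty kid list points at the keystore not being loaded, as in the thread above.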
> On Dec 12, 2016, at 5:53 PM, William Hadden1 <WilHadden at uk.ibm.com> wrote:
>
> That was a suspicion I had, but my setup looks ok to me,
>
> In my overlay under src/main/webapp/WEB-INF I have crypto-config.xml which points to
>
> <bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
>     <property name="location" value="file:/etc/mitreid-connect/keystore.jwks" />
> </bean>
>
> In /etc/mitreid-connect/keystore.jwks I have the standard cloned keystore. So this looks OK to me.
>
> Now, I've switched on all debug in log4j but I don't see any mention of that keystore getting loaded. Is it possible my crypto-config isn't getting loaded? The other files in there seem to be getting loaded.
>
> Wil
>
> ----- Original message -----
> From: Justin Richer <jricher at mit.edu>
> To: William Hadden1/UK/IBM at IBMGB
> Cc: mitreid-connect at mit.edu
> Subject: Re: [mitreid-connect] I seem to have a problem with an empty keystore
> Date: Mon, Dec 12, 2016 10:48 PM
>
> Yes, the server will still issue a JWT formatted token for client credentials clients. The “claims” here are the claims inside the JWT, not the “claims” of user information or authentication event information in an OpenID Connect transaction. (Since you’re doing client credentials, you’re not using OpenID Connect functionality anyway, you’re doing plain OAuth, so none of that comes into play.) All of those claims should already be set when the token is created.
>
> If your keystore is empty, though, the server won’t be able to sign *any* tokens. Which means it won’t be able to issue any tokens. Is that the case? If so, why is your keystore empty?
>
> — Justin
>
>
>> On Dec 12, 2016, at 5:40 PM, William Hadden1 <WilHadden at uk.ibm.com <mailto:WilHadden at uk.ibm.com>> wrote:
>>
>> Hi,
>>
>> I have been writing my own overlay and at this point I can call the API and create clients. However when I try to create a client_credentials token I get a null pointer. Now bear in mind I have been changing the spring config files, so that would be a prime candidate for where I have done something wrong.
>>
>> The NP ultimately is:
>> 2016-12-12 20:58:39 DEBUG DispatcherServlet:988 - Could not complete request
>> java.lang.NullPointerException
>> at com.nimbusds.jose.JWSObject.ensureJWSSignerSupport(JWSObject.java:268)
>> at com.nimbusds.jose.JWSObject.sign(JWSObject.java:291)
>> at org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService.signJwt(DefaultJWTSigningAndValidationService.java:225)
>> at org.mitre.openid.connect.token.ConnectTokenEnhancer.enhance(ConnectTokenEnhancer.java:114)
>>
>> This seems to come down to this line not creating a proper object
>>
>> SignedJWT signed = new SignedJWT(header, claims);
>>
>> My question is, for client_credentials, should the code be trying to create / use a JWT? If so then is it likely that my claims are wrong, as in I have set up my client to use its own scope but do I also have to set up a claim to go along with it?
>>
>> Thanks for any help
>> Wil
>>
>>
>>
>> Unless stated otherwise above:
>> IBM United Kingdom Limited - Registered in England and Wales with number 741598.
>> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
>>