
OpenIdCredentials can't decode JWT ID token #4128

Closed
travisspencer opened this issue Sep 28, 2019 · 1 comment
Labels: Bug (For general bugs on Jetty side)

@travisspencer (Contributor)

Testing the new OpenID Connect authentication mechanism, I've run into what I think is a bug. My OpenID Connect Provider (OP) is Curity, an OP that's passed all the OpenID Foundation's certification tests.

I can login using this OP. However, in some cases, the OpenIdCredentials gets hung up on the ID token JWT that's returned.

For instance, here's an example of a token (that is valid) which hangs up the component:

eyJraWQiOiIxNTU1OTM0ODQ3IiwieDV0IjoiOWdCOW9zRldSRHRSMkhtNGNmVnJnWTBGcmZRIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQTA0NUoxcE5YRk1nYzlXN2wxSk1fUSIsImRlbGVnYXRpb25faWQiOiJjZTBhNjRlNS0xYWY3LTQ2MzEtOGUzNC1mNDE5N2JkYzVjZTAiLCJhY3IiOiJ1cm46c2U6Y3VyaXR5OmF1dGhlbnRpY2F0aW9uOmh0bWwtZm9ybTpodG1sLXByaW1hcnkiLCJzX2hhc2giOiIwc1FtRG9YY3FwcnM4NWUzdy0wbHdBIiwiYXpwIjoiNzZiZTc5Y2ItM2E1Ni00ZTE3LTg3NzYtNDI1Nzc5MjRjYzc2IiwiYXV0aF90aW1lIjoxNTY5NjU4MDk1LCJleHAiOjE1Njk2NjE5OTUsIm5iZiI6MTU2OTY1ODM5NSwianRpIjoiZjJkNWI2YzEtNTIxYi00Y2Y5LThlNWEtOTg5NGJhNmE0MzkyIiwiaXNzIjoiaHR0cHM6Ly9ub3JkaWNhcGlzLmN1cml0eS5pby9-IiwiYXVkIjoiNzZiZTc5Y2ItM2E1Ni00ZTE3LTg3NzYtNDI1Nzc5MjRjYzc2Iiwic3ViIjoibmlrb3MiLCJpYXQiOjE1Njk2NTgzOTUsInB1cnBvc2UiOiJpZCJ9.Wd458zNmXggpkDN6vbS3-aiajh4-VbkmcStLYUqahYJUp9p-AUI_RZttWvwh3UDMG9rWww_ya8KFK_SkPfKooEaSNOjOhw0ox4d-9lgti3J49eRyO20RViXvRHyLVtcjv5IaqvMXgwW60Thubv19OION7DstyArffcxNNSpiqDq6wjd0T2DJ3gSXXlJHLTWrry3svqu1j_GCbHc04XYGicxsusKgc3n22dh4I6p4trdo0Gu5Un0bZ8Yov7IzWItqTgm9X5r9gZlAOLcAuK1WTwkzAwZJ24HgvxKmuYfV_4ZCg_VPN2Op8YPuRAQOgUERpeTv1RDFTOG9GKZIMBVR0A

The error is around base-64 decoding, which OpenID Connect does in a "special" way (see RFC 7515). Specifically, the stack trace is this:

2019-09-28T10:13:15:724+0200 WARN  {qtp294247762-17} org.eclipse.jetty.security.openid.OpenIdLoginService:93
 java.lang.IllegalArgumentException: Illegal base64 character 2d
	at java.util.Base64$Decoder.decode0(Base64.java:714) ~[?:1.8.0_181]
	at java.util.Base64$Decoder.decode(Base64.java:526) ~[?:1.8.0_181]
	at java.util.Base64$Decoder.decode(Base64.java:549) ~[?:1.8.0_181]
	at org.eclipse.jetty.security.openid.OpenIdCredentials.decodeJWT(OpenIdCredentials.java:163) ~[jetty-openid-9.4.21.v20190926.jar:9.4.21.v20190926]
...

In section 2 of RFC 7515 (which OpenID Connect references), it says that base64-encoded parts of the JWT should have the padding removed. This means that the decoder (this new OpenIdCredentials class) must first add the padding back before calling java.util.Base64.Decoder.
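As an added example (not Jetty's code, and written in Python rather than Java so it runs stand-alone), the following applies the RFC 7515 Appendix C padding-restoration recipe to the exact ID token quoted above, then decodes header, payload and signature with the URL-safe alphabet. Two helpers reproduce the failure modes involved: a strict standard-alphabet decode rejects the payload because of its '-' character (the "Illegal base64 character 2d" in the stack trace), and a URL-safe decode still fails if the padding is not restored first. The function names (`add_padding`, `decode_segment`, `decode_jwt`, `plain_base64_rejects`, `unpadded_urlsafe_rejects`) are chosen here; Jetty's own fix, per the commit title later in this thread, added the missing padding and switched to `java.util.Base64`'s URL decoder.

```python
import base64
import binascii
import json

# The ID token quoted in the issue, copied verbatim (header.payload.signature).
# All three segments are base64url without '=' padding, as RFC 7515 section 2
# requires, and the payload contains a '-' (hex 2d) that a standard-alphabet
# base64 decoder rejects, which is the exception in the stack trace.
ID_TOKEN = "eyJraWQiOiIxNTU1OTM0ODQ3IiwieDV0IjoiOWdCOW9zRldSRHRSMkhtNGNmVnJnWTBGcmZRIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiQTA0NUoxcE5YRk1nYzlXN2wxSk1fUSIsImRlbGVnYXRpb25faWQiOiJjZTBhNjRlNS0xYWY3LTQ2MzEtOGUzNC1mNDE5N2JkYzVjZTAiLCJhY3IiOiJ1cm46c2U6Y3VyaXR5OmF1dGhlbnRpY2F0aW9uOmh0bWwtZm9ybTpodG1sLXByaW1hcnkiLCJzX2hhc2giOiIwc1FtRG9YY3FwcnM4NWUzdy0wbHdBIiwiYXpwIjoiNzZiZTc5Y2ItM2E1Ni00ZTE3LTg3NzYtNDI1Nzc5MjRjYzc2IiwiYXV0aF90aW1lIjoxNTY5NjU4MDk1LCJleHAiOjE1Njk2NjE5OTUsIm5iZiI6MTU2OTY1ODM5NSwianRpIjoiZjJkNWI2YzEtNTIxYi00Y2Y5LThlNWEtOTg5NGJhNmE0MzkyIiwiaXNzIjoiaHR0cHM6Ly9ub3JkaWNhcGlzLmN1cml0eS5pby9-IiwiYXVkIjoiNzZiZTc5Y2ItM2E1Ni00ZTE3LTg3NzYtNDI1Nzc5MjRjYzc2Iiwic3ViIjoibmlrb3MiLCJpYXQiOjE1Njk2NTgzOTUsInB1cnBvc2UiOiJpZCJ9.Wd458zNmXggpkDN6vbS3-aiajh4-VbkmcStLYUqahYJUp9p-AUI_RZttWvwh3UDMG9rWww_ya8KFK_SkPfKooEaSNOjOhw0ox4d-9lgti3J49eRyO20RViXvRHyLVtcjv5IaqvMXgwW60Thubv19OION7DstyArffcxNNSpiqDq6wjd0T2DJ3gSXXlJHLTWrry3svqu1j_GCbHc04XYGicxsusKgc3n22dh4I6p4trdo0Gu5Un0bZ8Yov7IzWItqTgm9X5r9gZlAOLcAuK1WTwkzAwZJ24HgvxKmuYfV_4ZCg_VPN2Op8YPuRAQOgUERpeTv1RDFTOG9GKZIMBVR0A"


def add_padding(segment: str) -> str:
    """Restore the '=' padding that RFC 7515 strips (the Appendix C recipe).

    A base64 quantum is four characters: a remainder of 2 needs '==', a
    remainder of 3 needs '=', and a remainder of 1 cannot occur in valid input.
    """
    remainder = len(segment) % 4
    if remainder == 1:
        raise ValueError("illegal base64url string: length % 4 == 1")
    return segment + "=" * ((4 - remainder) % 4)


def decode_segment(segment: str) -> bytes:
    """Decode one JWS segment using the URL-safe alphabet ('-' and '_')."""
    return base64.urlsafe_b64decode(add_padding(segment))


def decode_jwt(token: str):
    """Split a compact-serialised JWS and decode its three parts.

    This only decodes; it does NOT verify the signature or validate claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 JWS segments, got %d" % len(parts))
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(decode_segment(header_b64))
    payload = json.loads(decode_segment(payload_b64))
    signature = decode_segment(signature_b64)
    return header, payload, signature


def plain_base64_rejects(segment: str) -> bool:
    """True if a strict standard-alphabet decoder rejects the segment.

    Python's validate=True refuses any character outside A-Z a-z 0-9 + /,
    so a segment containing '-' or '_' fails here just as it did in Jetty.
    """
    try:
        base64.b64decode(segment, validate=True)
    except binascii.Error:
        return True
    return False


def unpadded_urlsafe_rejects(segment: str) -> bool:
    """True if URL-safe decoding fails because the padding was not restored.

    Python's urlsafe_b64decode insists on '=' padding, so the alphabet fix
    alone is not enough; the padding step from add_padding is still required.
    """
    try:
        base64.urlsafe_b64decode(segment)
    except binascii.Error:
        return True
    return False


if __name__ == "__main__":
    hdr, claims, sig = decode_jwt(ID_TOKEN)
    print("header:", hdr)
    print("iss:", claims["iss"], "sub:", claims["sub"], "aud:", claims["aud"])
    print("signature length:", len(sig), "bytes")
```

Decoding is only the first step for a relying party: the header's `alg`/`kid` select a key from the OP's published JWK set, the RS256 signature over `header.payload` must verify against it, and `iss`, `aud`, `exp`/`nbf` and (when sent) `nonce` must be checked before the `sub` is trusted. A decoder that merely parses the JSON is not an authentication check.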

travisspencer added a commit to travisspencer/jetty.project that referenced this issue Sep 28, 2019
Signed-off-by: Travis Spencer <travis@curity.io>
@gregw (Contributor) commented Sep 29, 2019

Standards are soooo good, we may as well have lots of them for the same thing.... NOT!
https://tools.ietf.org/html/rfc7515#appendix-C

@gregw gregw added the Bug For general bugs on Jetty side label Sep 29, 2019
travisspencer added a commit to travisspencer/jetty.project that referenced this issue Sep 30, 2019
Signed-off-by: Travis Spencer <travis@curity.io>
travisspencer added a commit to travisspencer/jetty.project that referenced this issue Oct 5, 2019
Signed-off-by: Travis Spencer <travis@curity.io>
lachlan-roberts added a commit that referenced this issue Oct 7, 2019
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Oct 7, 2019
Issue #4128 - Add missing padding and use URL decoder
lachlan-roberts added a commit that referenced this issue Nov 18, 2019
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Nov 20, 2019
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@joakime joakime changed the title OpenIdCredetials can't decode JWT ID token OpenIdCredentials can't decode JWT ID token Nov 20, 2019
3 participants