Requesting-an-access-token-with-a-jwt

Hi people,

According Oauth2 FLOW https://doc.nuxeo.com/nxdoc/using-oauth2/#requesting-an-access-token-with-a-jwt, I tried to get access token by testing Access Token with a JWT with my Postman but I have some exceptions server side. Here How I declared Oauth2 client serveur side : Capture d’écran 2019-04-05 à 12.25.59.png

Here is My Postman Capture d’écran 2019-04-05 à 12.19.56.png

Here is the server logs

2019-04-05T12:14:44,334 ERROR [https-jsse-nio-0.0.0.0-8443-exec-3] [nuxeo-error-log] javax.servlet.ServletException: java.lang.NullPointerException
    at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoRequestControllerFilter.doFilter(NuxeoRequestControllerFilter.java:145)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:209)
    at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:244)
    Caused by: java.lang.NullPointerException
    at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPostToken(NuxeoOAuth2Servlet.java:358)
    at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPost(NuxeoOAuth2Servlet.java:121)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)

Thanks for help

0 votes

6 answers

160 views

ANSWER



Kevin Leturc ,

In https://github.com/nuxeo/nuxeo/blob/10.10/nuxeo-features/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/platform/oauth2/Constants.java I see :

/** @since 11.1 */
public static final String ASSERTION_PARAM = "assertion";

/** @since 11.1 */
public static final String JWT_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";

It's a confirmation that the jwt grant_type does not exist in 10.10 or HF02 ?

0 votes



Please use comment feature instead of answer one, it's easier to follow. No this is not a confirmation, feature is present in 10.10-HF02
04/05/2019

As you can see on my answer to Thomas Roger , I am running nuxeo 10.10-HF03
04/05/2019

Please read my previous comment below:

So your token seems to be invalid. Can you enable TRACE log on JWTServiceImpl in order to have the reason of verification failure?

Log4j2 config:

...
<Logger name="org.nuxeo.ecm.jwt.JWTServiceImpl" level="trace" />
...
04/05/2019

Here is TRACE of JWTServiceImpl :

2019-04-05T15:03:57,720 TRACE [https-jsse-nio-0.0.0.0-8443-exec-2] [org.nuxeo.ecm.jwt.JWTServiceImpl] token verification failed: com.auth0.jwt.exceptions.AlgorithmMismatchException: The provided Algorithm doesn't match the one defined in the JWT's Header.
04/05/2019

Do you generate the token with Nuxeo? Cause Nuxeo uses only HMAC512 algorithm to generate jwt tokens and regarding the error you get it's not the algorithm used in your jwt token.

Note: the JWT issuer might be nuxeo

https://jwt.io/ might help

04/05/2019

My jwt use HS256 Algorithm and shared secret base64 encoded, see in https://jwt.io/, I generate the JWT in my main API REST and want to use the same with nuxeo.
04/05/2019

There's no customisation on this part inside Nuxeo. We use HmacSHA512 algorithm (HS512) to generate and verify tokens, you need to generate a JWT token with this algorithm and the nuxeo issuer in the claim (iss).
04/05/2019

It would be interesting to add a new parameter in nuxeo.conf like nuxeo.jwt.alg = HS256 | HS384 | HS512
04/05/2019

We see no reason to allow weaker algorithms.
04/05/2019

I think it's the responsibility to users to use weaker or strong algorithms. I this case, We must update all our APIS to fit in nuxeo strategy. Users can have choice to update later their app
04/05/2019

Hi Kevin Leturc , Florent Guillaume ,

I use in my main API HS512 as JWT algorithm provider, but when I use it postman to test oauth2 jwt authentication, I have this exception nuxeo side : `2019-04-15T13:50:01,575 TRACE [https-jsse-nio-0.0.0.0-8443-exec-9] [org.nuxeo.ecm.jwt.JWTServiceImpl] token verification failed: com.auth0.jwt.exceptions.SignatureVerificationException: The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA512 … Caused by: java.lang.NullPointerException

at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPostToken(NuxeoOAuth2Servlet.java:358)
at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPost(NuxeoOAuth2Servlet.java:121)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)`.

Nuxeo not read my nuxeo.jwt.secret parameter ? For information, I use library io.jsonwebtoken:jjwt to create my JWT

Thanks for help

04/15/2019

Hi,

I changed my JWT lib for com.auth0.jwt use by nuxeo and I get this error : 2019-04-15T15:58:29,821 TRACE [https-jsse-nio-0.0.0.0-8443-exec-1] [org.nuxeo.ecm.jwt.JWTServiceImpl] token verification failed: com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'iss' value doesn't match the required one..

Why Issuer is required nuxeo side ?

Thanks

04/15/2019

Yes we could remove the check, it doesn't bring much. I created NXP-27236 for that, but it's not yet scheduled. In the meantime, please use the required nuxeo one.
04/15/2019


Hi Kevin Leturc , I have this parameter in my nuxeo.conf nuxeo.jwt.secret=OTQ5YTI3MmI0ZDBmNGV....., So I don't understand why nuxeo not read it ?

Thanks

0 votes



Ok, So your token seems to be invalid. Can you enable TRACE log on JWTServiceImpl in order to have the reason of verification failure?

Log4j2 config:

...
<Logger name="org.nuxeo.ecm.jwt.JWTServiceImpl" level="trace" />
...
04/05/2019


Hi Thomas Roger,

I am running HF03.

Capture d’écran 2019-04-05 à 14.27.25.png

Thanks

0 votes



Hello,

I saw on your screenhost that the exception came from [here](https://github.com/nuxeo/nuxeo/blob/10.10/nuxeo-features/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/platform/oauth2/NuxeoOAuth2Servlet.java#L358 which means that either you don't have set the jwt secret (nuxeo.jwt.secret in nuxeo.conf) or your token is not valid.

I created NXP-27175 to improve error handling.

0 votes



The JWT OAuth2 flow is only supported since 10.10-HF02, not before.

0 votes



Hi,

When in my postman I delete parameter grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', I get server side this exception : 2019-04-05T14:11:35,871 WARN [https-jsse-nio-0.0.0.0-8443-exec-7] [org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet] OAuth2 token request error: OAuth2Error(id=unsupported_grant_type, description=Unknown grant_type: got "null", expecting "authorization_code" or "refresh_token".)

It seems that this type of grant_type urn:ietf:params:oauth:grant-type:jwt-bearer describe in this https://doc.nuxeo.com/nxdoc/using-oauth2/#requesting-an-access-token-with-a-jwt is not supported in nuxeo 10.10 or not implement yet ? I see in code package org.nuxeo.ecm.platform.oauth2 theses constants

public static final String TOKEN_SERVICE = "org.nuxeo.server.token.store";
036
037    public static final String RESPONSE_TYPE_PARAM = "response_type";
038
039    public static final String CODE_RESPONSE_TYPE = "code";
040
041    public static final String SCOPE_PARAM = "scope";
042
043    public static final String STATE_PARAM = "state";
044
045    public static final String CLIENT_ID_PARAM = "client_id";
046
047    public static final String CLIENT_SECRET_PARAM = "client_secret";
048
049    public static final String REDIRECT_URI_PARAM = "redirect_uri";
050
051    public static final String REDIRECT_URL_PARAM = "redirect_url";
052
053    public static final String AUTHORIZATION_CODE_PARAM = "code";
054
055    public static final String REFRESH_TOKEN_PARAM = "refresh_token";
056
057    public static final String GRANT_TYPE_PARAM = "grant_type";
058
059    public static final String AUTHORIZATION_CODE_GRANT_TYPE = "authorization_code";
060
061    public static final String REFRESH_TOKEN_GRANT_TYPE = "refresh_token";
062
063    /** --------------------------- PKCE --------------------------- */
064    public static final String CODE_CHALLENGE_PARAM = "code_challenge";
065
066    public static final String CODE_CHALLENGE_METHOD_PARAM = "code_challenge_method";
067
068    public static final String CODE_VERIFIER_PARAM = "code_verifier";
069
070    public static final String CODE_CHALLENGE_METHOD_PLAIN = "plain";
071
072    public static final String CODE_CHALLENGE_METHOD_S256 = "S256";
073
074    public static final List<String> CODE_CHALLENGE_METHODS_SUPPORTED = Arrays.asList(CODE_CHALLENGE_METHOD_PLAIN,
075            CODE_CHALLENGE_METHOD_S256);

No assertion Thanks

0 votes