Requesting-an-access-token-with-a-jwt - SOLVED
Hi people,
According to the OAuth2 flow https://doc.nuxeo.com/nxdoc/using-oauth2/#requesting-an-access-token-with-a-jwt, I tried to get an access token by testing "Access Token with a JWT" with Postman, but I have some exceptions server side. Here is how I declared the OAuth2 client server side:
Here is my Postman:
Here are the server logs:
2019-04-05T12:14:44,334 ERROR [https-jsse-nio-0.0.0.0-8443-exec-3] [nuxeo-error-log] javax.servlet.ServletException: java.lang.NullPointerException
at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoRequestControllerFilter.doFilter(NuxeoRequestControllerFilter.java:145)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:209)
at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:244)
Caused by: java.lang.NullPointerException
at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPostToken(NuxeoOAuth2Servlet.java:358)
at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPost(NuxeoOAuth2Servlet.java:121)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
Thanks for help
/** @since 11.1 */
public static final String ASSERTION_PARAM = "assertion";
/** @since 11.1 */
public static final String JWT_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
Is this a confirmation that the jwt grant_type does not exist in 10.10 or HF02?
Please read my previous comment below:
So your token seems to be invalid. Can you enable TRACE log on JWTServiceImpl in order to have the reason of verification failure?
Log4j2 config:
...
<Logger name="org.nuxeo.ecm.jwt.JWTServiceImpl" level="trace" />
...
Here is the TRACE of JWTServiceImpl:
2019-04-05T15:03:57,720 TRACE [https-jsse-nio-0.0.0.0-8443-exec-2] [org.nuxeo.ecm.jwt.JWTServiceImpl] token verification failed: com.auth0.jwt.exceptions.AlgorithmMismatchException: The provided Algorithm doesn't match the one defined in the JWT's Header.
Note: the JWT issuer might be nuxeo
https://jwt.io/ might help
HS256 Algorithm and shared secret base64 encoded, see in https://jwt.io/, I generate the JWT in my main API REST and want to use the same with nuxeo.
HmacSHA512 algorithm (HS512) to generate and verify tokens, you need to generate a JWT token with this algorithm and the nuxeo issuer in the claim (iss).
nuxeo.conf like nuxeo.jwt.alg = HS256 | HS384 | HS512
I use HS512 in my main API as the JWT algorithm provider, but when I use it in Postman to test OAuth2 JWT authentication, I have this exception on the Nuxeo side: `2019-04-15T13:50:01,575 TRACE [https-jsse-nio-0.0.0.0-8443-exec-9] [org.nuxeo.ecm.jwt.JWTServiceImpl] token verification failed: com.auth0.jwt.exceptions.SignatureVerificationException: The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA512 … Caused by: java.lang.NullPointerException
at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPostToken(NuxeoOAuth2Servlet.java:358)
at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPost(NuxeoOAuth2Servlet.java:121)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)`.
Does Nuxeo not read my nuxeo.jwt.secret parameter? For information, I use the library io.jsonwebtoken:jjwt to create my JWT.
Thanks for help
I changed my JWT lib for com.auth0.jwt, used by Nuxeo, and I get this error: 2019-04-15T15:58:29,821 TRACE [https-jsse-nio-0.0.0.0-8443-exec-1] [org.nuxeo.ecm.jwt.JWTServiceImpl] token verification failed: com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'iss' value doesn't match the required one..
Why is the issuer required on the Nuxeo side?
Thanks
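The three TRACE failures quoted in this thread (algorithm mismatch, invalid signature, wrong `iss`) can be reproduced offline before a token is sent to the server. The following is an added example, not part of the original thread and not Nuxeo's code: it checks a token in that order using only the Python standard library. The secret, the `sub` value and the helper names are constructed for illustration, and the idea that a signing library may base64-decode the secret string before using it as the HMAC key is an assumption, not something the thread confirms.

```python
import base64, hashlib, hmac, json

HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
# Constructed sample secret (base64 text, like the nuxeo.jwt.secret value in the thread).
SECRET = base64.b64encode(b"constructed-demo-secret").decode()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes, alg: str = "HS512") -> str:
    """Build a compact HMAC-signed JWT, as the client application would."""
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": alg, "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode(), HASHES[alg]).digest()
    return signing_input + "." + b64url(mac)

def diagnose(token: str, secret: str, alg: str = "HS512", iss: str = "nuxeo") -> str:
    """Report the first failing check: algorithm, then signature, then issuer."""
    try:
        head, body, sig_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return "malformed token"
    if header.get("alg") != alg:
        return f"algorithm mismatch: header has {header.get('alg')}, verifier expects {alg}"
    msg = f"{head}.{body}".encode()
    # Assumption: the verifier keys the HMAC with the secret string's UTF-8 bytes.
    if not hmac.compare_digest(sig, hmac.new(secret.encode(), msg, HASHES[alg]).digest()):
        try:  # Did the signer base64-decode the secret before using it as the key?
            decoded = base64.b64decode(secret, validate=True)
        except ValueError:
            decoded = b""
        if decoded and hmac.compare_digest(sig, hmac.new(decoded, msg, HASHES[alg]).digest()):
            return "signature mismatch: signer used the base64-decoded secret as key"
        return "signature mismatch: different secret"
    if claims.get("iss") != iss:
        return f"issuer mismatch: iss is {claims.get('iss')!r}, verifier requires {iss!r}"
    return "ok"

if __name__ == "__main__":
    claims = {"iss": "nuxeo", "sub": "Administrator"}  # constructed claims
    print(diagnose(sign(claims, SECRET.encode()), SECRET))
    print(diagnose(sign(claims, base64.b64decode(SECRET)), SECRET))
```
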
nuxeo one.
Do you have any information about the solution to the nuxeo issuer problem in JWT? => https://jira.nuxeo.com/browse/NXP-27236
A year has passed and I see nothing on the Jira ticket.
Thanks
Hi Kevin Leturc, I have this parameter in my nuxeo.conf: nuxeo.jwt.secret=OTQ5YTI3MmI0ZDBmNGV..... So I don't understand why Nuxeo does not read it?
Thanks
Ok, so your token seems to be invalid. Can you enable TRACE log on JWTServiceImpl in order to have the reason of verification failure?
Log4j2 config:
...
<Logger name="org.nuxeo.ecm.jwt.JWTServiceImpl" level="trace" />
...
Hello,
I saw on your screenshot that the exception came from [here](https://github.com/nuxeo/nuxeo/blob/10.10/nuxeo-features/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/platform/oauth2/NuxeoOAuth2Servlet.java#L358), which means that either you haven't set the JWT secret (nuxeo.jwt.secret in nuxeo.conf) or your token is not valid.
I created NXP-27175 to improve error handling.
Hi,
When I delete the parameter grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer' in my Postman, I get this exception server side: 2019-04-05T14:11:35,871 WARN [https-jsse-nio-0.0.0.0-8443-exec-7] [org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet] OAuth2 token request error: OAuth2Error(id=unsupported_grant_type, description=Unknown grant_type: got "null", expecting "authorization_code" or "refresh_token".)
It seems that the grant_type urn:ietf:params:oauth:grant-type:jwt-bearer described in https://doc.nuxeo.com/nxdoc/using-oauth2/#requesting-an-access-token-with-a-jwt is not supported in Nuxeo 10.10, or not implemented yet? In the code of package org.nuxeo.ecm.platform.oauth2 I see these constants:
public static final String TOKEN_SERVICE = "org.nuxeo.server.token.store";

public static final String RESPONSE_TYPE_PARAM = "response_type";

public static final String CODE_RESPONSE_TYPE = "code";

public static final String SCOPE_PARAM = "scope";

public static final String STATE_PARAM = "state";

public static final String CLIENT_ID_PARAM = "client_id";

public static final String CLIENT_SECRET_PARAM = "client_secret";

public static final String REDIRECT_URI_PARAM = "redirect_uri";

public static final String REDIRECT_URL_PARAM = "redirect_url";

public static final String AUTHORIZATION_CODE_PARAM = "code";

public static final String REFRESH_TOKEN_PARAM = "refresh_token";

public static final String GRANT_TYPE_PARAM = "grant_type";

public static final String AUTHORIZATION_CODE_GRANT_TYPE = "authorization_code";

public static final String REFRESH_TOKEN_GRANT_TYPE = "refresh_token";

/** --------------------------- PKCE --------------------------- */
public static final String CODE_CHALLENGE_PARAM = "code_challenge";

public static final String CODE_CHALLENGE_METHOD_PARAM = "code_challenge_method";

public static final String CODE_VERIFIER_PARAM = "code_verifier";

public static final String CODE_CHALLENGE_METHOD_PLAIN = "plain";

public static final String CODE_CHALLENGE_METHOD_S256 = "S256";

public static final List<String> CODE_CHALLENGE_METHODS_SUPPORTED = Arrays.asList(CODE_CHALLENGE_METHOD_PLAIN,
        CODE_CHALLENGE_METHOD_S256);
No assertion
Thanks