PASOE and OAUTH/JWT Tokens - Creating Tokens

Posted by brianlafertewk on 01-Mar-2018 13:18

I'm working in 11.7.2 and have been working with the OAUTH 2.0 samples in the Documents area, and been able to successfully configure Spring security to properly recognize JWT tokens from AWS Cognito, and RS256 tokens created using a node.js webservice. This all works great, and the ABL has access to the JWT token elements using the client principal, and Spring security even does what I want it to do.

Now I'm trying to understand the other side of the equation -- creating OAUTH 2.0 from a client principal. I see there is something called 'STS Authentication Provider', but haven't been able to understand if that really does what I want. Essentially, is there a way to create JWT/RS256 tokens based on a client principal and pass the token back to a client? And if so, is there a "dummies" version of how to get that working with example (like the OAUTH 2.0 samples) that I can get my hands on?

Posted by Irfan on 01-Mar-2018 13:34

Hi Brian,

Glad to hear that the samples were helpful. We do not have the support for OAuth2/JWT in STS yet. We have plans, but haven't added it yet. Please add this to the Ideas list so that it gets noticed by Product Management.

Posted by brianlafertewk on 01-Mar-2018 14:01

Thank you Irfan.

By the way, I never got the first example (HMAC) from the samples to work. Token creation worked, but I ran into 'client principal was not valid' or some such thing. I tried a few times, but really was interested in the public/private key and AWS solutions, so moved on and got those working without much trouble. It was a very helpful document.

Posted by Irfan on 01-Mar-2018 15:16

If you are interested to see why HMAC is not working, you can provide more details and I can see where and why it is failing.

Posted by mroberts@rev.com.au on 05-Mar-2019 05:47

I'm going to wake this thread up :)

OE11.7.4

Windows 64 bit

I am also using the oAuth 2.0 Samples, and trying to get the JWT tokens to work.

I have a need to open up part of our app through oAuth, and using JWT and oAuth built-in config seemed like a good place to try.

I am however getting a Client Principal error.

(Procedure: 'IdmActivate.p' Line:60) client-principal validation failed in Session because - The client-principal was corrupt (16385)

[19/03/05@15:37:49.536+1100] P-020756 T-014156 1 AS-4 LogMgrWrtr     [IdmActivate ERROR] Client-Principal cannot be validated

I believe I have followed the instructions as advertised

1) I create the JWT token as requested

2) It seems to pass through Spring security OK; when I deliberately mangle the token and the values within, it rejects it because of expiration date/missing scope etc.

3) Token makes it into Activate procedure

4) At the time it tries to set-client, it fails

lok = SECURITY-POLICY:SET-CLIENT(hCP).

with

client-principal validation failed in Session because - The client-principal was corrupt (16385)

I've printed the contents I can see of the client principal object in activate, and it seems to see all the values correctly

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:37) MTR3 AUDIT-EVENT-CONTEXT

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:38) MTR3 CLIENT-TTY

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:39) MTR3 CLIENT-WORKSTATION

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:40) MTR3 DB-LIST ?

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:41) MTR3 DOMAIN-DESCRIPTION OE application:

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:42) MTR3 DOMAIN-NAME JWTdomain

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:43) MTR3 DOMAIN-TYPE OEApplication

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:44) MTR3 HANDLE 1082

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:45) MTR3 INSTANTIATING-PROCEDURE 1061

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:46) MTR3 LOGIN-EXPIRATION-TIMESTAMP 06/03/2019 04:25:14.000+11:00

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:47) MTR3 LOGIN-HOST

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:48) MTR3 LOGIN-STATE SSO

[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:50) MTR3 QUALIFIED-USER-ID 7965bba4-b65d-4212-adc7-6bd27eff180e@JWTdomain

[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:51) MTR3 ROLES scope.PSCUser

[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:52) MTR3 SEAL-TIMESTAMP 05/03/2019 16:32:41.000+11:00

[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:53) MTR3 SESSION-ID 0

[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:54) MTR3 STATE-DETAIL The CLIENT-PRINCIPAL object credentials were validated by an external system

[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:55) MTR3 TYPE CLIENT-PRINCIPAL

[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:56) MTR3 USER-ID 7965bba4-b65d-4212-adc7-6bd27eff180e

[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:58) MTR3 property-names aud,token_use,iss,token_type,jti,email,client_id,username

[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:65) MTR3 values pasoe.openedge.progress-users.com,access,nodejsJWT,bearer,random,isyed@progress.com,123456789,isyed

[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:67) client-principal validation failed in Session because - The client-principal was corrupt (16385)

How can I debug the corrupt message above and see what is causing the corruption?

NOTE: I have added DEBUG logging in PAS for the ClientPrincipal, and got the following

16:32:41.274/26544 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - OEClientPrincipleFilter processing token of type: 'org.springframework.security.oauth2.provider.OAuth2Authentication

16:32:41.281/26551 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - Substituting OEAuthenticationToken for authenticated token: 'org.springframework.security.oauth2.provider.OAuth2Authentication@8ccb3c1a: Principal: 7965bba4-b65d-4212-adc7-6bd27eff180e; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: scope.PSCUser'

16:32:41.285/26555 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - Creating Domain Registry: 'com.progress.auth.OEDefaultRegistry'

16:32:41.295/26565 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - Loading Domain Registry: 'com.progress.auth.OEDefaultRegistry'

16:32:41.335/26605 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - Converting Spring token to OEAuthenticationToken: 'org.springframework.security.oauth2.provider.OAuth2Authentication@8ccb3c1a: Principal: 7965bba4-b65d-4212-adc7-6bd27eff180e; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: scope.PSCUser'

16:32:41.352/26622 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - replaceToken: using non-qualified userName 7965bba4-b65d-4212-adc7-6bd27eff180e

16:32:41.353/26623 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - replaceToken: applying property derived domain: JWTdomain

16:32:41.353/26623 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Set session-id with JTI claim: 0

16:32:41.356/26626 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Set expiration with UTC EXP claim: java.util.GregorianCalendar[time=1551806714000,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=sun.util.calendar.ZoneInfo[id="Australia/Sydney",offset=36000000,dstSavings=3600000,useDaylight=true,transitions=142,lastRule=java.util.SimpleTimeZone[id=Australia/Sydney,offset=36000000,dstSavings=3600000,useDaylight=true,startYear=0,startMode=3,startMonth=9,startDay=1,startDayOfWeek=1,startTime=7200000,startTimeMode=1,endMode=3,endMonth=3,endDay=1,endDayOfWeek=1,endTime=7200000,endTimeMode=1]],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2019,MONTH=2,WEEK_OF_YEAR=10,WEEK_OF_MONTH=2,DAY_OF_MONTH=6,DAY_OF_YEAR=65,DAY_OF_WEEK=4,DAY_OF_WEEK_IN_MONTH=1,AM_PM=0,HOUR=4,HOUR_OF_DAY=4,MINUTE=25,SECOND=14,MILLISECOND=0,ZONE_OFFSET=36000000,DST_OFFSET=3600000]

16:32:41.356/26626 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Generating ClientPrincipal token: 7965bba4-b65d-4212-adc7-6bd27eff180e@JWTdomain ; 0

16:32:41.358/26628 [thd-1] WARN  c.p.a.s.s.OEAuthenticationTokenConverter - Could not map JWT claim iat of an unknown data type

16:32:41.358/26628 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal static properties...

16:32:41.358/26628 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property aud with value: pasoe.openedge.progress-users.com

16:32:41.359/26629 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property token_use with value: access

16:32:41.359/26629 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property iss with value: https://nodejsJWT

16:32:41.359/26629 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property token_type with value: bearer

16:32:41.360/26630 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Found null value for property iat

16:32:41.360/26630 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property jti with value: random

16:32:41.360/26630 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property email with value: isyed@progress.com

16:32:41.360/26630 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property client_id with value: 123456789

16:32:41.360/26630 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property username with value: isyed

16:32:41.363/26633 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal static properties...

16:32:41.363/26633 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Loading Spring authorities ...

16:32:41.364/26634 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Loading Spring authority : scope.PSCUser

16:32:41.365/26635 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal roles: scope.PSCUser

16:32:41.366/26636 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Sealing ClientPrincipal token (K)

16:32:41.369/26639 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Cloning Spring token with ClientPrincipal

16:32:41.370/26640 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - Replaced SecurityContextHolder with OEAuthenticationToken: from 'org.springframework.security.oauth2.provider.OAuth2Authentication@8ccb3c1a: Principal: 7965bba4-b65d-4212-adc7-6bd27eff180e; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=bearertokenValue=<TOKEN>; Granted Authorities: scope.PSCUser'

16:32:41.370/26640 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - OpenEdge CCID header not enabled

NOTE: it does not like iat, but I believe iat is a required part of the JWT, and appears with the correct value in the agent log

Thanks

Mark

Posted by Irfan on 05-Mar-2019 12:12

Hi Mark,

The only reason the Client-Principal gets corrupted is if the domain access codes do not match. Check if the domain access codes used in Spring Security and in ABL where you validate the seal are the same.
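
Added example (not from the thread or from the Progress OAuth 2.0 samples): a diagnostic sketch for the activate procedure that checks the seal against one explicit access code before SET-CLIENT is called, to narrow down which side holds the mismatched code. The variable names and the `<domain-access-code>` placeholder are assumptions; substitute the value configured for the domain on the Spring Security side.

```abl
/* Added diagnostic sketch, not part of the samples' IdmActivate.p.
   cAccessCode is a placeholder (assumption): set it to the access code
   configured for this domain on the Spring Security side. */
DEFINE VARIABLE hCP         AS HANDLE    NO-UNDO.
DEFINE VARIABLE cAccessCode AS CHARACTER NO-UNDO INITIAL "<domain-access-code>".
DEFINE VARIABLE lSealOk     AS LOGICAL   NO-UNDO.
DEFINE VARIABLE lSetOk      AS LOGICAL   NO-UNDO.

/* The sealed client-principal that PASOE passed in with this request */
hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().

IF VALID-HANDLE(hCP) THEN DO:
    /* Step 1: validate the seal against one explicit access code,
       independent of the domains registered in this session. */
    lSealOk = hCP:VALIDATE-SEAL(cAccessCode) NO-ERROR.

    /* Log the outcome only; never write the access code to the log. */
    MESSAGE "domain=" hCP:DOMAIN-NAME
            "login-state=" hCP:LOGIN-STATE
            "seal-timestamp=" hCP:SEAL-TIMESTAMP
            "explicit-seal-ok=" lSealOk.

    IF lSealOk <> TRUE THEN
        /* The token was sealed with a different code than cAccessCode:
           compare the Spring-side domain configuration first. */
        MESSAGE "Seal does not match the expected access code for"
                hCP:DOMAIN-NAME.
    ELSE DO:
        /* Step 2: the same check, now through the session's registered
           domains. A failure here with step 1 passing points at the
           access code registered for the domain on the ABL side. */
        lSetOk = SECURITY-POLICY:SET-CLIENT(hCP) NO-ERROR.
        MESSAGE "set-client-ok=" lSetOk
                (IF ERROR-STATUS:NUM-MESSAGES > 0
                 THEN ERROR-STATUS:GET-MESSAGE(1) ELSE "").
    END.
END.
```

Remove the hard-coded access code once the mismatch is found; it is there only for the duration of the test.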

Posted by mroberts@rev.com.au on 05-Mar-2019 23:32

Thanks for the reply Irfan,

I tried a bunch of things with changing the passwords in oauth2reg.csv, domains.json and oeablSecurity.properties with the sample, and got the same response.

I reverted to the standard config files from the sample and restarted, still with the same problem.

I am only using the JWTdomain for my testing, so reduced the oauth2reg.csv and domains.json to one domain (JWTdomain) with a different password, and it worked.

I then changed it to a new domain, new password, reconfigured, and it worked.

I'm not sure what was causing the issues, there must have been a difference in the passwords for the domain, but I could not see it.

But, by removing the extra moving parts, and getting it down to one domain, one password it worked for me.

Thanks

Mark.

This thread is closed