Next try for the same question in another group.... OpenEdge PASOE version 11.7.4
I try to follow the steps in the https://community.progress.com/community_groups/openedge_development/m/documents/3396/download document.
But whenever I try to issue the command: hCP = session:current-request-info:GetClientPrincipal(). I get the error message: client-principal validation failed in Session because - The client-principal was corrupt (16385)
oeablSecurity.properties contents:
## login model
client.login.model=oauth2
## The clear-text key value is 'JWTkey'. The encrypted value is generated using 'genpassword'
OEClientPrincipalFilter.domain=JWTdomain
OEClientPrincipalFilter.key=oech1::1a051b0c373c
OEClientPrincipalFilter.registryFile=oauth2reg.bin
## JWT token handler properties for jwtAuthFilter & oauth2.resSvc..
jwtToken.signatureAlg=HS256
jwtToken.macKey=oeph0::76E5F6C162276768465F02E4D2D1DDCD
jwtToken.keystore.type=mac
## OAuth2 Resource server configuration
oauth2.resSvc.audience=openedge.sample
oauth2.resSvc.tokenServices=jwt
The token is generated using website JWT.IO
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI3OTY1YmJhNC1iNjVkLTQyMTItYWRjNy02YmQyN2VmZjE4MGUiLCJ0b2tlbl91c2UiOiJhY2Nlc3MiLCJzY29wZSI6IlBTQ1VzZXIiLCJpc3MiOiJodHRwczovL25vZGVqc0pXVCIsImNsaWVudF9pZCI6IjEyMzQ1Njc4OSIsImlhdCI6MTUwOTIxMDIyOSwiZXhwIjoyNzA5MjEwMjU5LCJqdGkiOiI1aGwwdHo1NTQwZzg0Z2djc2trZ29zY28wMDBjY3MiLCJhdWQiOiJvcGVuZWRnZS5zYW1wbGUifQ.2CjfUEjOJ3cZq5QjXWLBXLnlKhgHsuhRBOzYG1gtZiw
signed as in the example with "password" which is also configured in jwtToken.macKey
Changing anything in the token will result in error messages that the token cannot be converted to JSON, so I conclude that Progress is able to convert the token to a JSON string. But still, as soon as I try to access GetClientPrincipal(), I get the message that the client-principal was corrupt.
So I'm still not able to use OAuth2/JWT authorization in our application, which is a requirement! The front-end makes use of an SSO authorization server that provides me with a token. When I'm not able to use that token, our application will be seen as insecure and not accepted by the product owner.
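As an added example (not code from the original post, and not Progress's own implementation), the following plain-Python script re-creates the checks that the jwtToken.* and oauth2.resSvc.* properties above describe: an HS256 signature check with the algorithm pinned to HS256, the audience check against oauth2.resSvc.audience, the exp check, and the scope-to-role mapping that jwtToken.mapScopeToRole / jwtToken.scopeToRolePrefix name in the second configuration further down. It decodes the claims of the token posted above; whether that token actually verifies is decided by the key you pass in, so the key, the helper names (decode_jwt, sign_hs256, verify_hs256, check_token, alg_none_token) and the constructed test payloads are all my own assumptions.

```python
"""Re-creation of the JWT checks a PASOE oauth2 resource server is configured
for above (added example; helper names and sample keys are assumptions)."""
import base64
import hashlib
import hmac
import json
import time

# The token from the post, copied verbatim (header.payload.signature).
POSTED_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiI3OTY1YmJhNC1iNjVkLTQyMTItYWRjNy02YmQyN2VmZjE4MGUiLCJ0b2tlbl91c2UiOiJhY2Nlc3MiLCJzY29wZSI6IlBTQ1VzZXIiLCJpc3MiOiJodHRwczovL25vZGVqc0pXVCIsImNsaWVudF9pZCI6IjEyMzQ1Njc4OSIsImlhdCI6MTUwOTIxMDIyOSwiZXhwIjoyNzA5MjEwMjU5LCJqdGkiOiI1aGwwdHo1NTQwZzg0Z2djc2trZ29zY28wMDBjY3MiLCJhdWQiOiJvcGVuZWRnZS5zYW1wbGUifQ."
    "2CjfUEjOJ3cZq5QjXWLBXLnlKhgHsuhRBOzYG1gtZiw"
)


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a compact JWS into (header, payload, signature bytes, signing input)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    signature = _b64url_decode(parts[2])
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return header, payload, signature, signing_input


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256 token the way jwt.io does for a shared MAC key."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(mac)}"


def alg_none_token(payload: dict) -> str:
    """Constructed attack input: an unsigned token claiming alg=none."""
    h = _b64url_encode(b'{"alg":"none"}')
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}."


def verify_hs256(token: str, key: bytes) -> bool:
    """True only if alg is HS256 and the HMAC-SHA256 over the signing input matches."""
    header, _, signature, signing_input = decode_jwt(token)
    # Pin the algorithm: jwtToken.signatureAlg=HS256 means a token that says
    # "none" (or an RS*/ES* alg) must never be accepted by a MAC-keyed verifier.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def scope_to_roles(payload: dict, scope_field: str = "scope", prefix: str = "scope.") -> list:
    """Mirror jwtToken.scopeNameField / jwtToken.scopeToRolePrefix: 'PSCUser' -> 'scope.PSCUser'."""
    scopes = payload.get(scope_field, "")
    if isinstance(scopes, str):
        scopes = scopes.split()
    return [prefix + s for s in scopes]


def check_token(token: str, key: bytes, audience: str, now: float = None) -> dict:
    """Run every check and report each outcome; 'ok' is True only if all passed."""
    now = time.time() if now is None else now
    result = {"signature": False, "audience": False, "not_expired": False, "roles": [], "ok": False}
    try:
        _, payload, _, _ = decode_jwt(token)
    except ValueError as exc:  # covers bad base64, bad JSON and bad segment count
        result["error"] = f"token cannot be converted to JSON: {exc}"
        return result
    result["signature"] = verify_hs256(token, key)
    aud = payload.get("aud")
    result["audience"] = audience in (aud if isinstance(aud, list) else [aud])
    result["not_expired"] = payload.get("exp", 0) > now
    result["roles"] = scope_to_roles(payload)
    result["ok"] = result["signature"] and result["audience"] and result["not_expired"]
    return result


if __name__ == "__main__":
    # "password" is the key the poster says the token was signed with; substitute yours.
    print(json.dumps(check_token(POSTED_TOKEN, b"password", "openedge.sample"), indent=2))
```

Run it with the audience set to openedge.sample and the posted token passes the audience and expiry checks (exp is 2709210259, far in the future); with the audience from the second configuration, pasoe.openedge.progress-users.com, the audience check fails even when the signature is good, which is a separate failure from the client-principal sealing problem the rest of the thread is about.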
BTW, the original example works for me. I just needed to remove the OEClientPrincipalFilter.key and use only OEClientPrincipalFilter.registryFile, and it works perfectly fine.
## login model
client.login.model=oauth2
## The clear-text key value is 'JWTkey'. The encrypted value is generated using 'genpassword'
OEClientPrincipalFilter.domain=JWTdomain
OEClientPrincipalFilter.registryFile=domreg.bin
## JWT token handler properties for jwtAuthFilter & oauth2.resSvc..
jwtToken.signatureAlg=HS256
jwtToken.macKey=oeph0::76E5F6C162276768465F02E4D2D1DDCD
jwtToken.keystore.type=mac
jwtToken.mapScopeToRole=true
jwtToken.scopeToRolePrefix=scope.
jwtToken.includeAllClaims=true
jwtToken.scopeNameField=scope
## OAuth2 Resource server configuration
oauth2.resSvc.audience=pasoe.openedge.progress-users.com
oauth2.resSvc.tokenServices=jwt
I am looking into it, will let you know why it is failing.
The problem seems to be with SECURITY-POLICY:SET-CLIENT(hCP). I need to see why it is failing, but for now to validate your CP, please replace that with the below code
hCP:validate-seal(<domain-access-code>) where <domain-access-code> is the one you used for sealing the CP. Let me know if that works.
So I tried (from the example):
hCP:validate-seal("1a051b2c373c").
hCP:validate-seal("JWTkey").
For both statements I get an error: CLIENT-PRINCIPAL:VALIDATE-SEAL failed because keys do not match (14541)
This is part of my log from idmstartup.p:
13/11/2018 13:40:20,173+01:00 loaded domain JWTdomain
13/11/2018 13:40:20,178+01:00 loaded key 1a051b2c373c
13/11/2018 13:40:20,186+01:00 loaded domain Google
13/11/2018 13:40:20,193+01:00 loaded key 373d20203e20383629
13/11/2018 13:40:20,200+01:00 loaded domain AWSDomain
13/11/2018 13:40:20,206+01:00 loaded key 11051c2c373c
I tried this and it worked.
lok = hCP:validate-seal("oech1::1a051b0c373c").
This is my full activate.p:
USING OpenEdge.Logging.ILogWriter FROM PROPATH.
USING OpenEdge.Logging.LoggerBuilder FROM PROPATH.

/* ******************** Preprocessor Definitions ******************** */

/* *************************** Main Block *************************** */
define variable hCP      as handle     no-undo.
define variable cReqName as character  no-undo.
define variable logger   as ILogWriter no-undo.
define variable lok      as logical    no-undo.

logger   = LoggerBuilder:GetLogger(this-procedure).
cReqName = session:current-request-info:ProcedureName.

/* GetClientPrincipal() hands back a copy of the request's client-principal;
   this procedure owns that handle and must delete it (see FINALLY) */
hCP = session:current-request-info:GetClientPrincipal().

/* Temporary check with the literal domain access code, as suggested above.
   The intended call is SECURITY-POLICY:SET-CLIENT, kept commented out for now. */
lok = hCP:validate-seal("oech1::1a051b0c373c").
//lok = security-policy:set-client(hCP).

if lok then
do:
    logger:Info('Client-Principal validation successful').
    run dumpCP.p (hCP, cReqName).
end.
else
do:
    logger:Error('Client-Principal cannot be validated').
    return error.
end.

catch e as Progress.Lang.Error:
    define variable iLoop as integer no-undo.
    /* log every message in the error, not just the first one */
    do iLoop = 1 to e:NumMessages:
        logger:Error(e:GetMessage(iLoop)).
    end.
end catch.
finally:
    /* guard the delete: hCP is unknown if GetClientPrincipal() itself threw */
    if valid-handle(hCP) then
        delete object hCP.
end finally.
With a little help from a colleague, I changed idmstartup.p to omit the oech1:: string while reading the domains.json file and add the oech1:: string in the domains.json file. So apparently there's a small bug in this program that causes a corrupt key value in the security registration.
hCP:validate-seal("oech1::1a051b2c373c"). will now be executed correctly.
Also a small bug-fix in dumpCP.p.
if ( p_hCP:qualified-user-id = "") OR ( p_hCP:qualified-user-id = ?) then
message " ID: '" + p_hCP:qualified-user-id + "'".
This will of course never give you a userid. So I changed it into
if ( p_hCP:qualified-user-id <> "") AND ( p_hCP:qualified-user-id <> ?) then
message " ID: '" + p_hCP:qualified-user-id + "'".
The only problem is that I don't want to use a key value in my code! So the use of the validate-seal method is not desired.
I still want to use SECURITY-POLICY:SET-CLIENT(hCP).
Should it be reported as a Progress Bug?
There are multiple ways of validating the ClientPrincipal. The one I followed is more secure, but for some reason it is failing, so I have to see why it is doing so.
You can also use validate-seal without providing the key if the registries are already loaded and locked. The one that you are trying right now is just to verify that things are working as expected. I will let you know why the default one in the document is not working and if it is a bug somewhere.
Glad that your roundtrip is working fine now.