Error message: client-principal validation failed in Session

Posted by wvdgraaf on 13-Nov-2018 08:30

Next try for the same question in another group.... OpenEdge PASOE version 11.7.4

I try to follow the steps in the https://community.progress.com/community_groups/openedge_development/m/documents/3396/download document.

But whenever I try to issue the command: hCP = session:current-request-info:GetClientPrincipal(). I get the error message: client-principal validation failed in Session because - The client-principal was corrupt (16385)

oeablSecurity.properties contents:

## login model

client.login.model=oauth2

## The clear-text key value is 'JWTkey'. The encrypted value is generated using 'genpassword'
OEClientPrincipalFilter.domain=JWTdomain
OEClientPrincipalFilter.key=oech1::1a051b0c373c
OEClientPrincipalFilter.registryFile=oauth2reg.bin

## JWT token handler properties for jwtAuthFilter & oauth2.resSvc..
jwtToken.signatureAlg=HS256
jwtToken.macKey=oeph0::76E5F6C162276768465F02E4D2D1DDCD
jwtToken.keystore.type=mac

## OAuth2 Resource server configuration
oauth2.resSvc.audience=openedge.sample
oauth2.resSvc.tokenServices=jwt

The token is generated using website JWT.IO

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI3OTY1YmJhNC1iNjVkLTQyMTItYWRjNy02YmQyN2VmZjE4MGUiLCJ0b2tlbl91c2UiOiJhY2Nlc3MiLCJzY29wZSI6IlBTQ1VzZXIiLCJpc3MiOiJodHRwczovL25vZGVqc0pXVCIsImNsaWVudF9pZCI6IjEyMzQ1Njc4OSIsImlhdCI6MTUwOTIxMDIyOSwiZXhwIjoyNzA5MjEwMjU5LCJqdGkiOiI1aGwwdHo1NTQwZzg0Z2djc2trZ29zY28wMDBjY3MiLCJhdWQiOiJvcGVuZWRnZS5zYW1wbGUifQ.2CjfUEjOJ3cZq5QjXWLBXLnlKhgHsuhRBOzYG1gtZiw

signed as in the example with "password" which is also configured in jwtToken.macKey

Changing anything in the token will result in error messages that the token cannot be converted to json, so I conclude that Progress is able to convert the token to a json string. But still as soon as I try to access GetClientPrincipal(). I get the message that the client-principal was corrupt.

So I'm still not able to use oauth2/jwt authorization in our application, which is a requirement! The front-end makes use of a SSO authorization server that provides me with a token. When I'm not able to use that token, our application will be seen as insecure and not accepted by the product-owner.
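
As an added illustration (not code from this thread or from Progress), the following Python script reproduces, offline, the checks the jwtAuthFilter / oauth2.resSvc settings above impose on a bearer token: an HS256 signature under the clear-text jwtToken.macKey, an aud claim equal to oauth2.resSvc.audience, and an unexpired exp. It lets you confirm the token itself is acceptable before looking at the client-principal seal, which is where this thread's error actually comes from. The claim values are constructed to match the shape of the sample token, not its real contents.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, mac_key: str) -> str:
    """Build a compact HS256 JWT, as jwt.io does for the sample token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(mac_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256_token(token: str, mac_key: str, audience: str, now=None):
    """Return (ok, reason, claims); mirrors jwtToken.macKey / oauth2.resSvc.audience checks."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "token is not header.payload.signature", None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:  # binascii.Error and JSONDecodeError both derive from ValueError
        return False, "token cannot be converted to json", None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # token must not pick the alg
        return False, "alg is not HS256", None
    expected = hmac.new(mac_key.encode(), (head_b64 + "." + body_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature does not match jwtToken.macKey", None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud does not match oauth2.resSvc.audience", None
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        return False, "token expired", None
    return True, "ok", claims

# Constructed claims in the shape of the thread's sample token (not the real values).
SAMPLE_CLAIMS = {"sub": "user-1234", "scope": "PSCUser", "iss": "https://nodejsJWT",
                 "aud": "openedge.sample", "iat": 1509210229, "exp": 2709210259}
```

Paste the real token string from the front-end into verify_hs256_token with the clear-text macKey and the configured audience; a "signature" or "aud" reason points at the JWT side, while a token that verifies here but still yields error 16385 points at the domain key registry, as the rest of the thread shows.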

Posted by Irfan on 13-Nov-2018 15:12

BTW, the original example works for me. I just needed to remove the OEClientPrincipalFilter.key and use only OEClientPrincipalFilter.registryFile and it works perfectly fine.

## login model
client.login.model=oauth2

## The clear-text key value is 'JWTkey'. The encrypted value is generated using 'genpassword'
OEClientPrincipalFilter.domain=JWTdomain
OEClientPrincipalFilter.registryFile=domreg.bin

## JWT token handler properties for jwtAuthFilter & oauth2.resSvc..
jwtToken.signatureAlg=HS256
jwtToken.macKey=oeph0::76E5F6C162276768465F02E4D2D1DDCD
jwtToken.keystore.type=mac
jwtToken.mapScopeToRole=true
jwtToken.scopeToRolePrefix=scope.
jwtToken.includeAllClaims=true
jwtToken.scopeNameField=scope

## OAuth2 Resource server configuration
oauth2.resSvc.audience=pasoe.openedge.progress-users.com
oauth2.resSvc.tokenServices=jwt

All Replies

Posted by Irfan on 13-Nov-2018 11:27

I am looking into it, will let you know why it is failing.

Posted by Irfan on 13-Nov-2018 12:18

The problem seems to be with SECURITY-POLICY:SET-CLIENT(hCP). I need to see why it is failing, but for now to validate your CP, please replace that with the below code

hCP:validate-seal(<domain-access-code>) where <domain-access-code> is the one you used for sealing the CP. Let me know if that works.

Posted by wvdgraaf on 13-Nov-2018 12:44

So I tried (from the example):

hCP:validate-seal("1a051b2c373c").

hCP:validate-seal("JWTkey").

For both statements I get an error: CLIENT-PRINCIPAL:VALIDATE-SEAL failed because keys do not match (14541)

This is part of my log from idmstartup.p:

13/11/2018 13:40:20,173+01:00 loaded domain JWTdomain
13/11/2018 13:40:20,178+01:00 loaded key 1a051b2c373c
13/11/2018 13:40:20,186+01:00 loaded domain Google
13/11/2018 13:40:20,193+01:00 loaded key 373d20203e20383629
13/11/2018 13:40:20,200+01:00 loaded domain AWSDomain
13/11/2018 13:40:20,206+01:00 loaded key 11051c2c373c

Posted by Irfan on 13-Nov-2018 14:21

I tried this and it worked.

lok = hCP:validate-seal("oech1::1a051b0c373c").

This is my full activate.p

USING OpenEdge.Logging.ILogWriter FROM PROPATH.
USING OpenEdge.Logging.LoggerBuilder FROM PROPATH.

/* ********************  Preprocessor Definitions  ******************** */

/* ***************************  Main Block  *************************** */

define variable hCP      as handle     no-undo.
define variable cReqName as char       no-undo.
DEFINE VARIABLE logger   AS ILogWriter NO-UNDO.
def    var      lok      as logical    no-undo.

logger = LoggerBuilder:GetLogger(THIS-PROCEDURE).

cReqName = session:current-request-info:procedureName.
hCP = session:current-request-info:GetClientPrincipal().

/* Validate the seal directly with the domain access code
   (the same value as OEClientPrincipalFilter.key). */
lok = hCP:validate-seal("oech1::1a051b0c373c").
//lok = SECURITY-POLICY:SET-CLIENT(hCP).

if (lok) then
do:
   logger:Info('Client-Principal validation successful').
   run dumpCP.p (hCP,cReqName).
end.
else
do:
   logger:Error('Client-Principal cannot be validated').
   return error.
end.

CATCH e AS Progress.Lang.Error :
   define variable iLoop as integer no-undo.
   do iLoop = 1 to e:NumMessages:
       logger:Error(e:GetMessage(iLoop)).
   end.
END CATCH.

FINALLY:
   delete object hCP.
END FINALLY.

Posted by wvdgraaf on 13-Nov-2018 14:36

With a little help from a colleague, I changed idmstartup.p to omit the oech1:: string while reading the domains.json file and add the oech1:: string in the domains.json file. So apparently there's a small bug in this program that causes a corrupt key value in the security registration.

hCP:validate-seal("oech1::1a051b2c373c"). will now be executed correctly.

Also a small bug-fix in dumpCP.p.

     if ( p_hCP:qualified-user-id = "") OR ( p_hCP:qualified-user-id = ?) then

         message "    ID:         '" + p_hCP:qualified-user-id + "'".

This will of course never give you a userid. So I changed it into

     if ( p_hCP:qualified-user-id <> "") AND ( p_hCP:qualified-user-id <> ?) then

         message "    ID:         '" + p_hCP:qualified-user-id + "'".

Only problem is that I don't want to use a key-value in my code! So the use of the validate-seal method is not desired.

I still want to use SECURITY-POLICY:SET-CLIENT(hCP).

Should it be reported as a Progress Bug?

Posted by Irfan on 13-Nov-2018 14:45

There are multiple ways of validating the ClientPrincipal. The one I followed is much more secure but for some reason it is failing so I have to see why it is doing so.

You can also use validate-seal without providing the key if the registries are already loaded and locked. The one that you are trying right now is just to verify that things are working as expected. I will let you know why the default one in the document is not working and if it is a bug somewhere.

Glad that your roundtrip is working fine now.

This thread is closed