DevHeads.net

JWT could not be decrypted

Hi all,
We receive this error in the log file, "JWT could not be decrypted", and I give details below; we would need a bit of help to figure out the cause of the error.

In my understanding the IdP exposes an HTTP endpoint called jwks where the set of keys and the associated encryption types (symmetric or asymmetric) and algorithms (e.g. RSA with SHA256) are published.
Then when, e.g., the token endpoint responds with some JWT tokens (id, access, refresh), the httpd oidc module tries the keys with the algorithms until one succeeds.

Our jwks endpoint returns:
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "alg": "RS256",
      "n": "..",
      "e": ".."
    }
  ]
}

All the errors in the log are, in order:

[auth_openidc:error] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1031]

[auth_openidc:error] oidc_authorization_response_match_state: unable to restore state

[auth_openidc:error] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error..

As a side note, we are behind a corporate firewall with basic auth, and I configured it with ProxyRemote, sending the Authorization: Basic header manually on all requests. It seems to have got past the previous error (connection timeout), so I think it connects well to the IdP.
As another side note, I am doing part of the flow in the browser and part of it in curl (because in some requests I need to go through an HTTP proxy, while in others I need to use the proxy, and the browser is forced into proxy usage for security reasons). So there may be some cookies or other things missing, as a potential cause.

Could you help me investigate the cause of the error below?
Thank you very much,

Nicolae MARASOIU
Technical Leader

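To check the hypothesis in the post (that the module walks the JWKS keys and algorithms until one fits), here is an added Python example, not code from the original post or from mod_auth_openidc. It classifies a compact token as JWS or JWE by its segment count, reads the protected header, and filters a JWKS for keys whose kty, use, alg and kid could serve that header, reporting why nothing matched when that is the case. The JWKS (modelled on the one in the post, with placeholder n/e and an invented kid), the two sample tokens and the algorithm-prefix table are constructed assumptions; the prefix table is a simplification of the JWA registry.

```python
import base64
import json

# Constructed sample JWKS modelled on the one in the post: a single RSA signing key.
# "n" and "e" are placeholders, not real key material; "kid" is also made up.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "sig-1", "n": "..", "e": ".."}
    ]
}

# Key type each JOSE algorithm prefix needs (simplified from the JWA registry;
# longer prefixes come first so "RSA-OAEP" and "ECDH-ES" match before "RS"/"ES").
_ALG_PREFIX_TO_KTY = {
    "ECDH": "EC", "EdDSA": "OKP", "PBES2": "oct", "RSA": "RSA",
    "RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct", "dir": "oct", "A": "oct",
}


def _kty_for_alg(alg: str):
    """Return the JWK key type an algorithm needs, or None if unknown."""
    for prefix, kty in _ALG_PREFIX_TO_KTY.items():
        if alg.startswith(prefix):
            return kty
    return None


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used by JWT compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify(token: str) -> str:
    """A compact JWS has 3 dot-separated segments; a compact JWE has 5."""
    segments = token.count(".") + 1
    if segments == 3:
        return "JWS"
    if segments == 5:
        return "JWE"
    raise ValueError(f"not a compact JWT: {segments} segments")


def protected_header(token: str) -> dict:
    """Both serializations start with a base64url-encoded JSON header."""
    return json.loads(b64url_decode(token.split(".")[0]))


def candidate_keys(token: str, jwks: dict) -> list:
    """Keys whose kid, use, alg and kty are compatible with the token header."""
    kind = classify(token)
    hdr = protected_header(token)
    alg = hdr.get("alg", "")
    want_use = "sig" if kind == "JWS" else "enc"
    want_kty = _kty_for_alg(alg)
    matches = []
    for key in jwks.get("keys", []):
        if "kid" in hdr and key.get("kid") not in (None, hdr["kid"]):
            continue                      # explicit kid that does not match
        if key.get("use") not in (None, want_use):
            continue                      # a "sig" key cannot decrypt a JWE
        if key.get("alg") not in (None, alg):
            continue                      # key pinned to a different algorithm
        if want_kty and key.get("kty") != want_kty:
            continue                      # wrong key type for this algorithm family
        matches.append(key)
    return matches


def diagnose(token: str, jwks: dict) -> str:
    """One-line verdict on whether this JWKS could serve the token at all."""
    kind = classify(token)
    hdr = protected_header(token)
    alg = hdr.get("alg", "")
    keys = candidate_keys(token, jwks)
    if keys:
        return f"{kind} alg={alg}: {len(keys)} candidate key(s) {[k.get('kid') for k in keys]}"
    offered = sorted({(k.get("kty"), k.get("use")) for k in jwks.get("keys", [])})
    need = "signature verification" if kind == "JWS" else "decryption"
    enc = f" enc={hdr['enc']}" if "enc" in hdr else ""
    return (f"{kind} alg={alg}{enc}: no usable key; {need} needs a kty={_kty_for_alg(alg)} "
            f"key with use={'sig' if kind == 'JWS' else 'enc'}, but the JWKS offers "
            f"(kty, use) = {offered}")


def _compact(header: dict, *segments: bytes) -> str:
    """Build a compact token from a header and raw segments (constructed, not signed)."""
    parts = [b64url_encode(json.dumps(header, separators=(",", ":")).encode())]
    return ".".join(parts + [b64url_encode(s) for s in segments])


# Constructed tokens: a 3-segment JWS signed with the published key's kid, and a
# 5-segment JWE using direct symmetric encryption (empty encrypted-key segment).
SAMPLE_JWS = _compact({"alg": "RS256", "kid": "sig-1"}, b'{"sub":"alice"}', b"\x00" * 8)
SAMPLE_JWE = _compact({"alg": "dir", "enc": "A256GCM"}, b"", b"\x01" * 12, b"\x02" * 16, b"\x03" * 16)

if __name__ == "__main__":
    for tok in (SAMPLE_JWS, SAMPLE_JWE):
        print(diagnose(tok, SAMPLE_JWKS))
```

Run it against the real token and the real JWKS document by replacing the two constructed samples; the first thing it tells you is whether the token is a JWS or a JWE, which decides whether a use="sig" RS256 key could ever apply.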

Comments

Re: JWT could not be decrypted

By Jonathon Koyle at 01/08/2019 - 15:54

Doesn't it use the authorization header? Is it possible that you are overriding the provided JWT token when you set the header for your basic auth?

On Tue, Jan 8, 2019, 09:06 MARASOIU Nicolae-dumitru (renexter) <

RE: JWT could not be decrypted

By MARASOIU Nicola... at 01/09/2019 - 03:03

Hi Jonathon and all,
The error is received upon parsing the response from the IdP token endpoint, so I believe the single RS256 public key provided by jwks could not be properly used to decrypt the JWT id token or JWT access token, but I will try to verify this hypothesis.
Thank you,
Nicu
