RE: Id token encryption problem with OpenID Connect identity provider

Teddy Kossoko, modified 6 Years ago. Junior Member Posts: 42 Join Date: 3/5/18

Hello,

I'm trying to use Gluu as an OpenID Connect identity provider for Liferay. I ran into the following error: "Caused by: com.nimbusds.oauth2.sdk.GeneralException: Missing required ID token JWE encryption method for RSA1_5". It leads me to believe that Liferay is expecting the ID token to be encrypted, although that's not required by the OpenID Connect standard. I tried different encryption algorithm settings inside of Gluu. But it seems like I need a Liferay public encryption key (JWKS) or the URI where those keys can be accessed (JWKS URI), because without it I'm getting another error: "NullPointerException: null".

Thanks for the help.

Teddy Kossoko, modified 6 Years ago. Junior Member Posts: 42 Join Date: 3/5/18

Please, could you help me?

David Bougearel, modified 6 Years ago. Junior Member Posts: 54 Join Date: 6/30/16

Hi Teddy,

The message given came from the nimbusds library, where the OIDCClientInformation given by Liferay does not provide the expected IDTokenJWEEnc.

In order to make it work, you need to address two points: first, override the OpenIdConnectMetadataFactory to add the IDTokenJWEEnc when the OIDCClientMetadata is built; second, override the OpenIDConnect configuration to be able to add this new parameter from the UI.

Best regards,

David.

Jack Bakker, modified 5 Years ago. Liferay Master Posts: 978 Join Date: 1/3/10
I am also seeing this issue when trying to configure Liferay v7.2.1 as OIDC client to Apereo CAS v6.1 as OIDC provider. "Unable to instantiate token validator: Missing required ID token JWE encryption method for RSA1_5". In Apereo CAS, there is a service config for "encryptIdToken": false, but this doesn't make a difference to Liferay. 

Tomas Polesovsky, modified 5 Years ago. Liferay Master Posts: 677 Join Date: 2/13/09
I believe JWE is not supported on Liferay side yet. Only JWS.
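
A quick way to see which side of the mismatch discussed in this thread applies, as an added example that is not part of any post and is not Liferay, Gluu, CAS or Nimbus code: it reads the protected header of a captured ID token to tell a signed JWS from an encrypted JWE and compares that with what the client is registered to expect. The function names and sample tokens are constructed for illustration; the metadata keys are the standard OpenID Connect client registration parameter names.

```python
import base64
import json

def _b64url_json(segment):
    """Decode one base64url segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def classify_id_token(token):
    """Return (kind, alg, enc); only the header is read, nothing is verified."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a compact JWS (3 parts) or JWE (5 parts)")
    header = _b64url_json(parts[0])
    return ("JWE" if len(parts) == 5 else "JWS"), header.get("alg"), header.get("enc")

def check_expectation(client_metadata, token):
    """List mismatches between the client's registration and the issued token."""
    want_alg = client_metadata.get("id_token_encrypted_response_alg")
    want_enc = client_metadata.get("id_token_encrypted_response_enc")
    kind, alg, enc = classify_id_token(token)
    findings = []
    if want_alg and not want_enc:
        findings.append(f"client expects JWE alg {want_alg} but no enc is configured")
    if want_alg and kind == "JWS":
        findings.append("client expects an encrypted ID token, provider sent a signed-only JWS")
    if not want_alg and kind == "JWE":
        findings.append(f"provider sent a JWE ({alg}/{enc}) but the client expects JWS only")
    if want_alg and kind == "JWE" and (alg, enc) != (want_alg, want_enc):
        findings.append(f"JWE header {alg}/{enc} differs from expected {want_alg}/{want_enc}")
    return findings

def _seg(obj):
    """Hypothetical helper: base64url-encode a dict for the constructed samples."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed tokens: real-looking headers, placeholder payload/signature/ciphertext.
SAMPLE_JWS = ".".join([_seg({"alg": "RS256"}), _seg({"sub": "demo"}), "c2ln"])
SAMPLE_JWE = ".".join([_seg({"alg": "RSA1_5", "enc": "A128CBC-HS256"}),
                       "a2V5", "aXY", "Y3Q", "dGFn"])

if __name__ == "__main__":
    # Client registered with a JWE alg but no enc, provider issuing plain JWS.
    alg_only = {"id_token_encrypted_response_alg": "RSA1_5"}
    for finding in check_expectation(alg_only, SAMPLE_JWS):
        print(finding)
```

An empty result means the token format matches the client's registration; the token is neither verified nor decrypted here, so this is a configuration check only.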