Signed JWT rejected: Another algorithm expected, or no matching key(s) ?
New Member | Posts: 3 | Join Date: 6/21/21
I am trying to implement the OpenID Connect authentication flow with Auth0 as my provider. My provider instance is set to encrypt using RS256, and my Liferay installation has also been set to use RS256, both in my system and instance settings. I have filled out all the relevant information regarding endpoints in the Liferay settings pages, and I believe those to be accurate. But the DefaultJWTProcessor class in the Nimbus library still expects the HS256 algorithm for some reason? How do I fix it?
com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.<clinit>(DefaultJWTProcessor.java:99)
    at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:285)
    at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:224)
    at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.validateToken(OpenIdConnectServiceHandlerImpl.java:645)
Thanks in advance :)
RE: Signed JWT rejected: Another algorithm expected, or no matching key(s)
New Member | Posts: 7 | Join Date: 6/1/12
Hi, did you manage to get any solution for that?
RE: Signed JWT rejected: Another algorithm expected, or no matching key(s)
New Member | Posts: 8 | Join Date: 7/11/12
This is a bug in Liferay's source that is causing it to not work with Auth0. Auth0 supports two JWT algorithms, HS256 and RS256. They are returned in that order, as the supported algorithms [ HS256, RS256 ].
Liferay 7.3 does not support HS256, only RS256. However, the OpenID module does not handle the list of supported algorithms properly. The code takes the first one in the list, HS256 in this case. What it should do is loop through the list looking for a supported algorithm and then select it.
This is the file with the problem:
portal-security-sso/portal-security-sso-openid-connect-impl/src/main/java/com/liferay/portal/security/sso/openid/connect/internal/OpenIdConnectMetadataFactoryImpl.java
Line 232:
if (ListUtil.isNotEmpty(jwsAlgorithms)) {
    // Hardcoded position in the provider's list; index 1 is the ext-module change
    // (the original source uses 0) so that RS256 is picked from [ HS256, RS256 ]
    _oidcClientMetadata.setIDTokenJWSAlg(jwsAlgorithms.get(1));
}
In an ext module we changed 0 to 1, so it would select RS256 in the list of [ HS256, RS256 ].
The best solution is if on lines 226 and 233 you looped through looking for supported algorithms instead of hardcoding 0, the first item in the list. Hopefully Liferay can fix the code to not hardcode 0.
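To make the selection rule described above concrete, here is an added Python sketch of the logic (not Liferay's or Nimbus's code): the discovery metadata and the ID token are constructed sample values, and the two selectors contrast the index-0 pick with a walk over the provider's advertised list that keeps only a client-supported algorithm and fails closed when there is no overlap.

```python
import base64
import json

# Constructed sample OIDC discovery metadata: the provider advertises HS256 first,
# then RS256, mirroring the order described in the thread.
PROVIDER_METADATA = {
    "issuer": "https://provider.example/",  # placeholder issuer, not a real tenant
    "id_token_signing_alg_values_supported": ["HS256", "RS256"],
}

# Algorithms the relying party is configured to accept (RS256 only, as in the thread).
CLIENT_SUPPORTED_ALGS = ("RS256",)


def select_first_advertised(provider_metadata):
    """Buggy selection: take whatever the provider lists first (index 0)."""
    algs = provider_metadata["id_token_signing_alg_values_supported"]
    return algs[0] if algs else None


def select_supported_alg(provider_metadata, client_supported=CLIENT_SUPPORTED_ALGS):
    """Fixed selection: keep the first advertised algorithm the client supports."""
    for alg in provider_metadata["id_token_signing_alg_values_supported"]:
        if alg in client_supported:
            return alg
    return None  # no overlap: fail closed instead of guessing


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jws_header_alg(token):
    """Return the alg declared in the protected header of a compact-serialised JWS."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return header.get("alg")


def precheck_id_token(token, expected_alg):
    """Mimic the validator's first gate: reject when the header alg differs from the negotiated one."""
    if expected_alg is None:
        return "rejected: no supported algorithm negotiated"
    actual = jws_header_alg(token)
    if actual != expected_alg:
        return f"rejected: another algorithm expected (got {actual}, expected {expected_alg})"
    return "accepted for signature verification"


def make_token(alg):
    """Constructed token with only a header; payload and signature are placeholders."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return f"{header.rstrip(b'=').decode()}.e30.sig"
```

The RS256-signed token clears the precheck only when the negotiated algorithm was chosen from the client's allowlist; the index-0 choice negotiates HS256 and reproduces the "Another algorithm expected" rejection.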
RE: Signed JWT rejected: Another algorithm expected, or no matching key(s)
New Member | Posts: 4 | Join Date: 8/30/16
This issue was added to Jira:
https://issues.liferay.com/browse/LPS-138756
Thanks for reporting @Susie AB and thanks for the investigation @Cameron McBride