
JARM FAPI Test Failed: fapi1-advanced-final-ensure-request-object-signature-algorithm-is-not-none #310

Closed
HemantKMehta opened this issue Nov 30, 2021 · 1 comment
Labels
comp-jans-auth-server: Component affected by issue or PR
effort-2: Relative effort required for completion of issue or PR
kind-enhancement: Issue or PR is an enhancement to an existing functionality
priority-4: Minor issue or PR is not relevant to core functions, or relates to the usability of system
triaged: Issue or PR is fully triaged

Comments

@HemantKMehta (Contributor)

fapi1-advanced-final-ensure-request-object-signature-algorithm-is-not-none: https://www.certification.openid.net/log-detail.html?log=CTASTrHrHeRsAvk&public=true

Expected Result:
This test should end with the authorization server showing an error message that the request object is invalid (a screenshot of which should be uploaded) or with the user being redirected back to the conformance suite with a correct error response.

Actual Result:
This test also fails with ExtractJARMFromURLQuery: Couldn't find response in callback_query_params. When I look at the logs, they say nbf is null:

2021-11-24 09:55:56,323 ERROR [qtp6519275-52] [jans.as.server.model.authorize.JwtAuthorizationRequest] (JwtAuthorizationRequest.java:542) - nbf claim is not set, nbf: null
2021-11-24 09:55:56,323 DEBUG [qtp6519275-52] [as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:821) - Invalid JWT authorization request. nbf claim is not set
2021-11-24 09:55:56,323 DEBUG [qtp6519275-52] [io.jans.as.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:76) - Looking for the error with id: invalid_request
2021-11-24 09:55:56,324 DEBUG [qtp6519275-52] [io.jans.as.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:81) - Found error, id: invalid_request
2021-11-24 09:55:56,324 ERROR [qtp6519275-52] [as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:777) - HTTP 302 Found
javax.ws.rs.WebApplicationException: HTTP 302 Found
	at io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl.validateJwtRequest(AuthorizeRestWebServiceImpl.java:824) ~[classes/:?]
	at io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl.requestAuthorization(AuthorizeRestWebServiceImpl.java:462) ~[classes/:?]
	at io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl.requestAuthorizationGet(AuthorizeRestWebServiceImpl.java:187) ~[classes/:?]
	at io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl$Proxy$_$$_WeldClientProxy.requestAuthorizationGet(Unknown Source) ~[classes/:?]

jans-auth.log for reference: jans-auth.log (attached)

Debugging Hints

There has to be something wrong here during computing the JWE (jweDecrypter.decrypt(encodedJwt)) in these lines: https://github.com/JanssenProject/jans-auth-server/blob/master/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java#L141-L160

nbf and other fields are NULL in the loadPayload method of JwtAuthorizationRequest (please see the debugging screenshot; the debug point was on line https://github.com/JanssenProject/jans-auth-server/blob/master/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java#L307),

[Screenshot from 2021-11-30 15-45-17]

whereas nbf is not null in the request JWT (please see the screenshot of the request from jwt.io):

[Screenshot from 2021-11-30 15-53-18]

https://github.com/JanssenProject/jans-auth-server/blob/master/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java#L215-L307
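The conformance test above expects the authorization server to reject a request object whose JOSE header says alg=none, and the log shows the server instead reporting a missing nbf claim even though the payload carries one. The following is an added example, not code from jans-auth-server or from the issue's author: a minimal request-object validator that applies the checks in the order an AS should, so the algorithm policy is enforced before any claim is consulted and an unsigned object gets an algorithm error rather than a misleading nbf error. The HS256 verifier, the demo key, the claim values and the timestamps are assumptions made so the block runs on the Python standard library; FAPI 1.0 Advanced itself only permits PS256 or ES256 for request objects and requires exp to be no more than 60 minutes after nbf, and the error code name invalid_request_object is the one defined by OpenID Connect Core.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional, Tuple

MAX_LIFETIME_SECONDS = 60 * 60  # FAPI 1.0 Advanced: exp at most 60 minutes after nbf


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def verify_hs256(key: bytes, signing_input: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(hs256_sign(key, signing_input), signature)


# Assumed allowlist for this example: only HS256 is wired up so the block runs on the
# standard library. A real FAPI 1.0 Advanced deployment would register PS256/ES256
# verifiers here and nothing else. alg=none is never a key, so it is never accepted.
VERIFIERS: Dict[str, Callable[[bytes, bytes, bytes], bool]] = {"HS256": verify_hs256}


def build_jws(header: dict, payload: dict, key: bytes = b"") -> str:
    """Compact JWS; for alg 'none' the third segment is empty (RFC 7519 section 6.1)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    if header.get("alg") == "none":
        return signing_input + "."
    return signing_input + "." + b64url_encode(hs256_sign(key, signing_input.encode()))


def decode_request_object(token: str) -> Tuple[dict, dict, bytes, bytes]:
    """Parse header and claims WITHOUT trusting either. The claims of an alg=none object
    are still readable, which is why the error reported should name the alg, not nbf."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, (parts[0] + "." + parts[1]).encode(), b64url_decode(parts[2])


def validate_request_object(token: str, key: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks run in the order an AS should apply them."""
    now = int(time.time()) if now is None else now
    try:
        header, claims, signing_input, signature = decode_request_object(token)
    except (ValueError, UnicodeDecodeError):
        return False, "invalid_request_object: malformed JWT"

    # 1. Algorithm policy first: alg=none and any alg outside the allowlist are
    #    rejected before the claims are looked at.
    alg = header.get("alg")
    if alg == "none" or alg not in VERIFIERS:
        return False, "invalid_request_object: alg %r not permitted" % (alg,)

    # 2. Signature must verify under the key bound to the client.
    if not VERIFIERS[alg](key, signing_input, signature):
        return False, "invalid_request_object: signature verification failed"

    # 3. FAPI claim checks: nbf and exp required, exp within 60 minutes of nbf,
    #    and the object must be inside its validity window right now.
    for claim in ("nbf", "exp"):
        if not isinstance(claims.get(claim), int):
            return False, "invalid_request_object: %s claim is not set" % claim
    if claims["exp"] - claims["nbf"] > MAX_LIFETIME_SECONDS:
        return False, "invalid_request_object: exp more than 60 minutes after nbf"
    if claims["nbf"] > now or claims["exp"] <= now:
        return False, "invalid_request_object: outside nbf/exp window"
    return True, "ok"


# Constructed sample modelled on the conformance test: an alg=none request object whose
# payload does carry nbf. All values are made up for this example.
NOW = 1_700_000_000
SAMPLE_CLAIMS = {"iss": "client-id", "aud": "https://as.example", "response_type": "code id_token",
                 "nbf": NOW - 10, "exp": NOW + 600}
NONE_TOKEN = build_jws({"alg": "none"}, SAMPLE_CLAIMS)
SIGNED_TOKEN = build_jws({"alg": "HS256", "typ": "JWT"}, SAMPLE_CLAIMS, b"demo-secret")

if __name__ == "__main__":
    print(decode_request_object(NONE_TOKEN)[1]["nbf"])  # nbf is present even for alg=none
    print(validate_request_object(NONE_TOKEN, b"demo-secret", NOW))
    print(validate_request_object(SIGNED_TOKEN, b"demo-secret", NOW))
```

Running the block shows the two behaviours the test distinguishes: the alg=none object decodes with nbf present but is refused on algorithm grounds, while the same claims under a permitted, correctly signed algorithm pass. The signature check uses the alg taken from the header only after that alg has been confirmed to be in the allowlist, so a header claiming HS256 with an empty signature segment fails verification instead of being treated as unsigned.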

@ghost ghost assigned HemantKMehta Jan 5, 2022
@ossdhaval ossdhaval transferred this issue from another repository Jan 13, 2022
@ossdhaval ossdhaval added the comp-jans-auth-server, effort-2, kind-enhancement, priority-4 and triaged labels Jan 13, 2022
moabu pushed a commit that referenced this issue Jan 13, 2022
Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>
moabu pushed a commit that referenced this issue Jan 13, 2022
Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>
HemantKMehta added a commit that referenced this issue Feb 7, 2022
Fix to ensure none signature algorithm JARM issue #310
yuriyz pushed a commit that referenced this issue Feb 7, 2022
* fix: none signature algorithm jarm issue 310

Fix to ensure none signature algorithm JARM issue #310

* fix: none signature algorithm jarm issue no 310

fix to ensure rejecting none signature algorithm JARM issue no 310

* fix: none signature algorithm JARM issue no 310

fix to ensure rejection of none signature algorithm for JARM issue no 310
@HemantKMehta (Contributor, Author)

It is resolved by this PR #786.


3 participants