An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found

I am trying to set up OAuth2-OpenID Connect with ForgeRock OpenAM integrated with Spring Security and am getting the following error:

2019-06-17 15:01:42.576 DEBUG 62255 --- [nio-8090-exec-2] .o.s.r.w.BearerTokenAuthenticationFilter : 
Authentication request for failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: 
An error occurred while attempting to decode the Jwt: 
Signed JWT rejected: Another algorithm expected, or no matching key(s) found

The JWK .well-known URI returns the following supported algorithms:

"id_token_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ]

The decoded JWT shows the following header:

{
  "typ": "JWT",
  "zip": "NONE",
  "alg": "HS256"
}

Is there a way I can set a specific JwtDecoder based on the value coming from the header or enforce AM to use one particular algorithm?

Underage answered 17/6, 2019 at 20:21 Comment(0)

The issue was with the configuration in the Access Management on the token encryption. It was blank, but for some reason the JWT header showed HS256, which caused Spring to look for the HS256 private key and fail. After I changed the setting to use RS256, everything started working.

Underage answered 23/6, 2019 at 1:39 Comment(1)
+1 For Keycloak 10.0.1, I had to do a similar setting: "Default Signature Algorithm" under Realm / Tokens set to RS256 (or whatever you prefer). – Dean

In my case, by default NimbusJwtDecoder was taking RS256 as the JWS algorithm. So I configured the JwtDecoder and provided the RS512 algorithm, which I found in my JWT header.

{ "alg": "RS512", "typ": "JWT" }

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // JWK set endpoint of the authorization server, taken from application properties
    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt()
                    .decoder(jwtDecoder());
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // Override the RS256 default so the decoder accepts the RS512 tokens this issuer signs
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                .jwsAlgorithm(SignatureAlgorithm.RS512)
                .build();
    }
}
Rhinoscopy answered 3/2, 2022 at 9:21 Comment(0)
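An added example (not code from the question or either answer above) that walks through, on the resource-server side, the two rejection reasons packed into the error message in the question: the decoder's configured algorithm allow-list is checked against the token header, then a key is looked up in the JWK set. An HS256 token can never be matched from an RSA-only JWK set because HMAC needs a shared secret, which is why switching AM to RS256 (accepted answer) or aligning the decoder's algorithm with the header (second answer) resolves it. The JWK set, tokens and secret below are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(header: dict, payload: dict, secret: bytes = b"") -> str:
    """Constructed token builder: a real HMAC tag for HS256, otherwise a placeholder
    signature, because only header parsing and key selection are exercised here."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    if header["alg"] == "HS256" and secret:
        sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    else:
        sig = b"constructed-placeholder"  # not a valid RSA signature
    return f"{signing_input}.{b64url_encode(sig)}"

# Constructed JWK set, like the one an AS/OP publishes: asymmetric signing keys only.
JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-1", "use": "sig", "alg": "RS256", "e": "AQAB", "n": "<omitted>"},
    {"kty": "RSA", "kid": "rsa-2", "use": "sig", "e": "AQAB", "n": "<omitted>"},
]}
KTY_FOR_ALG_PREFIX = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}

def select_key(token: str, allowed_algs: set, jwks: dict) -> str:
    """Reproduce the decoder's two rejection reasons from the error in the question.
    The configured allow-list decides which 'alg' is acceptable; the header never does."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    alg = header.get("alg", "")
    if alg not in allowed_algs:
        return f"rejected: another algorithm expected (header alg={alg}, allowed={sorted(allowed_algs)})"
    kid, kty = header.get("kid"), KTY_FOR_ALG_PREFIX.get(alg[:2])
    matches = [k for k in jwks["keys"]
               if k.get("kty") == kty and k.get("alg", alg) == alg
               and (kid is None or k.get("kid") == kid)]
    if not matches:
        return f"rejected: no matching key(s) found for alg={alg}"
    return f"accepted: verify with kid={matches[0]['kid']}"

def hs256_verify(token: str, secret: bytes) -> bool:
    """HS256 is only verifiable with the shared secret configured on the resource
    server; an RSA-only JWK set can never supply it."""
    h, p, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))
```

With the question's setup (header alg HS256, decoder defaulting to RS256) select_key reports "another algorithm expected"; widening the allow-list to include HS256 only moves the failure to "no matching key(s) found", since the JWK set holds no symmetric key.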

Yes, you can tell AM to use a specific signature algorithm for the OIDC ID token signature (https://backstage.forgerock.com/docs/am/6.5/oidc1-guide/#configure-oauth2-oidc-client-signing), but I suspect the client is not able to verify the signature because of the missing key.

Just to make sure ... you are aware that OAuth2 and OIDC are different topics?

Curlew answered 18/6, 2019 at 15:28 Comment(1)
Thanks Bernhard, but the key is present. OIDC is an extension to OAuth2, so I would not say that they are completely different topics. – Underage

Another way to get such errors is if there is a JWT URI inconsistency along the authentication path.

For example, the JWT issuer URI may have been hardcoded with a specific region or User Pool on the server side, such as "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi".

Be careful when using hardcoded values.

Menfolk answered 22/11, 2023 at 0:52 Comment(0)
