Word - ForgeRock JIRA

[OPENIG-379] Improve logging when JWT sessions are using random keys
Created: 15/Nov/14 Updated: 05/Jan/16 Resolved: 20/Nov/14
Status: Closed
Project: OpenIG
Component/s: Core
Affects Version/s: 3.1.0
Fix Version/s: 3.1.0
Type: Bug
Reporter: Matthew Swift
Resolution: Fixed
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Sprint: 3.1 - QA sprint / bug fixing
Priority: Major
Assignee: Matthew Swift
Votes: 0
Description
Steps to reproduce:
1. start OpenIG with JWT session support enabled
2. perform some action (e.g. OAuth2 client auth) which causes the session to be populated
3. access OpenIG several times: verify that session is re-usable
4. restart OpenIG
5. access OpenIG again: JWT session decryption fails:
2014-11-15 22:03:28.446:INFO:oejs.ServerConnector:main: Started ServerConnector@1d1a373{HTTP/1.1}{0.0.0.0:8081}
2014-11-15 22:03:28.446:INFO:oejs.Server:main: Started @5391ms
[INFO] Started Jetty Server
[INFO] Starting scanner at interval of 10 seconds.
2014-11-15T21:03:59Z:_Router.log:INFO:Added route '02-protected.json' defined in file '/home/matt/.openig/config/routes/02-protected.json'
2014-11-15T21:03:59Z:_Router.log:INFO:Added route '01-unprotected.json' defined in file '/home/matt/.openig/config/routes/01-unprotected.json'
2014-11-15T21:03:59Z:JwtSession.log:WARNING:Cannot rebuild JWT Session from Cookie
session'
2014-1115T21:03:59Z:JwtSession.throwable:WARNING:org.forgerock.json.jose.exceptions.JweDecr
javax.crypto.BadPaddingException: Decryption
error:org.forgerock.json.jose.exceptions.JweDecryptionException: javax.crypto.BadPad
Decryption error
2014-11-15T21:03:59Z:JwtSession.log:WARNING:Cannot rebuild JWT Session from Cookie
session'
2014-1115T21:03:59Z:JwtSession.throwable:WARNING:org.forgerock.json.jose.exceptions.JweDecr
javax.crypto.BadPaddingException: Decryption
error:org.forgerock.json.jose.exceptions.JweDecryptionException: javax.crypto.BadPad
Decryption error
The problem is reproducible regardless of JDK version.
Importantly, I suspect this means that JWT sessions are not portable between OpenIG instances. In other words,
in a load-balanced environment, which is their primary use case, hence I'm marking this as critical.
Comments
Comment by Matthew Swift [ 15/Nov/14 ]
I suspect the cause is that JWT sessions are encrypted using a key which is somehow locked to the JVM instance
Comment by Matthew Swift [ 15/Nov/14 ]
In fact, I only need to reconfigure (restart) a route for the problem to occur:
2014-11-15T21:27:55Z:_Router.log:INFO:Modified route '02-protected.json' defined in file
'/home/matt/.openig/config/routes/02-protected.json'
2014-11-15T21:27:55Z:JwtSession.log:WARNING:Cannot rebuild JWT Session from Cookie 'openig
session'
2014-1115T21:27:55Z:JwtSession.throwable:WARNING:org.forgerock.json.jose.exceptions.JweDecryption
javax.crypto.BadPaddingException: Decryption
error:org.forgerock.json.jose.exceptions.JweDecryptionException: javax.crypto.BadPaddingEx
Decryption error
2014-11-15T21:27:56Z:JwtSession.log:WARNING:Cannot rebuild JWT Session from Cookie 'openig
session'
2014-1115T21:27:56Z:JwtSession.throwable:WARNING:org.forgerock.json.jose.exceptions.JweDecryption
javax.crypto.BadPaddingException: Decryption
error:org.forgerock.json.jose.exceptions.JweDecryptionException: javax.crypto.BadPaddingEx
Decryption error
Comment by Mark [ 16/Nov/14 ]
Does the section on Setting up keys for JWT encryption look incorrect?
I'm wondering if it's a doc problem rather than an implementation problem.
Comment by Matthew Swift [ 17/Nov/14 ]
I think the doc is fine, although it does require the hapless end-user to read it
I guessed that the problem was related to the random private key generation. However, I think the warning log m
quite unhelpful to an end-user who may think that OpenIG is malfunctioning in some way.
I'll downgrade this issue as OpenIG is behaving as expected. I do think there are some usability improvements to
addressed though:
- issue a warning message when the JWT session filter is enabled without a private key. The warning shou
user that a random key is generated and that JWT sessions will not be usable across restarts, config chang
between multiple OpenIG instances
- when a JWT session cannot be decrypted, possibly due to an invalid key, we should only log a sin
(not 2) and the message should be more meaningful, rather than some random babble about padding It
if we checked to see how the JWT session module is configured and adjust the message accordingly.
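To show the two behaviours this comment asks for, here is an added Go model (not OpenIG's code, and not from this issue) of a session store that records a startup warning when it had to generate a random key, and that returns one meaningful error when a cookie issued under another key cannot be rebuilt. It stands in for OpenIG's JWE-based session with AES-256-GCM, and the names SessionStore, NewSessionStore, Seal and Rebuild are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)
// ErrInvalidSession is the single error a failed rebuild wraps, instead of the raw padding/GCM error.
var ErrInvalidSession = errors.New("cannot rebuild JWT session from cookie")
type SessionStore struct { // models one OpenIG-like instance's encrypted session cookies
	aead    cipher.AEAD
	Warning string // set when a random key is in use; the instance should log it at startup
}
// NewSessionStore uses the configured 32-byte key, or a random one when none is configured.
func NewSessionStore(configuredKey []byte) (*SessionStore, error) {
	s, key := &SessionStore{}, configuredKey
	if key == nil {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		s.Warning = "no JWT session key configured; a random key was generated, so sessions will not survive a restart or route reconfiguration and cannot be shared between instances"
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	s.aead, err = cipher.NewGCM(block)
	return s, err
}
// Seal encrypts a session payload into a cookie value laid out as nonce || ciphertext.
func (s *SessionStore) Seal(session []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	_, err := rand.Read(nonce) // fresh nonce per cookie; any error is passed to the caller
	return s.aead.Seal(nonce, nonce, session, nil), err
}
// Rebuild decrypts a cookie; on failure it returns one error whose message says how the key was obtained.
func (s *SessionStore) Rebuild(cookie []byte) ([]byte, error) {
	if n := s.aead.NonceSize(); len(cookie) >= n {
		if pt, err := s.aead.Open(nil, cookie[:n], cookie[n:], nil); err == nil {
			return pt, nil
		}
	}
	if s.Warning != "" {
		return nil, fmt.Errorf("%w: this instance uses a random key, so the cookie was probably issued before a restart or by another instance; configure a shared key", ErrInvalidSession)
	}
	return nil, fmt.Errorf("%w: the configured key does not match the one that issued the cookie", ErrInvalidSession)
}
```

A second NewSessionStore(nil) call plays the role of a restart or a second load-balanced instance: a cookie sealed by the first fails to rebuild there with the random-key explanation, while two stores built from the same configured key are interchangeable.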
Comment by Matthew Swift [ 20/Nov/14 ]
Also ensure that invalid JWT sessions are deleted by setting the Max-Age to -1.
Comment by Peter Major [ 20/Nov/14 ]
setMaxAge(0) deletes cookie, -1 makes the cookie browser-session only:
https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setMaxAge(int)
Comment by Jean-Charles Deville [ 05/Jan/16 ]
Clean-up issues fixed before 4.0.0
Generated at Tue Feb 09 21:29:41 GMT 2016 using JIRA 6.3.9#6339sha1:46fa26140bf81c66e10e6f784903d4bfb1a521ae.