[OPENIG-379] Improve logging when JWT sessions are using random keys

Created: 15/Nov/14    Updated: 05/Jan/16    Resolved: 20/Nov/14

Status: Closed
Project: OpenIG
Component/s: Core
Affects Version/s: 3.1.0
Fix Version/s: 3.1.0
Type: Bug
Reporter: Matthew Swift
Assignee: Matthew Swift
Priority: Major
Resolution: Fixed
Labels: None
Sprint: 3.1 - QA sprint / bug fixing
Votes: 0
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Description

Steps to reproduce:

1. Start OpenIG with JWT session support enabled.
2. Perform some action (e.g. OAuth2 client auth) which causes the session to be populated.
3. Access OpenIG several times: verify that the session is re-usable.
4. Restart OpenIG.
5. Access OpenIG again: JWT session decryption fails:

2014-11-15 22:03:28.446:INFO:oejs.ServerConnector:main: Started ServerConnector@1d1a373{HTTP/1.1}{0.0.0.0:8081}
2014-11-15 22:03:28.446:INFO:oejs.Server:main: Started @5391ms
[INFO] Started Jetty Server
[INFO] Starting scanner at interval of 10 seconds.
2014-11-15T21:03:59Z:_Router.log:INFO:Added route '02-protected.json' defined in f '/home/matt/.openig/config/routes/02-protected.json'
2014-11-15T21:03:59Z:_Router.log:INFO:Added route '01-unprotected.json' defined in '/home/matt/.openig/config/routes/01-unprotected.json'
2014-11-15T21:03:59Z:JwtSession.log:WARNING:Cannot rebuild JWT Session from Cookie session'
2014-11-15T21:03:59Z:JwtSession.throwable:WARNING:org.forgerock.json.jose.exceptions.JweDecr javax.crypto.BadPaddingException: Decryption error:org.forgerock.json.jose.exceptions.JweDecryptionException: javax.crypto.BadPad Decryption error
2014-11-15T21:03:59Z:JwtSession.log:WARNING:Cannot rebuild JWT Session from Cookie session'
2014-11-15T21:03:59Z:JwtSession.throwable:WARNING:org.forgerock.json.jose.exceptions.JweDecr javax.crypto.BadPaddingException: Decryption error:org.forgerock.json.jose.exceptions.JweDecryptionException: javax.crypto.BadPad Decryption error

The problem is reproducible regardless of JDK version.

Importantly, I suspect this means that JWT sessions are not portable between OpenIG instances. In other words, they cannot be used in a load-balanced environment, which is their primary use case, hence I'm marking this as critical.

Comments

Comment by Matthew Swift [ 15/Nov/14 ]

I suspect the cause is that JWT sessions are encrypted using a key which is somehow locked to the JVM instance.

Comment by Matthew Swift [ 15/Nov/14 ]

In fact, I only need to reconfigure (restart) a route for the problem to occur:

2014-11-15T21:27:55Z:_Router.log:INFO:Modified route '02-protected.json' defined in file '/home/matt/.openig/config/routes/02-protected.json'
2014-11-15T21:27:55Z:JwtSession.log:WARNING:Cannot rebuild JWT Session from Cookie 'openig session'
2014-11-15T21:27:55Z:JwtSession.throwable:WARNING:org.forgerock.json.jose.exceptions.JweDecryption javax.crypto.BadPaddingException: Decryption error:org.forgerock.json.jose.exceptions.JweDecryptionException: javax.crypto.BadPaddingEx Decryption error
2014-11-15T21:27:56Z:JwtSession.log:WARNING:Cannot rebuild JWT Session from Cookie 'openig session'
2014-11-15T21:27:56Z:JwtSession.throwable:WARNING:org.forgerock.json.jose.exceptions.JweDecryption javax.crypto.BadPaddingException: Decryption error:org.forgerock.json.jose.exceptions.JweDecryptionException: javax.crypto.BadPaddingEx Decryption error

Comment by Mark [ 16/Nov/14 ]

Does the section on Setting up keys for JWT encryption look incorrect? I'm wondering if it's a doc problem rather than an implementation problem.

Comment by Matthew Swift [ 17/Nov/14 ]

I think the doc is fine, although it does require the hapless end-user to read it. I guessed that the problem was related to the random private key generation.
However, I think the warning log m quite unhelpful to an end-user who may think that OpenIG is malfunctioning in some way. I'll downgrade this issue as OpenIG is behaving as expected. I do think there are some usability improvements to be addressed though:

- issue a warning message when the JWT session filter is enabled without a private key. The warning shou user that a random key is generated and that JWT sessions will not be usable across restarts, config chang between multiple OpenIG instances
- when a JWT session cannot be decrypted, possibly due to an invalid key, we should only log a sin (not 2) and the message should be more meaningful, rather than some random babble about padding. It if we checked how the JWT session module is configured and adjusted the message accordingly.

Comment by Matthew Swift [ 20/Nov/14 ]

Also ensure that invalid JWT sessions are deleted by setting the Max-Age to -1.

Comment by Peter Major [ 20/Nov/14 ]

setMaxAge(0) deletes the cookie, -1 makes the cookie browser-session only: https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setMaxAge(int)

Comment by Jean-Charles Deville [ 05/Jan/16 ]

Clean-up issues fixed before 4.0.0

Generated at Tue Feb 09 21:29:41 GMT 2016 using JIRA 6.3.9#6339sha1:46fa26140bf81c66e10e6f784903d4bfb1a521ae.
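The failure mode reported in this issue and the logging behaviour requested in the comments, as an added illustration that is not OpenIG's code: it assumes JWE-style RSA key wrapping (consistent with the "random private key generation" mentioned above), and the class, method, logger and cookie names are hypothetical. A session content key wrapped under one instance's random key cannot be unwrapped after a "restart" (a second instance with its own random key); the filter warns once at start-up that such sessions will not survive restarts or be shared, logs a single meaningful line on failure instead of the raw padding error, and removes the stale cookie with Max-Age=0 rather than -1, as Peter Major notes.

```java
import javax.crypto.*;
import javax.crypto.spec.SecretKeySpec;
import java.security.*;
import java.util.Optional;
import java.util.logging.Logger;

// Hypothetical stand-in for a JWT session filter; this is not OpenIG's own JwtSession class.
public class SessionKeyDemo {
    private static final Logger LOG = Logger.getLogger("JwtSession");
    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private final KeyPair keyPair;
    private final boolean randomKey;
    // Without a configured key pair every instance, and every restart, draws its own random one.
    SessionKeyDemo(Optional<KeyPair> configured) throws GeneralSecurityException {
        randomKey = !configured.isPresent();
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        keyPair = configured.orElseGet(gen::generateKeyPair);
        if (randomKey) LOG.warning("No private key configured: using a random key, so JWT sessions will not "
                + "survive a restart or route reload and cannot be shared between OpenIG instances");
    }
    // JWE-style key management: wrap the per-session AES content-encryption key under the public key.
    byte[] wrapContentKey(SecretKey cek) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.ENCRYPT_MODE, keyPair.getPublic());
        return rsa.doFinal(cek.getEncoded());
    }
    // Unwrap with this instance's private key; on failure log one meaningful line, not the padding error.
    Optional<SecretKey> unwrapContentKey(byte[] wrapped) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.DECRYPT_MODE, keyPair.getPrivate());
        try {
            return Optional.of(new SecretKeySpec(rsa.doFinal(wrapped), "AES"));
        } catch (BadPaddingException e) { // what the log above shows as "BadPaddingException: Decryption error"
            LOG.warning(randomKey
                    ? "Cannot rebuild JWT session: it was encrypted under another instance's random key"
                    : "Cannot rebuild JWT session: the configured private key does not match the one that encrypted it");
            return Optional.empty();
        }
    }
    // Set-Cookie value that removes the stale cookie: Max-Age=0 deletes it, -1 would only make it session-scoped.
    static String expiredCookieHeader(String name) { return name + "=; Max-Age=0; Path=/; HttpOnly"; }
    public static void main(String[] args) throws Exception {
        byte[] wrapped = new SessionKeyDemo(Optional.empty()).wrapContentKey(KeyGenerator.getInstance("AES").generateKey());
        // "Restart": a fresh instance with a fresh random key cannot unwrap a session it did not create.
        boolean restored = new SessionKeyDemo(Optional.empty()).unwrapContentKey(wrapped).isPresent();
        System.out.println(restored ? "session restored" : "session lost; reply with Set-Cookie: " + expiredCookieHeader("jwt-session"));
    }
}
```

Passing the same persisted KeyPair to both constructors (the configured-key case) makes unwrapContentKey succeed across the simulated restart, which is the behaviour the documented key setup is meant to give.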