Ask Question
« General Questions on Nuxeo

Requesting-an-access-token-with-a-jwt - SOLVED

Hi people,

According Oauth2 FLOW https://doc.nuxeo.com/nxdoc/using-oauth2/#requesting-an-access-token-with-a-jwt, I tried to get access token by testing Access Token with a JWT with my Postman but I have some exceptions server side. Here How I declared Oauth2 client serveur side : Capture d’écran 2019-04-05 à 12.25.59.png

Here is My Postman Capture d’écran 2019-04-05 à 12.19.56.png

Here is the server logs

2019-04-05T12:14:44,334 ERROR [https-jsse-nio-0.0.0.0-8443-exec-3] [nuxeo-error-log] javax.servlet.ServletException: java.lang.NullPointerException
    at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoRequestControllerFilter.doFilter(NuxeoRequestControllerFilter.java:145)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:209)
    at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:244)
    Caused by: java.lang.NullPointerException
    at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPostToken(NuxeoOAuth2Servlet.java:358)
    at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPost(NuxeoOAuth2Servlet.java:121)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)

Thanks for help

FILES:   Capture d’écran 2019-04-05 à 12.25.59.png   Capture d’écran 2019-04-05 à 12.19.56.png   Capture d’écran 2019-04-05 à 12.19.56.png   Capture d’écran 2019-04-05 à 12.25.59.png
freemann
Member (2.1K)   2   5   7 		04/05/2019 ( History)
0 votes
6 answers
4450 views
ANSWER
ANSWERS

Kevin Leturc ,

In https://github.com/nuxeo/nuxeo/blob/10.10/nuxeo-features/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/platform/oauth2/Constants.java I see :

/** @since 11.1 */
public static final String ASSERTION_PARAM = "assertion";

/** @since 11.1 */
public static final String JWT_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";

It's a confirmation that the jwt grant_type does not exist in 10.10 or HF02 ?

freemann
Member (2.1K)   2   5   7 		04/05/2019 ( History)
0 votes
Kevin Leturc
Please use comment feature instead of answer one, it's easier to follow. No this is not a confirmation, feature is present in 10.10-HF02
04/05/2019
freemann
As you can see on my answer to Thomas Roger , I am running nuxeo 10.10-HF03
04/05/2019
Kevin Leturc

Please read my previous comment below:

So your token seems to be invalid. Can you enable TRACE log on JWTServiceImpl in order to have the reason of verification failure?

Log4j2 config:

...
<Logger name="org.nuxeo.ecm.jwt.JWTServiceImpl" level="trace" />
...
04/05/2019
freemann

Here is TRACE of JWTServiceImpl :

2019-04-05T15:03:57,720 TRACE [https-jsse-nio-0.0.0.0-8443-exec-2] [org.nuxeo.ecm.jwt.JWTServiceImpl] token verification failed: com.auth0.jwt.exceptions.AlgorithmMismatchException: The provided Algorithm doesn't match the one defined in the JWT's Header.
04/05/2019
Kevin Leturc
Do you generate the token with Nuxeo? Cause Nuxeo uses only HMAC512 algorithm to generate jwt tokens and regarding the error you get it's not the algorithm used in your jwt token.

Note: the JWT issuer might be nuxeo

https://jwt.io/ might help

04/05/2019
freemann
My jwt use HS256 Algorithm and shared secret base64 encoded, see in https://jwt.io/, I generate the JWT in my main API REST and want to use the same with nuxeo.
04/05/2019
Kevin Leturc
There's no customisation on this part inside Nuxeo. We use HmacSHA512 algorithm (HS512) to generate and verify tokens, you need to generate a JWT token with this algorithm and the nuxeo issuer in the claim (iss).
04/05/2019
freemann
It would be interesting to add a new parameter in nuxeo.conf like nuxeo.jwt.alg = HS256 | HS384 | HS512
04/05/2019
Florent Guillaume
We see no reason to allow weaker algorithms.
04/05/2019
freemann
I think it's the responsibility to users to use weaker or strong algorithms. I this case, We must update all our APIS to fit in nuxeo strategy. Users can have choice to update later their app
04/05/2019
freemann
Hi Kevin Leturc , Florent Guillaume ,

I use in my main API HS512 as JWT algorithm provider, but when I use it postman to test oauth2 jwt authentication, I have this exception nuxeo side : `2019-04-15T13:50:01,575 TRACE [https-jsse-nio-0.0.0.0-8443-exec-9] [org.nuxeo.ecm.jwt.JWTServiceImpl] token verification failed: com.auth0.jwt.exceptions.SignatureVerificationException: The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA512 … Caused by: java.lang.NullPointerException

at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPostToken(NuxeoOAuth2Servlet.java:358)
at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPost(NuxeoOAuth2Servlet.java:121)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)`.

Nuxeo not read my nuxeo.jwt.secret parameter ? For information, I use library io.jsonwebtoken:jjwt to create my JWT

Thanks for help

04/15/2019
freemann
Hi,

I changed my JWT lib for com.auth0.jwt use by nuxeo and I get this error : 2019-04-15T15:58:29,821 TRACE [https-jsse-nio-0.0.0.0-8443-exec-1] [org.nuxeo.ecm.jwt.JWTServiceImpl] token verification failed: com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'iss' value doesn't match the required one..

Why Issuer is required nuxeo side ?

Thanks

04/15/2019
Florent Guillaume
Yes we could remove the check, it doesn't bring much. I created NXP-27236 for that, but it's not yet scheduled. In the meantime, please use the required nuxeo one.
04/15/2019
freemann
Hi Florent Guillaume ,
Have you an information about the solution the nuxeo issuer problem in JWT ? => https://jira.nuxeo.com/browse/NXP-27236
We passed a year and I see nothing on jira ticket.
Thanks
06/11/2020
Florent Guillaume
This has now been fixed in the master branch.
06/15/2020

Hi Kevin Leturc , I have this parameter in my nuxeo.conf nuxeo.jwt.secret=OTQ5YTI3MmI0ZDBmNGV....., So I don't understand why nuxeo not read it ?

Thanks

freemann
Member (2.1K)   2   5   7 		04/05/2019 ( History)
0 votes
Kevin Leturc

Ok, So your token seems to be invalid. Can you enable TRACE log on JWTServiceImpl in order to have the reason of verification failure?

Log4j2 config:

...
<Logger name="org.nuxeo.ecm.jwt.JWTServiceImpl" level="trace" />
...
04/05/2019

Hi Thomas Roger,

I am running HF03.

Capture d’écran 2019-04-05 à 14.27.25.png

Thanks

FILES:   Capture d’écran 2019-04-05 à 14.27.25.png
freemann
Member (2.1K)   2   5   7 		04/05/2019 ( History)
0 votes

Hello,

I saw on your screenhost that the exception came from [here](https://github.com/nuxeo/nuxeo/blob/10.10/nuxeo-features/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/platform/oauth2/NuxeoOAuth2Servlet.java#L358 which means that either you don't have set the jwt secret (nuxeo.jwt.secret in nuxeo.conf) or your token is not valid.

I created NXP-27175 to improve error handling.

Kevin Leturc
Member (2.6K)   1   3   5 		04/05/2019 ( History)
0 votes

The JWT OAuth2 flow is only supported since 10.10-HF02, not before.

Thomas Roger
Member (4.3K)   1   5   5 		04/05/2019 ( History)
0 votes

Hi,

When in my postman I delete parameter grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', I get server side this exception : 2019-04-05T14:11:35,871 WARN [https-jsse-nio-0.0.0.0-8443-exec-7] [org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet] OAuth2 token request error: OAuth2Error(id=unsupported_grant_type, description=Unknown grant_type: got "null", expecting "authorization_code" or "refresh_token".)

It seems that this type of grant_type urn:ietf:params:oauth:grant-type:jwt-bearer describe in this https://doc.nuxeo.com/nxdoc/using-oauth2/#requesting-an-access-token-with-a-jwt is not supported in nuxeo 10.10 or not implement yet ? I see in code package org.nuxeo.ecm.platform.oauth2 theses constants

public static final String TOKEN_SERVICE = "org.nuxeo.server.token.store";
036
037    public static final String RESPONSE_TYPE_PARAM = "response_type";
038
039    public static final String CODE_RESPONSE_TYPE = "code";
040
041    public static final String SCOPE_PARAM = "scope";
042
043    public static final String STATE_PARAM = "state";
044
045    public static final String CLIENT_ID_PARAM = "client_id";
046
047    public static final String CLIENT_SECRET_PARAM = "client_secret";
048
049    public static final String REDIRECT_URI_PARAM = "redirect_uri";
050
051    public static final String REDIRECT_URL_PARAM = "redirect_url";
052
053    public static final String AUTHORIZATION_CODE_PARAM = "code";
054
055    public static final String REFRESH_TOKEN_PARAM = "refresh_token";
056
057    public static final String GRANT_TYPE_PARAM = "grant_type";
058
059    public static final String AUTHORIZATION_CODE_GRANT_TYPE = "authorization_code";
060
061    public static final String REFRESH_TOKEN_GRANT_TYPE = "refresh_token";
062
063    /** --------------------------- PKCE --------------------------- */
064    public static final String CODE_CHALLENGE_PARAM = "code_challenge";
065
066    public static final String CODE_CHALLENGE_METHOD_PARAM = "code_challenge_method";
067
068    public static final String CODE_VERIFIER_PARAM = "code_verifier";
069
070    public static final String CODE_CHALLENGE_METHOD_PLAIN = "plain";
071
072    public static final String CODE_CHALLENGE_METHOD_S256 = "S256";
073
074    public static final List<String> CODE_CHALLENGE_METHODS_SUPPORTED = Arrays.asList(CODE_CHALLENGE_METHOD_PLAIN,
075            CODE_CHALLENGE_METHOD_S256);

No assertion Thanks

freemann
Member (2.1K)   2   5   7 		04/05/2019 ( History)
0 votes
Follow
Tags
Linked Questions
Related Questions
scripting automation problem : You must be administrator to use this operation
Permissions - Unable to add/remove ACL
Using OR in the query of a Page Provider
Is it possible to retrieve arrays in Repository.ResultSetPageProvider?
Error while updating the project from Nuxeo Studio
Retreive Audit Logs
NXQL 'Count' function returns java.lang.NullPointerException
I am getting unknown connection org.nuxeo.ecm.core.storage.sql.ra.ConnectionImpl@37a6bcc6 in org.nuxeo.ecm.core.storage.sql.ra.ManagedConnectionImpl@32b806ea after updating platform, any know why I am getting this error
NumberFormatException while creating a document with an image