By Kevin Madhu, 23 Oct 2016 at 2:03 a.m. CDT

3 Responses
I've roughly gone through the SCIM-Client source and found out the structure of the request sent to the Gluu server for acquiring an AAT token. Everything works when I use `tokenRequest.getClientAssertion()` as the `client_assertion`. But when I tried to create the client assertion string by myself, client authentication fails. I'm presenting the JWT I got from the SCIM-Client and the one I made up myself using tools below:

```
JWT used as client_assertion in SCIM-Client

eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCIsImtpZCI6IjA0ZTZlYjMxLTgzYjUtNDdjMy1iYzQ0LTc0YjY2NzlmNDdiMSJ9.eyJpc3MiOiJAITJFNUEuN0FERi5GQkVGLkYyMjIhMDAwMSEzOUFFLkJBRDIhMDAwOCEzQTA1LjUzOEIiLCJzdWIiOiJAITJFNUEuN0FERi5GQkVGLkYyMjIhMDAwMSEzOUFFLkJBRDIhMDAwOCEzQTA1LjUzOEIiLCJhdWQiOiJodHRwczovL2NhbXBleC5jb20vb3hhdXRoL3NlYW0vcmVzb3VyY2UvcmVzdHYxL294YXV0aC90b2tlbiIsImp0aSI6Ijk2MDI0MjAyLTY2MTctNGZjNi04NmI4LTY5MjllNzJiZWU1ZCIsImV4cCI6MTQ3NzE5ODkzOCwiaWF0IjoxNDc3MTk4NjM4fQ.MGUCMQDuJXf241q5BJnEuYiHMClSGMo-xMhWrRf1m4mZksnaGVbzKB5EMDBjbHIG3q1wtM0CMF_lGSZYToJUTcwx2rXuK6CIfNw9Iw5cmOW1BKEmSbHAL2YOXvPYzcA7m52_mbe4EA

Header
{
  "typ": "JWT",
  "alg": "ES384",
  "kid": "04e6eb31-83b5-47c3-bc44-74b6679f47b1"
}

Payload
{
  "iss": "@!2E5A.7ADF.FBEF.F222!0001!39AE.BAD2!0008!3A05.538B",
  "sub": "@!2E5A.7ADF.FBEF.F222!0001!39AE.BAD2!0008!3A05.538B",
  "aud": "https://campex.com/oxauth/seam/resource/restv1/oxauth/token",
  "jti": "96024202-6617-4fc6-86b8-6929e72bee5d",
  "exp": 1477198938,
  "iat": 1477198638
}
```

```
JWT created using tools

eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6IjA0ZTZlYjMxLTgzYjUtNDdjMy1iYzQ0LTc0YjY2NzlmNDdiMSJ9.eyJpc3MiOiJAITJFNUEuN0FERi5GQkVGLkYyMjIhMDAwMSEzOUFFLkJBRDIhMDAwOCEzQTA1LjUzOEIiLCJzdWIiOiJAITJFNUEuN0FERi5GQkVGLkYyMjIhMDAwMSEzOUFFLkJBRDIhMDAwOCEzQTA1LjUzOEIiLCJhdWQiOiJodHRwczovL2NhbXBleC5jb20vb3hhdXRoL3NlYW0vcmVzb3VyY2UvcmVzdHYxL294YXV0aC90b2tlbiIsImp0aSI6Ijk2MDI0MjAyLTY2MTctNGZjNi04NmI4LTY5MjllNzJiZWU1ZCIsImV4cCI6MTQ3NzIwMTUwMSwiaWF0IjoxNDc3MjAxMjAxfQ.nIC6yOT2AbZHi0_rWzb6VZt446lHTiKuief_ABle8DLKptB1NgWH4rgyIy-pwkRCy-MNtDKBIh9Y4uyHApqg_QJKWiHkfD_vZir2WrzILa4xg6diMCRZCwkURz_KMno9

Header
{
  "alg": "ES384",
  "typ": "JWT",
  "kid": "04e6eb31-83b5-47c3-bc44-74b6679f47b1"
}

Payload
{
  "iss": "@!2E5A.7ADF.FBEF.F222!0001!39AE.BAD2!0008!3A05.538B",
  "sub": "@!2E5A.7ADF.FBEF.F222!0001!39AE.BAD2!0008!3A05.538B",
  "aud": "https://campex.com/oxauth/seam/resource/restv1/oxauth/token",
  "jti": "96024202-6617-4fc6-86b8-6929e72bee5d",
  "exp": 1477201501,
  "iat": 1477201201
}
```

The contents of both are identical; I can't understand how one works while the other one does not. I'm also listing out the steps I used to extract the key from scim-rp.jks below:

1) `keytool -importkeystore -srckeystore scim-rp.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias "04e6eb31-83b5-47c3-bc44-74b6679f47b1"` => destination password "secret".
2) `openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem`

Below is the code used for creating the JWT (Node.js):

```
var jwt = require('jsonwebtoken');
var fs = require('fs');

var clientId = '@!2E5A.7ADF.FBEF.F222!0001!39AE.BAD2!0008!3A05.538B';
var kid = '04e6eb31-83b5-47c3-bc44-74b6679f47b1';
var now = Math.floor(Date.now() / 1000);

// Unencrypted PEM private key exported from scim-rp.jks via keytool + openssl (step 2 above)
var privateKey = fs.readFileSync('key.pem');

var token = jwt.sign({
  iss: clientId,                 // iss and sub are both the client_id
  sub: clientId,
  aud: 'https://campex.com/oxauth/seam/resource/restv1/oxauth/token',
  // jti copied from the SCIM-Client token; it should be unique per assertion,
  // since a server may reject a jti it has already seen
  jti: '96024202-6617-4fc6-86b8-6929e72bee5d',
  exp: now + 300,                // valid for 5 minutes
  iat: now
}, privateKey, {
  algorithm: 'ES384',            // jsonwebtoken sets header.alg and signs with this
  keyid: kid                     // header.kid, so the server selects the matching JWKS key
});
console.log(token);
```

By Valentino Pecaoco, 23 Oct 2016 at 4:09 a.m. CDT

Hi Kevin,

> But when I tried to create the client assertion string by myself

Why do you need to do this? If you are trying to create a custom SCIM client, please see our UMA docs.

Thanks,
Val

By Kevin Madhu, 23 Oct 2016 at 4:49 a.m. CDT

I've seen the docs; there are 3 ways, I guess. One is using the scim-client library, which I can't because my project is not in Java. The second is using oxd-server, which I tried and failed. I see the only remaining method is this one.

By Valentino Pecaoco, 23 Oct 2016 at 6:03 a.m. CDT

It has already been done a couple of times; maybe you can try searching the tickets here. But if I'm not mistaken, I don't remember it involving manually generating a "self" JWT, though. I'll be closing this ticket, so please open a new one with the correct UMA issue context.