UMA JWT Signature Invalid in Custom SCIM-Client request to get initial AAT

By: Theodore Sands user 30 Oct 2016 at 11:39 p.m. CDT

7 Responses
Theodore Sands gravatar
Another user asked a similar question ([Kevin Madhu in ticket #3389](https://support.gluu.org/access-management/3389/difficulty-getting-access-token/)). I am creating a custom client to evaluate Gluu for what we need. In making the custom client, I dispense with Java since we are working with .NET. It's been mentioned several times that others in this support area have created custom clients yet those issues don't seem to be coming up with searches. Similar to #3389, I had to extract the private key from the JKS file in order to consume it in my client. Then, I had to create the classes that represent the JWT that will be constructed, signed, and sent to the UMA Token Endpoint in order to retrieve an AAT. I was able to correctly create the JWT and encode it. I signed it and then tried to get an AAT from the UMA Token Endpoint. The exception from the oxauth.log was: ``` Caused by: org.xdi.oxauth.model.exception.InvalidJwtException: Invalid cryptographic segment at org.xdi.oxauth.model.token.ClientAssertion.load(ClientAssertion.java:121) at org.xdi.oxauth.model.token.ClientAssertion.<init>(ClientAssertion.java:43) ... 31 more ``` I noted that the extracted private key has a ECDSA signatue algorithm which seems to be different than the RS256 the SCIM-Client appears to expect. Can you give me any further direction or at least ask a question to guide my inquiries further?
U1404
closed

Answers

By Michael Schwartz Account Admin 31 Oct 2016 at 12:37 a.m. CDT

Copy
Michael Schwartz gravatar
This is a tough question. I remember that there were differences with .Net crypto libraries perhaps because of differences with newlines. I'll ask our C# developer to look at it. But to be honest, I'd really recommend using our oxd C# client library. Using this strategy, youw would run the oxd mediator (which is java). Then the C# program calls the API's of oxd. I think this is preferable because you don't have to drive yourself crazy with crypto stuff. oxd is licensed... it will be approximately $100 per server per year. It also has API's for UMA and GAT tokens. We can send you a demo license if you want to give it a try.

By Theodore Sands user 31 Oct 2016 at 7:06 a.m. CDT

Copy
Theodore Sands gravatar
Sure I'll try it. How do I get at it?

By Michael Schwartz Account Admin 01 Nov 2016 at 6:45 p.m. CDT

Copy
Michael Schwartz gravatar
Nuget package too: [https://www.nuget.org/packages/Gluu.Oxd.OxdCSharp/1.0.2](https://www.nuget.org/packages/Gluu.Oxd.OxdCSharp/1.0.2?)

By Theodore Sands user 01 Nov 2016 at 11:59 p.m. CDT

Copy
Theodore Sands gravatar
Got it. I am looking through the available classes to see how I would send a request to my Gluu server to get the initial AAT in the UMA flow. Can you give me a hint? Or, am I missing something and I need to start a separate service that runs on some port as a mediator? On another note, how can I increase what gets logged into oxauth.log? I would like, if possible, to see the JWT whose signature is being validated.

By Theodore Sands user 06 Nov 2016 at 10:30 p.m. CST

Copy
Theodore Sands gravatar
I have another detail. But, it deserves another ticket: getting "invalid cryptographic segment" in the oxauth.log when I use the SCIM-Client from GluuFederation.

By Aliaksandr Samuseu staff 12 Nov 2016 at 1:16 p.m. CST

Copy
Aliaksandr Samuseu gravatar
Hi, Theodore. Do you still need this one to stay open?

By Theodore Sands user 13 Nov 2016 at 11:29 p.m. CST

Copy
Theodore Sands gravatar
This one can be closed. I am not using the C# client library right now. I am upgrading to 2.4.4, starting with the SCIM in test mode using the long-lived OAuth2 token. When we get the signing of the JWT for the initial AAT figured out, we'll move to the UMA endpoints using C#. I'll eventually pass along my solution for those that might want to do this in my wake.

Post an answer