By: Roman Ott user 11 Jun 2019 at 2:15 a.m. CDT

3 Responses
I tried to restore a Gluu backup on our staging environment in AWS.

1. Install Gluu via apt-get
2. Installation with our own backed-up setup.properties
3. Restore LDAP via import from backup

Now I can log in via the oxTrust Admin GUI and browse the LDAP schema via JXplorer. All client configuration is visible and users are present. But OpenID authentication via client is not working, because id_token is missing in the response; I get only access_token and refresh_token:

    POST [TOKEN_ENDPOINT]
    grant_type=authorization_code
    &client_id=[CLIENT_ID]
    &client_secret=[CLIENT_SECRET]
    &redirect_url=https://openidconnect.net/callback
    &code=bcf8972f-19b5-4f65-8c39-c91370ca6676

    HTTP/1.1 200
    Content-Type: application/json
    {
      "access_token": "f1c46e7b-f404-4ce8-8ea9-6fd9ffafeda6",
      "token_type": "bearer",
      "expires_in": 299,
      "refresh_token": "f73f9707-2402-4c0e-a0fd-b5d52ff2bf32"
    }

    2019-06-10 21:19:10,115 INFO [qtp804611486-9] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:262) - Authentication success for Client: '@!50D2.35DC.8E35.73EE!0001!3176.2217!0008!053D.2761.DEAA.37F6'
    2019-06-10 21:19:10,122 ERROR [qtp804611486-9] [org.xdi.oxauth.model.common.AuthorizationGrant] (AuthorizationGrant.java:231) - Supplied key (null) is not a RSAPrivateKey instance
    java.security.InvalidKeyException: Supplied key (null) is not a RSAPrivateKey instance
        at org.bouncycastle.jcajce.provider.asymmetric.rsa.DigestSignatureSpi.engineInitSign(Unknown Source) ~[bcprov-jdk15on-1.54.jar:1.54.0]
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1177) ~[?:1.8.0_181]
        at java.security.Signature.initSign(Signature.java:530) ~[?:1.8.0_181]
        at org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.sign(OxAuthCryptoProvider.java:168) ~[oxauth-model-3.1.5.Final.jar:?]
        at org.xdi.oxauth.model.token.JwtSigner.sign(JwtSigner.java:85) ~[classes/:?]
        at org.xdi.oxauth.model.token.IdTokenFactory.generateSignedIdToken(IdTokenFactory.java:294) ~[classes/:?]
        at org.xdi.oxauth.model.token.IdTokenFactory.createJwr(IdTokenFactory.java:530) ~[classes/:?]
        at org.xdi.oxauth.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:89) ~[classes/:?]
        at org.xdi.oxauth.model.common.AuthorizationGrant.createIdToken(AuthorizationGrant.java:215) [classes/:?]
        at org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.requestAccessToken(TokenRestWebServiceImpl.java:202) [classes/:?]
        at org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl$Proxy$_$$_WeldClientProxy.requestAccessToken(Unknown Source) [classes/:?]
        at sun.reflect.GeneratedMethodAccessor300.invoke(Unknown Source) ~[?:?]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_181]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_181]
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.21.Final.jar:3.0.21.Final]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [servlet-api-3.1.jar:3.1.0]
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
        at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:215) [websocket-server-9.4.12.v20180830.jar:9.4.12.v20180830]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
        at org.xdi.oxauth.auth.AuthenticationFilter.processPostAuth(AuthenticationFilter.java:342) [classes/:?]
        at org.xdi.oxauth.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:115) [classes/:?]

I think there is a problem with certificates, but I don't know which certificate to update. Is it the IdP certificate?

Best regards,
Roman

By Roman Ott user 11 Jun 2019 at 9:54 a.m. CDT

Okay, question solved.

1. Generated completely new credentials for oxauth-keys.jks and oxauth-keys.json via oxauth-client.jar
2. Update via JXplorer in the LDAP schema (jwks)
3. Restart Gluu

By Surit Aryal user 18 Dec 2019 at 11:29 p.m. CST

Hi Roman,

Do you have any documents that you can provide on how you solved it? I am quite new to this and I am having the same issue as you are.

Thanks.

By Roman Ott user 28 May 2020 at 1:22 a.m. CDT

Sorry, I don't get your question. You find the described information here: https://gluu.org/docs/gluu-server/4.0/operation/replace-expired-jks-scim/

1. Log in to the
    >> sudo su
    >> service gluu-server-3.1.5 login

2. Backup Certs
    >> mkdir /home/backup/certs
    >> cp /etc/certs/*.* /home/backup/certs/

3. Get Password
Grab the password/keypass/keypasswd of your oxauth jks with:
    >> cat /install/community-edition-setup/setup.properties.last | grep -i oxauth_openid_jks_pass

4. Replace the above oxauth_openid_jks_pass in the command below and run it.
    >> /opt/jre/bin/java -Dlog4j.defaultInitOverride=true -cp "/home/jetty/lib/*" org.gluu.oxauth.util.KeyGenerator -keystore oxauth-keys.jks -keypasswd <oxauth_openid_jks_pass> -sig_keys RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 RSA1_5 -enc_keys RSA1_5 RSA-OAEP -dnname "CN=oxAuth CA Certificates" -expiration 365 > oxauth-keys.json

Depending on your version, change org.gluu.oxauth.util.KeyGenerator to org.xdi.oxauth.util.KeyGenerator.

Then get the content from oxauth-keys.json.

Then you have to use JXplorer to update it in LDAP.
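The two failure modes in this thread, a token response that carries no id_token (first post) and a JWKS whose signing keys have lapsed or no longer correspond to what the server signs with (the fix in the post above), can be caught by a small consistency check run against the published JWKS and a captured token response. The script below is an added example, not code from the thread or from Gluu. It assumes the JWKS uses the oxauth-keys.json layout with an "exp" field per key in milliseconds since the epoch (the -expiration flag above suggests such a field; its name and unit are assumptions here). The sample keys, the token responses and the id_token are constructed; the id_token carries a dummy signature and only its header is inspected, so this is a configuration check, not a signature verification.

```python
"""Consistency check between a published JWKS and a token-endpoint response.

Added example, not code from the thread or from Gluu. Assumption: each JWKS
key carries an "exp" field in milliseconds since the epoch (field name and
unit assumed). All sample data below is constructed; the id_token has a dummy
signature and only its header is read.
"""
import base64
import json

# Signing algorithms the relying party expects to see on id_tokens.
REQUIRED_SIG_ALGS = ("RS256",)

# Constructed "current time": 2019-06-10T21:19:10Z in milliseconds,
# matching the timestamp of the log excerpt in the thread.
NOW_MS = 1560201550000

# Constructed JWKS in the oxauth-keys.json layout ("exp" assumed, in ms).
SAMPLE_JWKS = {
    "keys": [
        {   # expired signing key: exp = 2019-01-01T00:00:00Z
            "kty": "RSA", "use": "sig", "alg": "RS256", "kid": "rs256-2018",
            "exp": 1546300800000, "n": "constructed-modulus-1", "e": "AQAB",
        },
        {   # current signing key: expires 365 days after NOW_MS
            "kty": "RSA", "use": "sig", "alg": "RS256", "kid": "rs256-2019",
            "exp": 1591737550000, "n": "constructed-modulus-2", "e": "AQAB",
        },
        {   # encryption key: never acceptable for signing, whatever its expiry
            "kty": "RSA", "use": "enc", "alg": "RSA-OAEP", "kid": "rsa-oaep-2019",
            "exp": 1591737550000, "n": "constructed-modulus-3", "e": "AQAB",
        },
    ]
}

# The token response from the thread: access and refresh tokens, no id_token.
RESPONSE_WITHOUT_ID_TOKEN = {
    "access_token": "f1c46e7b-f404-4ce8-8ea9-6fd9ffafeda6",
    "token_type": "bearer",
    "expires_in": 299,
    "refresh_token": "f73f9707-2402-4c0e-a0fd-b5d52ff2bf32",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_id_token(kid: str, alg: str = "RS256") -> str:
    """Build a compact JWT with a dummy signature, for header inspection only."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": alg, "kid": kid}).encode())
    payload = _b64url_encode(json.dumps({"iss": "https://idp.example", "sub": "constructed"}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWT (no signature check)."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def usable_sig_keys(jwks: dict, now_ms: int) -> dict:
    """Map kid -> alg for signing keys that have not expired."""
    usable = {}
    for key in jwks.get("keys", []):
        if key.get("use") != "sig":
            continue
        exp = key.get("exp")
        if exp is not None and exp <= now_ms:
            continue
        usable[key["kid"]] = key.get("alg")
    return usable


def check_jwks(jwks: dict, now_ms: int, required_algs=REQUIRED_SIG_ALGS) -> list:
    """Report expired signing keys and required algorithms with no usable key."""
    findings = []
    for key in jwks.get("keys", []):
        exp = key.get("exp")
        if key.get("use") == "sig" and exp is not None and exp <= now_ms:
            findings.append(f"signing key {key.get('kid')} ({key.get('alg')}) expired")
    usable = usable_sig_keys(jwks, now_ms)
    for alg in required_algs:
        if alg not in usable.values():
            findings.append(f"no unexpired signing key for {alg}; id_token signing will fail")
    return findings


def check_token_response(response: dict, jwks: dict, now_ms: int) -> list:
    """Flag a missing id_token, or an id_token whose kid/alg the JWKS cannot back."""
    id_token = response.get("id_token")
    if id_token is None:
        return ["token response carries no id_token; check the oxauth log for signing errors"]
    header = jwt_header(id_token)
    kid, alg = header.get("kid"), header.get("alg")
    usable = usable_sig_keys(jwks, now_ms)
    if kid not in usable:
        return [f"id_token kid {kid} is not an unexpired signing key in the published JWKS"]
    if usable[kid] != alg:
        return [f"id_token alg {alg} does not match JWKS alg {usable[kid]} for kid {kid}"]
    return []


if __name__ == "__main__":
    for finding in check_jwks(SAMPLE_JWKS, NOW_MS):
        print("JWKS:", finding)
    for finding in check_token_response(RESPONSE_WITHOUT_ID_TOKEN, SAMPLE_JWKS, NOW_MS):
        print("token response:", finding)
    good = dict(RESPONSE_WITHOUT_ID_TOKEN, id_token=constructed_id_token("rs256-2019"))
    print("with matching id_token:", check_token_response(good, SAMPLE_JWKS, NOW_MS))
```

Run against a real deployment, `SAMPLE_JWKS` would be replaced by the JSON served at the provider's jwks_uri and `RESPONSE_WITHOUT_ID_TOKEN` by the token endpoint's actual reply; an empty id_token together with an `InvalidKeyException` in the oxauth log, as in the first post, points at the private keystore, while a kid the JWKS cannot back points at the public side not having been updated after a key rotation.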