grails-spring-security-core
Support for asymmetric algorithms such as RS256
I tried to change the get algorithm to RS256 to match the client.
```yaml
plugin:
    springsecurity:
        rest:
            token:
                generation:
                    jwt:
                        algorithm: "RS256"
```
However, the JwtService only seems to return HS256. Possibly a misconfiguration.
With RS256:
2021-02-24 20:22:02.985 DEBUG --- [nio-8080-exec-9] g.p.s.r.o.DefaultOauthUserDetailsService : Trying to fetch user details for user profile: #Google2Profile# | id: 116054146545922085484 | attributes: {access_token=ya29.A0AfH6SMBVTLBZ8Azk0Tf3AgguCX-FA2hCMRYtdBHXFjhQAvGznYsL5MPdRZHXMx3V75E6Pt7pftWm27h-c7V8vGU_jTiCtWCXIGOSvf0CHTTAmAJYM1eFNV7rkHWr-L5EV7QoWQSZxzwuGhhrDzx3lRMV6wLi, email_verified=true, name=Nathan Dunn, locale=en, given_name=Nathan, family_name=Dunn, [email protected], picture=https://lh3.googleusercontent.com/a-/AOh14GhGuxDSELckm7dyFiMaZDjeS8klg5z9gjGGTIa3=s96-c} | roles: [] | permissions: [] | isRemembered: false | clientName: Google2Client | linkedId: null |
2021-02-24 20:22:02.987 WARN --- [nio-8080-exec-9] g.p.s.u.GormUserDetailsService : User not found: 116054146545922085484
2021-02-24 20:22:02.987 DEBUG --- [nio-8080-exec-9] g.p.s.r.o.DefaultOauthUserDetailsService : User not found. Creating a new one with default roles: [ROLE_USER]
2021-02-24 20:22:02.987 DEBUG --- [nio-8080-exec-9] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Generating an access token with default expiration: 3600
2021-02-24 20:22:02.987 DEBUG --- [nio-8080-exec-9] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Serializing the principal received
2021-02-24 20:22:02.988 DEBUG --- [nio-8080-exec-9] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Setting expiration to 3600
2021-02-24 20:22:02.988 DEBUG --- [nio-8080-exec-9] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Generated claim set: {"principal":"H4sIAAAAAAAAAJVUS2wbRRge5+U0DSWp1Ko9UFUoVBzq9SN+JEQV9duGdR5+JTFSk2F3vLv27s4yO2uvI1HlgjiCQK2KqLggTq3EsYgb4oQqDq3ggoRAIPVEuSEeQsDMehOnoKpiJI93\/vnf\/\/fN7Ydg0iYgqhCo6bZg6Y6imYJtEc1UbCQ5RKMDgSCbChg6VBXW+N6wETnx0S\/3r5zJPT8GAiI47jDJOsFtTUcUXBAxUcIWlOKdsIQJClvDm3AWGwY2fb0Vl4AYU\/SDtQk0UB+TrnAYltsK3LOMqJcdjwu8FfhrDARbYB5KEnZMuorNvGtpBMktMDeSiVjqctEpid0gk2pQt4+qBpEJX9WRzArgZWEWVWOlgqfFDuzBsEM1PVxDdEUE0xa0bZadTMHJ4aUOTSVcozx1fs\/TNFkFr4GrYMK1Amyxtj7HVQXuR8hiXUcS1bBpLzRMA8taW+PBmf\/9Z96599b7+40xAFhPLj7ZZiQ\/mwH7d6\/8es6bQkCi4PSR1EdqK67Fspkfea4TxCN\/e2P93WsP33xlnEXmGoX\/P4+FtN+5AZuuBQmk+MiMmNv+BP9mzjNPdn4whYFQ0wxLR0UCTYrkwxAjx6zcCYL1g35TcKy6JuZ3GrV81aVgfDWcpuBUNJqMJOLReDIRTyzHYpGlRHwpzjIReCYePn1U+wAVFIwVHcWE4vDfR+qNsy\/\/+cXu9+\/NevO58DjjNZ5mLOIbfffjOWn+1ldvD40WRkZeoQc2jzDiwaUb5sfOwt2hybOPMWmMqPZ66Ifag4vX73MDi3fi5KNTLkFbrUBrMvjNZ5+f3r03DsYKYEbHUC5AiY2pDI5RlXFbxbrsWi9e9po7259m+xz7TVMwy7iEbHuH4i6jD\/hwAGPLQjqSbpeStUqmWRczraX0XjdSby+mFcXJboUK6ZiarVS3qZwpbRU66ka6V9wzt20xUVmXq63SVsVdbKYS+eQ6TVltumnEUmpISjWXesXGTqeuZelmdqtcXKv12pFsqV5PG+mXtitRVFhtpki3tElCYiLfTG3gzY1ay93rO0VVJbk9d1GvVprJvqhRcAIZDJ07PUQYXZB82BLOWCGDGWig+eV5sv\/1zT9+ZkBqgcke1B3ESEvBBOcwBcdXIVWheT7nmKzsKR1LUEfM0dyot6Inu\/rb\/O7NyO8\/jYOpMphWWb8lLCMRBL0niAw8eIpgBrkUmTYnsi+Z5tk4UEH+ecqWiGZR\/xTsQaIx6Pvo\/pstCgA\/LVAwhkzvy9sY2GcUrYfMnWHmU8PMWQltaGj6wBdPDCuZ9FpDwbwps7OBLiv8zPBlUBC0NIk6hJc565VpIio0quXbAVfIflC+Nc45N2V7L94h6zZVSi37hXBYVxd99vAHQsKMtibljsMwFE6vqdF4US06bq6WF6WukZIHBa0CW7kOqi11dSWxt6x0isV6GS5espeTIcl1vUad8UEJDkEJ3H4A\/Bfl7C37NPfGteuf3Il7b1l\/lusfWA+dRf8lpOApn+dZXWPZWu4\/A0Db8A0HAAA=","sub":"116054146545922085484","roles":["ROLE_USER"],"iss":"Spring Security REST Grails Plugin","exp":1614230522,"iat":1614226922}
2021-02-24 20:22:02.988 DEBUG --- [nio-8080-exec-9] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Generating access token...
2021-02-24 20:22:02.989 DEBUG --- [nio-8080-exec-9] g.p.s.rest.RestOauthController : Redirecting to http://localhost:8080/auth/success?token=&error=500&message=The+%22RS256%22+algorithm+is+not+allowed+or+supported+by+the+JWS+signer%3A+Supported+algorithms%3A+%5BHS256%5D&error_description=The+%22RS256%22+algorithm+is+not+allowed+or+supported+by+the+JWS+signer%3A+Supported+algorithms%3A+%5BHS256%5D&error_code=JOSEException
If I set it to HS256:
2021-02-24 20:24:06.168 DEBUG --- [nio-8080-exec-2] g.p.s.r.o.DefaultOauthUserDetailsService : Trying to fetch user details for user profile: #Google2Profile# | id: 116054146545922085484 | attributes: {access_token=ya29.A0AfH6SMB_0ZRPW5bPJeogy2M-kv20z8WSu5yYKmHoAWGVhJhsg1s4c-z3bX7mgLNxa8iWAn86rD7MBx37eignXSAQt1gOZHTTAQlkq5vzWIaIbCj5qwbjYpwP-Dr6fsPbarWfj23VdBiThIiEvZzdkeT0MlA2, email_verified=true, name=Nathan Dunn, locale=en, given_name=Nathan, family_name=Dunn, [email protected], picture=https://lh3.googleusercontent.com/a-/AOh14GhGuxDSELckm7dyFiMaZDjeS8klg5z9gjGGTIa3=s96-c} | roles: [] | permissions: [] | isRemembered: false | clientName: Google2Client | linkedId: null |
2021-02-24 20:24:06.171 WARN --- [nio-8080-exec-2] g.p.s.u.GormUserDetailsService : User not found: 116054146545922085484
2021-02-24 20:24:06.171 DEBUG --- [nio-8080-exec-2] g.p.s.r.o.DefaultOauthUserDetailsService : User not found. Creating a new one with default roles: [ROLE_USER]
2021-02-24 20:24:06.171 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Generating an access token with default expiration: 3600
2021-02-24 20:24:06.171 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Serializing the principal received
2021-02-24 20:24:06.171 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Setting expiration to 3600
2021-02-24 20:24:06.172 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Generated claim set: {"principal":"H4sIAAAAAAAAAJVUS2wbRRge5+U0DSWp1Ko9UFUoVBzqXduxHYeook6cOG7txI3tujVSk\/HueHfs3Z3N7Ky9jkSVC+IIArUqouKCOLUSxyJuiBOqOLSCCxICgdQT5YZ4CAEz602cgqqKkTze+ed\/\/983dx+DUYeCmEYhNhzJNlwNW5JjU2xpDlJcillPoshhEoEu06V1sVcdRI989MvDayeyLw+BUAEcdrmkREkTG4iBMwVCNdmGSqIlK4Qi2e7fyEvENIkV6C14FMS5YhCsSaGJuoS2pf2wwlYSnlXE\/OxEXOCv0F9DIFwH01BRiGuxNWItezamSK2DqYGsQJS2EB1T+A2yGIaGc1A1jCzYMJDKCxBlER4V81LB84UW7EDZZdiQy4gtFMC4DR2HZ6cycLR\/aUBLk8tMpC7uRZoWr2AbXAcjnh3ii7f1JaEqCT\/SEjEMpDBMLGemaplExU0sgnP\/uy+88+Ct93erQwDwnpx9ts1AfnIR7N6\/9uspfwohhYHjB1IfqC14Ns9meuC5QpGI\/O2t0rs3Hr\/52jCPLDRW\/v88ZjJB53p8ujakkJEDM+JuuyPimztffLbzvSn0pDI2bQPlKLQYUvdDDBzzckcoMfb6zcChjfXC8ma1vLzhMTC8JmcYOBaLpaLJRCyRSiaS8\/F4NJ1MpBM8E0lk4uMzQHUAUEkjRDNQXMr1\/wOk3jp58c8vtr5\/b9Kfz5mnGa+LNOPRwOi7H08p03e+ertvNDMw8gvds3mCEY\/O3bI+dmfu901efIpJdUC11yM\/lB+dvflQGNiiE0efnPIqdPQitEfD33z2+fGtB8NgaAVMGASqK1DhY8qDQ0zn3NaJoXr2q+f95k52x\/k+xX\/jDExyLiHH2WSkzekDPuzB+LyUiWaaq6lycXEzWt8o1ZKN0gVEtF68GGl34tGddK3sJntXL5qrJFPLXdYv6I4WcxJKZGe2cWXO1AprHkzjWsZKp2h2rrjozc4hrFlXyplLLKat11crlcwlo72d7OzU8jDfWGolt7uN1lW7W4pkaarplBqQ1pqt+OxldRFX9Dxe7tR31DaqRItGJs7AEWRydG52EOV0Qep+SwRjpUXCQQOtL0\/T3a9v\/\/EzB1IdjHag4SJOWgZGBIcZOLwGmQ6t01nX4mWPGUSBBuKOpga9Lfiy679Nb92O\/v7TMBjLg3Gd91shKiqAsP8E0Z4PzwKYQB5DliOIHEjGRTYu1FBwHnMUim0WnMIdSDGHfoDuv\/liAIjTDANDyPK\/\/I2DfULDHWRt9jMf62fOS2hCExu9QDzSr2TUbw0D05bKzyY6r4kzx5fJQNjGCnOpKHPSL9NCTKpu5O+GPGnpg\/ydYcG5Mcd\/8fZZV9MZs51XZNnQZwP2iAdCIZy2FhOOZRiRM+t6LJHTc66XLS8XlLY5p\/ZWcBHWsy1UTrcNLbkzr7VyuUoezp5z5lMRxfP8Rp0IQAn2QQm8bgj8F+X8Lfs0+8aNm5\/cS\/hvWXdS6O9Z953F\/iVk4LmA50sG5tna3j8q81RpDQcAAA==","sub":"116054146545922085484","roles":["ROLE_USER"],"iss":"Spring Security REST Grails Plugin","exp":1614230646,"iat":1614227046}
2021-02-24 20:24:06.172 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Generating access token...
2021-02-24 20:24:06.172 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator : Generating refresh token...
The algorithm parser correctly identifies that RS256 is not an encryption algorithm, but the JwtService incorrectly assumes that every signed JWT is signed with an HMAC algorithm, which RS256 is not. Jose4J also offers an RSASSAVerifier for "RSA Signature-Scheme-with-Appendix (RSASSA)". I don't know the best way for the JwtService to inflect and choose the correct verifier.
There is another issue for this seeking pull requests.
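One way the verifier could be chosen by algorithm family, as an added illustration rather than the plugin's JwtService or any commenter's code. It assumes the `MACVerifier` and `RSASSAVerifier` classes of the Nimbus JOSE+JWT library (`com.nimbusds.*`); the class name `AlgorithmAwareJwtVerifier` and its constructor arguments are hypothetical. The verifier is selected from the configured algorithm, not from the token header, so a token cannot downgrade an RS256 deployment to HS256 by presenting the public key as the HMAC secret:

```groovy
import com.nimbusds.jose.JOSEException
import com.nimbusds.jose.JWSAlgorithm
import com.nimbusds.jose.JWSVerifier
import com.nimbusds.jose.crypto.MACVerifier
import com.nimbusds.jose.crypto.RSASSAVerifier
import com.nimbusds.jwt.SignedJWT
import java.security.interfaces.RSAPublicKey

// Hypothetical helper (not the plugin's JwtService). The configured algorithm decides
// which verifier is used; tokens whose header claims a different algorithm are rejected.
class AlgorithmAwareJwtVerifier {
    final JWSAlgorithm configuredAlgorithm   // e.g. parsed from the jwt.algorithm config value
    final String hmacSecret                  // used only for the HMAC family (HS256/384/512)
    final RSAPublicKey rsaPublicKey          // used only for the RSA family (RS256, PS256, ...)

    AlgorithmAwareJwtVerifier(String algorithmName, String hmacSecret, RSAPublicKey rsaPublicKey) {
        this.configuredAlgorithm = JWSAlgorithm.parse(algorithmName)
        this.hmacSecret = hmacSecret
        this.rsaPublicKey = rsaPublicKey
    }

    // Map an algorithm to the verifier type that can check it.
    private JWSVerifier verifierFor(JWSAlgorithm alg) throws JOSEException {
        if (JWSAlgorithm.Family.HMAC_SHA.contains(alg)) {
            return new MACVerifier(hmacSecret)          // shared-secret HMAC
        }
        if (JWSAlgorithm.Family.RSA.contains(alg)) {
            return new RSASSAVerifier(rsaPublicKey)     // RSASSA with the public key
        }
        throw new JOSEException("Unsupported JWS algorithm: ${alg}")
    }

    // Parse, pin the header algorithm to the configured one, then verify the signature.
    SignedJWT verify(String compactJwt) throws JOSEException {
        SignedJWT jwt = SignedJWT.parse(compactJwt)
        JWSAlgorithm headerAlg = jwt.header.algorithm
        if (headerAlg != configuredAlgorithm) {
            throw new JOSEException("Token alg ${headerAlg} does not match configured ${configuredAlgorithm}")
        }
        if (!jwt.verify(verifierFor(configuredAlgorithm))) {
            throw new JOSEException("JWS signature verification failed")
        }
        return jwt
    }
}
```

Token generation needs the matching signer (an HMAC secret for HS256, the RSA private key for RS256); the check above only covers the verification side that the comment discusses.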
Thank you @Trinition. I'll see if we can get this included in the next major release after Grails 7.