Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for asymmetric algorithms such as RS256 #490

Open
nathandunn opened this issue Feb 25, 2021 · 4 comments
Open

Support for asymmetric algorithms such as RS256 #490

nathandunn opened this issue Feb 25, 2021 · 4 comments
Assignees

Comments

@nathandunn
Copy link

I tried to change the get algorithm to RS256 to match the client.

    plugin:
        springsecurity:
            rest:
                token:
                    generation:
                        jwt:
                            algorithm: "RS256"

However, it JwtService only seems to return HS256. Possibly a misconfiguration.

@nathandunn nathandunn changed the title There is no support for RS256 Added support for RS256 Feb 25, 2021
@nathandunn
Copy link
Author

With RS256:

2021-02-24 20:22:02.985 DEBUG --- [nio-8080-exec-9] g.p.s.r.o.DefaultOauthUserDetailsService : Trying to fetch user details for user profile: #Google2Profile# | id: 116054146545922085484 | attributes: {access_token=ya29.A0AfH6SMBVTLBZ8Azk0Tf3AgguCX-FA2hCMRYtdBHXFjhQAvGznYsL5MPdRZHXMx3V75E6Pt7pftWm27h-c7V8vGU_jTiCtWCXIGOSvf0CHTTAmAJYM1eFNV7rkHWr-L5EV7QoWQSZxzwuGhhrDzx3lRMV6wLi, email_verified=true, name=Nathan Dunn, locale=en, given_name=Nathan, family_name=Dunn, [email protected], picture=https://lh3.googleusercontent.com/a-/AOh14GhGuxDSELckm7dyFiMaZDjeS8klg5z9gjGGTIa3=s96-c} | roles: [] | permissions: [] | isRemembered: false | clientName: Google2Client | linkedId: null |
2021-02-24 20:22:02.987  WARN --- [nio-8080-exec-9] g.p.s.u.GormUserDetailsService           : User not found: 116054146545922085484
2021-02-24 20:22:02.987 DEBUG --- [nio-8080-exec-9] g.p.s.r.o.DefaultOauthUserDetailsService : User not found. Creating a new one with default roles: [ROLE_USER]
2021-02-24 20:22:02.987 DEBUG --- [nio-8080-exec-9] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Generating an access token with default expiration: 3600
2021-02-24 20:22:02.987 DEBUG --- [nio-8080-exec-9] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Serializing the principal received
2021-02-24 20:22:02.988 DEBUG --- [nio-8080-exec-9] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Setting expiration to 3600
2021-02-24 20:22:02.988 DEBUG --- [nio-8080-exec-9] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Generated claim set: {"principal":"H4sIAAAAAAAAAJVUS2wbRRge5+U0DSWp1Ko9UFUoVBzq9SN+JEQV9duGdR5+JTFSk2F3vLv27s4yO2uvI1HlgjiCQK2KqLggTq3EsYgb4oQqDq3ggoRAIPVEuSEeQsDMehOnoKpiJI93\/vnf\/\/fN7Ydg0iYgqhCo6bZg6Y6imYJtEc1UbCQ5RKMDgSCbChg6VBXW+N6wETnx0S\/3r5zJPT8GAiI47jDJOsFtTUcUXBAxUcIWlOKdsIQJClvDm3AWGwY2fb0Vl4AYU\/SDtQk0UB+TrnAYltsK3LOMqJcdjwu8FfhrDARbYB5KEnZMuorNvGtpBMktMDeSiVjqctEpid0gk2pQt4+qBpEJX9WRzArgZWEWVWOlgqfFDuzBsEM1PVxDdEUE0xa0bZadTMHJ4aUOTSVcozx1fs\/TNFkFr4GrYMK1Amyxtj7HVQXuR8hiXUcS1bBpLzRMA8taW+PBmf\/9Z96599b7+40xAFhPLj7ZZiQ\/mwH7d6\/8es6bQkCi4PSR1EdqK67Fspkfea4TxCN\/e2P93WsP33xlnEXmGoX\/P4+FtN+5AZuuBQmk+MiMmNv+BP9mzjNPdn4whYFQ0wxLR0UCTYrkwxAjx6zcCYL1g35TcKy6JuZ3GrV81aVgfDWcpuBUNJqMJOLReDIRTyzHYpGlRHwpzjIReCYePn1U+wAVFIwVHcWE4vDfR+qNsy\/\/+cXu9+\/NevO58DjjNZ5mLOIbfffjOWn+1ldvD40WRkZeoQc2jzDiwaUb5sfOwt2hybOPMWmMqPZ66Ifag4vX73MDi3fi5KNTLkFbrUBrMvjNZ5+f3r03DsYKYEbHUC5AiY2pDI5RlXFbxbrsWi9e9po7259m+xz7TVMwy7iEbHuH4i6jD\/hwAGPLQjqSbpeStUqmWRczraX0XjdSby+mFcXJboUK6ZiarVS3qZwpbRU66ka6V9wzt20xUVmXq63SVsVdbKYS+eQ6TVltumnEUmpISjWXesXGTqeuZelmdqtcXKv12pFsqV5PG+mXtitRVFhtpki3tElCYiLfTG3gzY1ay93rO0VVJbk9d1GvVprJvqhRcAIZDJ07PUQYXZB82BLOWCGDGWig+eV5sv\/1zT9+ZkBqgcke1B3ESEvBBOcwBcdXIVWheT7nmKzsKR1LUEfM0dyot6Inu\/rb\/O7NyO8\/jYOpMphWWb8lLCMRBL0niAw8eIpgBrkUmTYnsi+Z5tk4UEH+ecqWiGZR\/xTsQaIx6Pvo\/pstCgA\/LVAwhkzvy9sY2GcUrYfMnWHmU8PMWQltaGj6wBdPDCuZ9FpDwbwps7OBLiv8zPBlUBC0NIk6hJc565VpIio0quXbAVfIflC+Nc45N2V7L94h6zZVSi37hXBYVxd99vAHQsKMtibljsMwFE6vqdF4US06bq6WF6WukZIHBa0CW7kOqi11dSWxt6x0isV6GS5espeTIcl1vUad8UEJDkEJ3H4A\/Bfl7C37NPfGteuf3Il7b1l\/lusfWA+dRf8lpOApn+dZXWPZWu4\/A0Db8A0HAAA=","sub":"116054146545922085484","roles":["ROLE_USER"],"iss":"Spring Security REST Grails Plugin","exp":1614230522,"iat":1614226922}
2021-02-24 20:22:02.988 DEBUG --- [nio-8080-exec-9] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Generating access token...
2021-02-24 20:22:02.989 DEBUG --- [nio-8080-exec-9] g.p.s.rest.RestOauthController           : Redirecting to http://localhost:8080/auth/success?token=&error=500&message=The+%22RS256%22+algorithm+is+not+allowed+or+supported+by+the+JWS+signer%3A+Supported+algorithms%3A+%5BHS256%5D&error_description=The+%22RS256%22+algorithm+is+not+allowed+or+supported+by+the+JWS+signer%3A+Supported+algorithms%3A+%5BHS256%5D&error_code=JOSEException

If I set to HSA256:

2021-02-24 20:24:06.168 DEBUG --- [nio-8080-exec-2] g.p.s.r.o.DefaultOauthUserDetailsService : Trying to fetch user details for user profile: #Google2Profile# | id: 116054146545922085484 | attributes: {access_token=ya29.A0AfH6SMB_0ZRPW5bPJeogy2M-kv20z8WSu5yYKmHoAWGVhJhsg1s4c-z3bX7mgLNxa8iWAn86rD7MBx37eignXSAQt1gOZHTTAQlkq5vzWIaIbCj5qwbjYpwP-Dr6fsPbarWfj23VdBiThIiEvZzdkeT0MlA2, email_verified=true, name=Nathan Dunn, locale=en, given_name=Nathan, family_name=Dunn, [email protected], picture=https://lh3.googleusercontent.com/a-/AOh14GhGuxDSELckm7dyFiMaZDjeS8klg5z9gjGGTIa3=s96-c} | roles: [] | permissions: [] | isRemembered: false | clientName: Google2Client | linkedId: null |
2021-02-24 20:24:06.171  WARN --- [nio-8080-exec-2] g.p.s.u.GormUserDetailsService           : User not found: 116054146545922085484
2021-02-24 20:24:06.171 DEBUG --- [nio-8080-exec-2] g.p.s.r.o.DefaultOauthUserDetailsService : User not found. Creating a new one with default roles: [ROLE_USER]
2021-02-24 20:24:06.171 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Generating an access token with default expiration: 3600
2021-02-24 20:24:06.171 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Serializing the principal received
2021-02-24 20:24:06.171 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Setting expiration to 3600
2021-02-24 20:24:06.172 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Generated claim set: {"principal":"H4sIAAAAAAAAAJVUS2wbRRge5+U0DSWp1Ko9UFUoVBzqXduxHYeook6cOG7txI3tujVSk\/HueHfs3Z3N7Ky9jkSVC+IIArUqouKCOLUSxyJuiBOqOLSCCxICgdQT5YZ4CAEz602cgqqKkTze+ed\/\/983dx+DUYeCmEYhNhzJNlwNW5JjU2xpDlJcillPoshhEoEu06V1sVcdRI989MvDayeyLw+BUAEcdrmkREkTG4iBMwVCNdmGSqIlK4Qi2e7fyEvENIkV6C14FMS5YhCsSaGJuoS2pf2wwlYSnlXE\/OxEXOCv0F9DIFwH01BRiGuxNWItezamSK2DqYGsQJS2EB1T+A2yGIaGc1A1jCzYMJDKCxBlER4V81LB84UW7EDZZdiQy4gtFMC4DR2HZ6cycLR\/aUBLk8tMpC7uRZoWr2AbXAcjnh3ii7f1JaEqCT\/SEjEMpDBMLGemaplExU0sgnP\/uy+88+Ct93erQwDwnpx9ts1AfnIR7N6\/9uspfwohhYHjB1IfqC14Ns9meuC5QpGI\/O2t0rs3Hr\/52jCPLDRW\/v88ZjJB53p8ujakkJEDM+JuuyPimztffLbzvSn0pDI2bQPlKLQYUvdDDBzzckcoMfb6zcChjfXC8ma1vLzhMTC8JmcYOBaLpaLJRCyRSiaS8\/F4NJ1MpBM8E0lk4uMzQHUAUEkjRDNQXMr1\/wOk3jp58c8vtr5\/b9Kfz5mnGa+LNOPRwOi7H08p03e+ertvNDMw8gvds3mCEY\/O3bI+dmfu901efIpJdUC11yM\/lB+dvflQGNiiE0efnPIqdPQitEfD33z2+fGtB8NgaAVMGASqK1DhY8qDQ0zn3NaJoXr2q+f95k52x\/k+xX\/jDExyLiHH2WSkzekDPuzB+LyUiWaaq6lycXEzWt8o1ZKN0gVEtF68GGl34tGddK3sJntXL5qrJFPLXdYv6I4WcxJKZGe2cWXO1AprHkzjWsZKp2h2rrjozc4hrFlXyplLLKat11crlcwlo72d7OzU8jDfWGolt7uN1lW7W4pkaarplBqQ1pqt+OxldRFX9Dxe7tR31DaqRItGJs7AEWRydG52EOV0Qep+SwRjpUXCQQOtL0\/T3a9v\/\/EzB1IdjHag4SJOWgZGBIcZOLwGmQ6t01nX4mWPGUSBBuKOpga9Lfiy679Nb92O\/v7TMBjLg3Gd91shKiqAsP8E0Z4PzwKYQB5DliOIHEjGRTYu1FBwHnMUim0WnMIdSDGHfoDuv\/liAIjTDANDyPK\/\/I2DfULDHWRt9jMf62fOS2hCExu9QDzSr2TUbw0D05bKzyY6r4kzx5fJQNjGCnOpKHPSL9NCTKpu5O+GPGnpg\/ydYcG5Mcd\/8fZZV9MZs51XZNnQZwP2iAdCIZy2FhOOZRiRM+t6LJHTc66XLS8XlLY5p\/ZWcBHWsy1UTrcNLbkzr7VyuUoezp5z5lMRxfP8Rp0IQAn2QQm8bgj8F+X8Lfs0+8aNm5\/cS\/hvWXdS6O9Z953F\/iVk4LmA50sG5tna3j8q81RpDQcAAA==","sub":"116054146545922085484","roles":["ROLE_USER"],"iss":"Spring Security REST Grails Plugin","exp":1614230646,"iat":1614227046}
2021-02-24 20:24:06.172 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Generating access token...
2021-02-24 20:24:06.172 DEBUG --- [nio-8080-exec-2] g.p.s.r.t.g.j.AbstractJwtTokenGenerator  : Generating refresh token...

@Trinition
Copy link

The algorithm parser correctly identifies that RS256 is not an encryption algorithm, but the JwtService incorrectly assumes that every signed JWT is signed with a HMAC algorithm, which RS256 is not. Jose4J also offers an RSASSAVerifier for "RSA Signature-Scheme-with-Appendix (RSASSA)". I don't know the best way for the JwtService to inflect and choose the correct verifier.

@Trinition
Copy link

There is another issue for this seeking pull requests.

@jdaugherty jdaugherty changed the title Added support for RS256 Support for asymmetric algorithms such as RS256 Sep 27, 2024
@jdaugherty
Copy link
Contributor

Thank you @Trinition . I'll see if we can get this include in the next major release after Grails 7.

@jdaugherty jdaugherty self-assigned this Sep 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants