topic Requesting-an-access-token-with-a-jwt - SOLVED in Nuxeo Forum

Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Fri, 05 Apr 2019 10:32:58 GMT

Hi people,

According Oauth2 FLOW https://doc.nuxeo.com/nxdoc/using-oauth2/#requesting-an-access-token-with-a-jwt, I tried to get access token by testing Access Token with a JWT with my Postman but I have some exceptions server side. Here How I declared Oauth2 client serveur side :

Here is My Postman

Here is the server logs

2019-04-05T12:14:44,334 ERROR [https-jsse-nio-0.0.0.0-8443-exec-3] [nuxeo-error-log] javax.servlet.ServletException: java.lang.NullPointerException
	at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoRequestControllerFilter.doFilter(NuxeoRequestControllerFilter.java:145)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:209)
	at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:244)
	Caused by: java.lang.NullPointerException
	at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPostToken(NuxeoOAuth2Servlet.java:358)
	at org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet.doPost(NuxeoOAuth2Servlet.java:121)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)

Thanks for help

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Fri, 05 Apr 2019 12:19:16 GMT

Hi,

When in my postman I delete parameter grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', I get server side this exception : 2019-04-05T14:11:35,871 WARN [https-jsse-nio-0.0.0.0-8443-exec-7] [org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet] OAuth2 token request error: OAuth2Error(id=unsupported_grant_type, description=Unknown grant_type: got "null", expecting "authorization_code" or "refresh_token".)

It seems that this type of grant_type urn:ietf:params:oauth:grant-type:jwt-bearer describe in this https://doc.nuxeo.com/nxdoc/using-oauth2/#requesting-an-access-token-with-a-jwt is not supported in nuxeo 10.10 or not implement yet ? I see in code package org.nuxeo.ecm.platform.oauth2 theses constants

public static final String TOKEN_SERVICE = "org.nuxeo.server.token.store";
036
037    public static final String RESPONSE_TYPE_PARAM = "response_type";
038
039    public static final String CODE_RESPONSE_TYPE = "code";
040
041    public static final String SCOPE_PARAM = "scope";
042
043    public static final String STATE_PARAM = "state";
044
045    public static final String CLIENT_ID_PARAM = "client_id";
046
047    public static final String CLIENT_SECRET_PARAM = "client_secret";
048
049    public static final String REDIRECT_URI_PARAM = "redirect_uri";
050
051    public static final String REDIRECT_URL_PARAM = "redirect_url";
052
053    public static final String AUTHORIZATION_CODE_PARAM = "code";
054
055    public static final String REFRESH_TOKEN_PARAM = "refresh_token";
056
057    public static final String GRANT_TYPE_PARAM = "grant_type";
058
059    public static final String AUTHORIZATION_CODE_GRANT_TYPE = "authorization_code";
060
061    public static final String REFRESH_TOKEN_GRANT_TYPE = "refresh_token";
062
063    /** --------------------------- PKCE --------------------------- */
064    public static final String CODE_CHALLENGE_PARAM = "code_challenge";
065
066    public static final String CODE_CHALLENGE_METHOD_PARAM = "code_challenge_method";
067
068    public static final String CODE_VERIFIER_PARAM = "code_verifier";
069
070    public static final String CODE_CHALLENGE_METHOD_PLAIN = "plain";
071
072    public static final String CODE_CHALLENGE_METHOD_S256 = "S256";
073
074    public static final List<String> CODE_CHALLENGE_METHODS_SUPPORTED = Arrays.asList(CODE_CHALLENGE_METHOD_PLAIN,
075            CODE_CHALLENGE_METHOD_S256);

No assertion Thanks

Re: Requesting-an-access-token-with-a-jwt - SOLVED

Thomas_Roger — Fri, 05 Apr 2019 12:23:18 GMT

The JWT OAuth2 flow is only supported since 10.10-HF02, not before.

Re: Requesting-an-access-token-with-a-jwt - SOLVED

Kevin_Leturc — Fri, 05 Apr 2019 12:26:51 GMT

Hello,

I saw on your screenhost that the exception came from [here](https://github.com/nuxeo/nuxeo/blob/10.10/nuxeo-features/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/platform/oauth2/NuxeoOAuth2Servlet.java#L358 which means that either you don't have set the jwt secret (nuxeo.jwt.secret in nuxeo.conf) or your token is not valid.

I created NXP-27175 to improve error handling.

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Fri, 05 Apr 2019 12:29:39 GMT

Hi Thomas Roger,

I am running HF03.

Thanks

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Fri, 05 Apr 2019 12:34:25 GMT

Hi Kevin Leturc , I have this parameter in my nuxeo.conf nuxeo.jwt.secret=OTQ5YTI3MmI0ZDBmNGV....., So I don't understand why nuxeo not read it ?

Thanks

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Fri, 05 Apr 2019 12:43:05 GMT

Kevin Leturc ,

In https://github.com/nuxeo/nuxeo/blob/10.10/nuxeo-features/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/platform/oauth2/Constants.java I see :

/** @since 11.1 */
public static final String ASSERTION_PARAM = "assertion";

/** @since 11.1 */
public static final String JWT_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";

It's a confirmation that the jwt grant_type does not exist in 10.10 or HF02 ?

Re: Requesting-an-access-token-with-a-jwt - SOLVED

Kevin_Leturc — Fri, 05 Apr 2019 12:49:51 GMT

Please use comment feature instead of answer one, it's easier to follow.

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Fri, 05 Apr 2019 12:53:49 GMT

As you can see on my answer to [Thomas Roger](https

Re: Requesting-an-access-token-with-a-jwt - SOLVED

Kevin_Leturc — Fri, 05 Apr 2019 13:00:29 GMT

Ok,

Re: Requesting-an-access-token-with-a-jwt - SOLVED

Kevin_Leturc — Fri, 05 Apr 2019 13:00:33 GMT

Please read my previous comment below

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Fri, 05 Apr 2019 13:06:54 GMT

Here is TRACE of JWTServiceImpl

Re: Requesting-an-access-token-with-a-jwt - SOLVED

Kevin_Leturc — Fri, 05 Apr 2019 13:12:50 GMT

Do you generate the token with Nuxeo? Cause Nuxeo uses only HMAC512 algorithm to generate jwt tokens and regarding the error you get it's not the algorithm used in your jwt token.

Re: Requesting-an-access-token-with-a-jwt - SOLVED

Kevin_Leturc — Fri, 05 Apr 2019 13:31:00 GMT

There's no customisation on this part inside Nuxeo. We use HmacSHA512 algorithm (HS512) to generate and verify tokens, you need to generate a JWT token with this algorithm and the nuxeo issuer in the claim (iss).

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Fri, 05 Apr 2019 13:32:13 GMT

It would be interesting to add a new parameter in nuxeo.conf like nuxeo.jwt.alg = HS256 | HS384 | HS512

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Fri, 05 Apr 2019 13:33:00 GMT

My jwt use HS256 Algorithm and shared secret base64 encoded, see in https

Re: Requesting-an-access-token-with-a-jwt - SOLVED

Florent_Guillau — Fri, 05 Apr 2019 13:35:29 GMT

We see no reason to allow weaker algorithms.

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Fri, 05 Apr 2019 13:42:04 GMT

I think it's the responsibility to users to use weaker or strong algorithms. I this case, We must update all our APIS to fit in nuxeo strategy. Users can have choice to update later their app

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Mon, 15 Apr 2019 12:16:51 GMT

Hi [Kevin Leturc](https

Re: Requesting-an-access-token-with-a-jwt - SOLVED

freemann_ — Mon, 15 Apr 2019 14:50:38 GMT

Hi,