Search code examples
casapereo

Cipher "clientSecret" params in OAuth2 JWT Token CAS Apereo version 6.1.7

I follow this instruction to cipher "clientSecret" params in OAuth2 JWT Token with CAS Apereo 6.1 https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/

Step 1: Using CAS Shell to cipher clientSecret

root@ubuntu16:~/lam/cas-overlay-template# ./gradlew downloadShell runShell
root@ubuntu16:~/lam/cas-overlay-template# java -jar build/libs/cas-server-support-shell-6.1.7.jar
cas>encrypt-value value exampleOauthClientSecret alg PBEWithMD5AndTripleDES provider SunJCE password Vnpt@123 iterations 1000
==== Encrypted Value ====
{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==
cas>decrypt-value value {cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg== alg PBEWithMD5AndTripleDES provider SunJCE password Vnpt@123 iterations 1000

==== Decrypted Value ====
exampleOauthClientSecret

Step 2: I make service registration like this

root@ubuntu16:/etc/cas/services-repo# cat OAuthJWTService-3.json
{
    "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
    "clientId": "exampleOauthClient",
   #"clientSecret": "exampleOauthClientSecret",
    "clientSecret": "{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==",
    "serviceId" : "^https://cascore.vdc2.com.vn:9999/.*",
    "name" : "OAuthJWTService",
    "id" : 3,
    "jwtAccessToken": true,
    "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes" : [ "java.util.ArrayList", ["comdepartment","comid","lastname","usercode","userdate","useremail","userparentid","userstatus","usertel","usertype" ] ]
 },
        "properties" : {
        "@class" : "java.util.HashMap",
        "accessTokenAsJwtSigningKey" : {
            "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
            "values" : [ "java.util.HashSet", [ "CoSfJ2WweU-cWcUYSjW2PWLVLd9hIVG0xxjFFUHSUbCjkkNiwPli_WlqF9V2MHJH3SGH_4DifSYxlgs98h4snA" ] ]
  },
            "accessTokenAsJwtEncryptionKey" : {
            "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
            "values" : [ "java.util.HashSet", [ "_3gpqpSiIEjHT0xlscGvgDr0-iPIeeEeyecfFgbg_5E" ] ]
      },
      "accessTokenAsJwtSigningEnabled" : {
           "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
           "values" : [ "java.util.HashSet", [ "true" ] ]
      },
      "accessTokenAsJwtEncryptionEnabled" : {
           "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
           "values" : [ "java.util.HashSet", [ "true" ] ]
      },
      "accessTokenAsJwtCipherStrategyType" : {
          "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
           "values" : [ "java.util.HashSet", [ "SIGN_AND_ENCRYPT" ] ]
      }
   }
}

Step 3: I config CAS Apereo global like this (my global config store in MongoDB)

{"_id":{"$oid":"5f058f62ee9a446824d4adf3"},"name":"org.apereo.cas.standalone.configurationSecurity.alg","value":"PBEWithMD5AndTripleDES"}
{"_id":{"$oid":"5f058f79ee9a446824d4adf4"},"name":"org.apereo.cas.standalone.configurationSecurity.provider","value":"SunJCE"}
{"_id":{"$oid":"5f058f8aee9a446824d4adf5"},"name":"org.apereo.cas.standalone.configurationSecurity.iterations","value":"1000"}
{"_id":{"$oid":"5f058f9dee9a446824d4adf6"},"name":"org.apereo.cas.standalone.configurationSecurity.psw","value":"Vnpt@123"}

Step 4: I rebuild CAS Step 5: I call API to create JWT token like this

curl https://cascore.vdc2.com.vn:8443/cas/oauth2.0/token?grant_type=password'&'client_id=exampleOauthClient'&'client_secret=exampleOauthClientSecret'&'username=abc'&'password=Vnpt@123 | jq

But It shows this problem

{
  "@class": "java.util.LinkedHashMap",
  "timestamp": [
     "java.util.Date",
      1594370510760
   ],
  "status": 401,
  "error": "Unauthorized",
  "message": "No message available",
  "path": "/cas/oauth2.0/token"
}

I try agin with this

curl https://cascore.vdc2.com.vn:8443/cas/oauth2.0/token?grant_type=password'&'client_id=exampleOauthClient'&'client_secret={cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg=='&'username=abc'&'password=Vnpt@123 | jq

But it shows this error again

{
  "@class": "java.util.LinkedHashMap",
  "timestamp": [
     "java.util.Date",
     1594370510760
  ],
     "status": 401,
     "error": "Unauthorized",
     "message": "No message available",
     "path": "/cas/oauth2.0/token"
}

Finally, I try change param to plain text in registration file from "clientSecret": "{cas-cipher}La813rUHz0m2XM/DwqjvGtHPX+l8XtMzI80UGXH24uDMGXCqsAYFfg==", to "clientSecret": "exampleOauthClientSecret",

It works and gives me JWT token.

Please help me.

Thanks

Solution

  • I follow this instruction to cipher "clientSecret" params in OAuth2 JWT Token with CAS Apereo 6.1

    If you read the blog post at the link you shared carefully, you'll note that:

    Our starting position is based on:

    • CAS 6.2.x

    So that's probably why the instructions do not work for you.