search cancel

Out of the box JWT authentication - Cannot get claims - Invalid Claim

book

Article ID: 202930

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

We're running a Policy Server with binaries for UBS JWT, when user
tries to login, the process fails and Policy Server reports error :

  java.lang.IllegalStateException: Cannot get claims - Invalid Claim

How can we fix this ?

 

Environment

 

Policy Server 12.8SP2 on RedHat 6

 

Cause

 

We see the Policy Server reporting an error when processing the JWT
token :

smps.log :

  [2397758/140004339746592][Wed Oct 21 2020
  22:59:32][CServer.cpp:4072][INFO][sm-Server-03550] Version: 12.8;
  Update: 02.00; Build: 1992; CR: 00;

  [2397758/140003688564480][Wed Oct 21 2020
  23:06:41][SmAuthServer.cpp:335][INFO][sm-Server-02750] Loaded
  authentication scheme JWTAuthenticationScheme. Version 1536 . CA SSO JWT
  Authentication Scheme

  [2397758/140003709544192][Wed Oct 21 2020
  23:06:41][SmAuthServer.cpp:364][INFO][sm-Server-02760] Initialized
  authentication scheme JWTAuthenticationScheme

  [2397758/140003709544192][Wed Oct 21 2020
  23:06:41][SmAuthUser.cpp:767][INFO][sm-Server-03580]
  SmJWTAuthScheme:, [Cannot get claims - Invalid Claim]

  [2397758/140003709544192][Wed Oct 21 2020
  23:06:41][SmAuthUser.cpp:767][INFO][sm-Server-03580]
  java.lang.IllegalStateException: Cannot get claims - Invalid Claim

      at com.ca.jwt.nimbus.NimbusJwtTokenParser.getClaimsSet(NimbusJwtTokenParser.java:454)
      at com.ca.sm.jwtauth.SmJWTAuthScheme.disambiguateUser(SmJWTAuthScheme.java:170)
      at com.ca.sm.jwtauth.SmJWTAuthScheme.authenticate(SmJWTAuthScheme.java:86)
      at com.netegrity.policyserver.smapi.SmAuthenticationContext.authenticate(SmAuthenticationContext.java:289)

smtracedefault.log :

  [10/21/2020][23:06:41.680][2397758][140003709544192][SmJWTAuthScheme::  
  parameters :alias=mycompanyname;SES=0;KID=0;SSL=0;PER=0;claim={user.username}]
  [][][][SmAuthUser.cpp:782][ServerTrace][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][]
  [ parameters :alias=mycompanyname;SES=0;KID=0;SSL=0;PER=0;claim={user.username}]
  [][][][][][][][][][]

  [10/21/2020][23:06:41.680][2397758][140003709544192]
  [SmJWTAuthScheme::  parsed values from from Auth Scheme template :
  {SES=0, KID=0, alias=mycompanyname, claim={user.username}, PER=0, SSL=0}][][][]
  [SmAuthUser.cpp:782][ServerTrace][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][]
  [ parsed values from from Auth Scheme template :{SES=0, KID=0, alias=mycompanyname, 
  claim={user.username}, PER=0, SSL=0}][][][][][][][][][][]

  [10/21/2020][23:06:41.680][2397758][140003709544192]
  [SmJWTAuthScheme::  Parsing JWT Request of type SIGNED][][][][SmAuthUser.cpp:782]
  [ServerTrace][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][ Parsing JWT Request of type SIGNED][][][][][][][][][][]

  [10/21/2020][23:06:41.680][2397758][140003709544192]
  [SmJWTAuthScheme::  Cert alias will be used for verification][][][]
  [SmAuthUser.cpp:782][ServerTrace][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][]
  [ Cert alias will be used for verification][][][][][][][][][][]

  [10/21/2020][23:06:41.685][2397758][140003709544192]
  [SmJWTAuthScheme::  JWT Token verified with alias mycompanyname][][][]
  [SmAuthUser.cpp:782][ServerTrace][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][]
  [ JWT Token verified with alias mycompanyname][][][][][][][][][][]

  [10/21/2020][23:06:41.686][2397758][140003709544192]
  [SmJWTAuthScheme::  JWT Token is Valid ][][][][SmAuthUser.cpp:782]
  [ServerTrace][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][ JWT Token is Valid ][][][][][][][][][][]

  [10/21/2020][23:06:41.686][2397758][140003709544192]
  [LogMessage:INFO:[sm-Server-03580] SmJWTAuthScheme:, 
  [Cannot get claims - Invalid Claim]][][][][SmAuthUser.cpp:767][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][]

  [10/21/2020][23:06:41.686][2397758][140003709544192]
  [LogMessage:INFO:[sm-Server-03580] java.lang.IllegalStateException: 
  Cannot get claims - Invalid Claim
      at com.ca.jwt.nimbus.NimbusJwtTokenParser.getClaimsSet(NimbusJwtTokenParser.java:454)
      at com.ca.sm.jwtauth.SmJWTAuthScheme.disambiguateUser(SmJWTAuthScheme.java:170)
      at com.ca.sm.jwtauth.SmJWTAuthScheme.authenticate(SmJWTAuthScheme.java:86)
      at com.netegrity.policyserver.smapi.SmAuthenticationContext.authenticate(SmAuthenticationContext.java:289)

  [10/21/2020][23:06:41.686][2397758][140003709544192]
  [** Status: Authentication Attempt Failed. ][myagent]
  [][][Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][][]
  [mydomain][myrealm]
  [][][myuserstore][][s3/r37][][][][][][][][][][][]
  [JWTAuthenticationScheme][][][][][][][][][06-0005f667-a822-1ca7-af4f-4425s55qw5a55][][]
  [][][][][][][][][][][][][][][][][][][][]

It appears that the JWT token that is in use violates the JWT RFC. The
specific offending claim in the JWT is the "sub" attribute.

Here is the JWT: 

Decoded token :
 {
  "iss": "Mycompanyname",
  "sub": 422115553133314,
  "aud": "myaudiance",
  "user": {
    "id": 422115553133314,
    "emailAddress": "[email protected]",
    "firstName": "John",
    "lastName": "Smith",
    "displayName": "John Smith",
    "company": "Mycompanyname",
    "companyId": 5058,
    "username": "[email protected]",
    "avatarUrl": "../myavatar.jpg",
    "avatarSmallUrl": "../myavatar.jpg"
  },
  "exp": 1658518851
}

Sub is 422115553133314.  

Sub's format is governed by the JWT RFC: 

   JSON Web Token (JWT)
 
     4.1.2.  "sub" (Subject) Claim

     The "sub" value is a case-sensitive string containing a StringOrURI
     value. Use of this claim is OPTIONAL.

   https://tools.ietf.org/html/rfc7519#page-9

The sub claim value must be encased in quotation marks. The sub claim
is not encased in quotation marks and the JWT parser in SiteMinder
Policy Server errors out on this.

 

Resolution

 

Raise a defect with the application/organization that has created the
JWT to fix the format of the sub claim to solve this issue.