Greetings, I was doing a prototype of using CAS 7.1.2 to act as a provider for the OAuth Token Exchange flow. In my prototype I had established a service with the client_credentials flow so that I could easily retrieve an access token to use for the subject_token.
In my first attempt I had provided a JWT token with a subject_token_type of urn:ietf:params:oauth:token-type:jwt and I received an error stating that it was an invalid ticket, like so:

2024-12-27 16:06:59,279 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <INVALID_TICKET AbstractTicketRegistry.java:getTicket:121 DirectMethodHandleAccessor.java:invoke:103 Method.java:invoke:580 AopUtils.java:invokeJoinpointUsingReflection:355

I then changed my subject token to an opaque token and was able to get the exchange to work. The next thing I tried was to supply the subject_token_type of urn:ietf:params:oauth:token-type:jwt and provide a JWT token as the subject_token. This time I bypassed the above error and encountered an issue where the CAS token validator was expecting the "nbf" claim to be on the JWT. I looked through the code and documentation and could not find any way to add the "nbf" claim into the JWT token. All of the JWT tokens I had were generated from CAS using the client_credentials grant.
2024-12-27 13:33:52,652 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <JWT missing required claims: [nbf]>
com.nimbusds.jwt.proc.BadJWTException: JWT missing required claims: [nbf]
  at com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier.verify(DefaultJWTClaimsVerifier.java:311)
  at org.apereo.cas.support.oauth.validator.token.OAuth20TokenExchangeGrantTypeTokenRequestValidator.extractRegisteredService(OAuth20TokenExchangeGrantTypeTokenRequestValidator.java:87)
  at org.apereo.cas.support.oauth.validator.token.OAuth20TokenExchangeGrantTypeTokenRequestValidator.validateInternal(OAuth20TokenExchangeGrantTypeTokenRequestValidator.java:53)
  at org.apereo.cas.support.oauth.validator.token.BaseOAuth20TokenRequestValidator.validate(BaseOAuth20TokenRequestValidator.java:72)
  at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.verifyAccessTokenRequest(OAuth20AccessTokenEndpointController.java:217)
  at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.handleRequest(OAuth20AccessTokenEndpointController.java:100)
  at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
  at java.base/java.lang.reflect.Method.invoke(Method.java:580)

From this I am ultimately trying to understand if CAS can be configured to support the token exchange grant when using JWT access tokens as the subject_token? Let me know if I can provide any additional information.
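A small client-side preflight for the failure described above, added here as an example and not code from the post or from CAS: it parses a compact JWT without verifying the signature, reports which claims a verifier like the one in the log would reject it for (nbf is taken from the log; treating sub, iat and exp as required too is this script's assumption), and builds the RFC 8693 form body that goes to the token endpoint. The sample token is constructed and unsigned.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Claims the CAS 7.1.2 token-exchange validator demanded in the log above
# ("JWT missing required claims: [nbf]"). Requiring sub/iat/exp as well is
# an assumption of this script, not documented CAS behaviour.
REQUIRED_CLAIMS = ("sub", "iat", "exp", "nbf")
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def _b64url(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Parse the claims of a compact JWS. The signature is deliberately not
    checked here; CAS verifies it server-side. This is a client preflight."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url(parts[1]))


def preflight(token: str, now=None) -> list:
    """List the reasons a claims verifier would reject this token as a
    subject_token. An empty list means the claim set looks acceptable."""
    now = int(time.time()) if now is None else now
    claims = jwt_claims(token)
    problems = [f"missing required claim: {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    if "nbf" in claims and claims["nbf"] > now:
        problems.append("token not yet valid (nbf in the future)")
    return problems


def token_exchange_form(subject_token: str, token_type: str = JWT_TOKEN_TYPE) -> str:
    """Form body of the RFC 8693 request the post sends to the CAS token endpoint."""
    return urlencode({"grant_type": TOKEN_EXCHANGE_GRANT,
                      "subject_token": subject_token,
                      "subject_token_type": token_type})


def sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token used only to exercise the preflight."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

Running preflight() on the client_credentials access token before submitting it shows whether the "nbf" gap from the log is present, without a round trip to CAS.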