oidc validation issues
Steve Herrera
sherrera at mail.bradley.edu
Thu Jun 11 21:13:55 UTC 2020
We are running Ubuntu 16.04 and Shibboleth 3.4.4. We just recently
installed the OpenID Connect extension. The issue we are having is our
vendor not being able to validate our signature. Here are the logs from the
vendor:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException:
IDX10503: Signature validation failed. Keys tried:
'Microsoft.IdentityModel.Tokens.RsaSecurityKey , KeyId: defaultRSASign
'.
Exceptions caught:
''.
token:
'{"alg":"RS256"}.{"at_hash":"MQ9mmGD21TGUZoi7upGWsA","sub":"QRTJVALNIMC5DD6AUN5UY5524AROJ6QT","aud":"tada_rp","auth_time":1591204281,"iss":"
https://logon.bradley.edu/idp/shibboleth
","exp":1591207882,"iat":1591204282,"nonce":"637268010769333171.MmVmNDFhNzgtY2I0OS00ZGMyLWE4NTQtNjRjNWJhNmI0NDMyNzU1Njg0NWEtMjlhNy00YTMyLWFiZTYtMDU3NjVlOTI0YTk1"}'.
at
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String
token, TokenValidationParameters validationParameters) in
C:\agent2\_work\15\s\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line
1009
at
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String
token, TokenValidationParameters validationParameters, SecurityToken&
validatedToken) in
C:\agent2\_work\15\s\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line
746
at
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateToken(String
idToken, AuthenticationProperties properties, TokenValidationParameters
validationParameters, JwtSecurityToken& jwt)
at
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
System.Exception: An error was encountered while handling the remote
login. --->
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException:
IDX10503: Signature validation failed. Keys tried:
'Microsoft.IdentityModel.Tokens.RsaSecurityKey , KeyId: defaultRSASign
'.
Exceptions caught:
''.
token:
'{"alg":"RS256"}.{"at_hash":"MQ9mmGD21TGUZoi7upGWsA","sub":"QRTJVALNIMC5DD6AUN5UY5524AROJ6QT","aud":"tada_rp","auth_time":1591204281,"iss":"
https://logon.bradley.edu/idp/shibboleth
","exp":1591207882,"iat":1591204282,"nonce":"637268010769333171.MmVmNDFhNzgtY2I0OS00ZGMyLWE4NTQtNjRjNWJhNmI0NDMyNzU1Njg0NWEtMjlhNy00YTMyLWFiZTYtMDU3NjVlOTI0YTk1"}'.
at
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String
token, TokenValidationParameters validationParameters) in
C:\agent2\_work\15\s\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line
1009
at
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String
token, TokenValidationParameters validationParameters, SecurityToken&
validatedToken) in
C:\agent2\_work\15\s\src\System.IdentityModel.Tokens.Jwt\JwtSecurityTokenHandler.cs:line
746
at
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateToken(String
idToken, AuthenticationProperties properties, TokenValidationParameters
validationParameters, JwtSecurityToken& jwt)
at
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
--- End of inner exception stack trace ---
at
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at
IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()
in
C:\local\identity\server4\IdentityServer4\src\Hosting\FederatedSignOut\AuthenticationRequestHandlerWrapper.cs:line
38
at
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext
context)
at
Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext
context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
in
C:\local\identity\server4\IdentityServer4\src\Hosting\BaseUrlMiddleware.cs:line
36
at
Microsoft.AspNetCore.Builder.Extensions.MapMiddleware.Invoke(HttpContext
context)
at
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext
context)
Our IDP Configuration:
Aside from the installation instructions, we added this into the
relying-party.xml:
<bean parent="RelyingPartyByName" c:relyingPartyIds="tada_rp">
    <property name="profileConfigurations">
        <list>
            <bean parent="OIDC.SSO" p:tokenEndpointAuthMethods="none" />
            <bean parent="OIDC.UserInfo"/>
            <bean parent="OAUTH2.Revocation"/>
        </list>
    </property>
</bean>
For the metadata file we have:
"scope":"openid tadaprofile",
"redirect_uris":["Redacted"],
"client_id":"tada_rp",
"client_secret":"Redacted",
"response_types":["id_token token"],
"token_endpoint_auth_method":"none",
"grant_types":["authorization_code"]
I did not see any errors in our logs. I do see the release of attributes to
the SP. I've read through the install instructions again, checked
permissions. Is there a setting that I need to turn on that I missed?
Thank you.
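The vendor log shows the failing step: an RS256 ID token whose header is exactly {"alg":"RS256"} (no "kid") checked against the single key the RP loaded from the IdP's JWKS, "defaultRSASign". The following added example (my own code, not from the Shibboleth OIDC extension, the vendor's .NET stack, or the original post) reproduces that check offline: it publishes one key as a JWK, signs a token, and verifies it against the key set, listing the keys tried exactly as IDX10503 does, so a practitioner can confirm whether the key the IdP actually signs with is the one its JWKS publishes. Issuer, audience and key id values are taken from the post; the key pairs are generated at run time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwk is the subset of an RSA JSON Web Key an RP needs for RS256 verification.
type jwk struct{ Kid, N, E string }
var b64 = base64.RawURLEncoding // JOSE base64url without padding
// toJWK publishes a public key under a key id, as the IdP's JWKS endpoint would.
func toJWK(kid string, pub *rsa.PublicKey) jwk {
	return jwk{kid, b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}
// signRS256 builds header.payload.signature; the header is exactly {"alg":"RS256"} with no "kid", as in the vendor log.
func signRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}
// verifyRS256 returns the kid of the JWKS entry that validates the token. Without a "kid" in the
// header every published key is tried; on failure the error lists the keys tried, like IDX10503.
func verifyRS256(token string, keys []jwk) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("malformed token or unexpected alg %q", hdr.Alg) // the token never picks the algorithm
	}
	sig, _ := b64.DecodeString(parts[2]) // undecodable bytes simply fail verification below
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var tried []string
	for _, k := range keys {
		n, _ := b64.DecodeString(k.N)
		e, _ := b64.DecodeString(k.E)
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return k.Kid, nil
		}
		tried = append(tried, k.Kid)
	}
	return "", fmt.Errorf("signature validation failed; keys tried: %v", tried)
}
```

Signing with a second, unpublished key pair while the JWKS still only carries "defaultRSASign" reproduces the vendor's error text, which is the situation to rule out first when the IdP's configured signing key and its published key set are maintained separately.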