Calling Developers!
We are reenergizing our code contribution process! Learn More

What are the Slack Archives?

It’s a history of our time together in the Slack Community! There’s a ton of knowledge in here, so feel free to search through the archives for a possible answer to your question.

Because this space is not active, you won’t be able to create a new post or comment here. If you have a question or want to start a discussion about something, head over to our categories and pick one to post in! You can always refer back to a post from Slack Archives if needed; just copy the link to use it as a reference..

Hi all, we did upgrade to release 202204 and added the `BearerTokenAuthorizationValidatorPlugin` to

Options
daniel183
daniel183 Spryker Solution Partner Posts: 13 🧑🏻‍🚀 - Cadet

Hi all,
we did upgrade to release 202204 and added the BearerTokenAuthorizationValidatorPlugin to the OauthDependencyProvider see https://github.com/spryker-shop/b2c-demo-shop/blob/master/src/Pyz/Client/Oauth/OauthDependencyProvider.php
However we’re facing an issue when trying to authenticate with the generated access token in Glue, error is “Token signature mismatch”.
After further debugging, I noticed that openssl_verify returns 0 in \Lcobucci\JWT\Signer\OpenSSL::verifySignature and openssl_error_string shows some errors with padding check failed, see image.
Has anybody an idea how to debug this further? I guess something is wrong with the signature or the token being signed incorrectly.
Thanks for your help!

Comments

  • UK7KBE2JW
    UK7KBE2JW Posts: 463 🧑🏻‍🚀 - Cadet
    Options

    you can try to set the key permissions correct and run setup:init-db

  • daniel183
    daniel183 Spryker Solution Partner Posts: 13 🧑🏻‍🚀 - Cadet
    Options

    Hi Julian,
    thanks I checked key permissions, looks alright.
    Also run the init-db command, no success.

  • UK7KBE2JW
    UK7KBE2JW Posts: 463 🧑🏻‍🚀 - Cadet
    Options

    Ok, then I have no clue, sorry.

  • daniel183
    daniel183 Spryker Solution Partner Posts: 13 🧑🏻‍🚀 - Cadet
    Options

    No worries, thanks for the help mate!

  • U01DH3E31C1
    U01DH3E31C1 Posts: 23 🧑🏻‍🚀 - Cadet
    edited December 2022
    Options

    We had the same, it is a mismatch of the certificate when signing.

  • U01DH3E31C1
    U01DH3E31C1 Posts: 23 🧑🏻‍🚀 - Cadet
    Options

    Look for $config[OauthConstants::PUBLIC_KEY_PATH] and make sure it matches $config[OauthCryptographyConstants::PUBLIC_KEY_PATH] HTH

  • daniel183
    daniel183 Spryker Solution Partner Posts: 13 🧑🏻‍🚀 - Cadet
    Options

    Hi Jens,
    thanks I’ve checked both variables and they get set with the same key coming from SPRYKER_OAUTH_KEY_PUBLIC.
    I’ve also verified the private key is set correctly and also had successful verification when using https://jwt.io/.
    It would be highly appreciated if anybody has further infos on what might cause this issue.
    Thanks a lot!

  • U02SRQ4HXH8
    U02SRQ4HXH8 Posts: 2 🧑🏻‍🚀 - Cadet
    Options

    Regarding the constants mentioned by Jens: Have you verified that \Lcobucci\JWT\Signer\OpenSSL::createSignature uses the key matching the one used in ::verifySignature? We had two keys that at first glance looked identical, but weren't.

  • daniel183
    daniel183 Spryker Solution Partner Posts: 13 🧑🏻‍🚀 - Cadet
    Options

    Hi Anne,
    as you said the wrong public key at config/Zed/dev_only_public.key has been used at verifySignature(). We missed one config update when upgrading from 202009 to 202204, which was the removal of common/config_oauth-development.php :
    https://github.com/spryker-shop/b2c-demo-shop/commit/bb2a019c12db3f9726f7a8e5dd627d14b0aeb55d#diff-4b253e7b9aa1c12fd408[…]08d4719b0885a4833d674e1L70
    Now everything works as expected, the keys from env var SPRYKER_OAUTH_KEY_PUBLIC and SPRYKER_OAUTH_KEY_PRIVATE are now used for creating and verifying the signature.
    Thanks for the help!
    Cheers,
    Daniel