Client token private_key_jwt request fails when keyid is uuid_enc_rsa1_5

[yurem]

Steps to reproduce:

1. Install CE with test data load (-t)
2. Update string variables in sample class with values from /install/community-edition-setup/output/test/scim-client/client/config-scim-test.properties
3. Specify in umaAatClientKeyId keyId of uuid_enc_rsa1_5 key key from client jwks
4. Specify right host in domainURL string variable
5. Run test

Error:

...
Caused by: gluu.scim2.client.exception.ScimInitializationException: HTTP 401 Unauthorized
	at gluu.scim2.client.UmaScimClient.getAuthorizedRpt(UmaScimClient.java:153)
	at gluu.scim2.client.UmaScimClient.obtainAuthorizedRpt(UmaScimClient.java:118)
...

TestRsa1_5.java.txt

[yurem]

I've added trace debug to method where we find key in client jwks.

It log next message:

2022-04-05 17:37:38,776 TRACE [qtp1836463382-14] [org.gluu.oxauth.model.crypto.AbstractCryptoProvider] (AbstractCryptoProvider.java:183) - Failed to find key:3cd67df2-21ec-4a94-a314-c31d599fcf65_enc_rsa1_5 in jwks keys:[074545a0-dc44-41cc-9605-e0423b1b3c5e_sig_rs256, 576b736c-a9fe-4704-a418-1275b5229e4e_sig_rs384, 1129b68b-1f0c-4144-b434-91e446a19645_sig_rs512, 6d8ca27a-3e36-4909-bdfa-b0433138dfe4_sig_es256, 3e163079-b0ec-45ae-a8f5-4ce59c807234_sig_es384, ccee7abf-b84f-4ad8-9bc5-41f26cfcf6f1_sig_es512, 4a079412-25e3-41a2-a7a7-d8b162c17b06_sig_ps256, 3e14f86f-2337-42ce-8d05-32d2e81581f3_sig_ps384, a6248dc7-9bd3-4095-9d09-5b0fcbd737d3_sig_ps512, 3cd67df2-21ec-4a94-a314-c31d599fcf65_enc_rsa1_5, b8bcfca0-15ef-407a-8613-db3379af7cc4_enc_rsa-oaep]

[yuriyz]

@yurem @smansoft Sounds like fallback identification of the key algorithm was removed in commit shown on screenshot below. Do you know why it was removed? In jans I can see it present. Maybe wrong merge.

[yurem]

This method returns null. This line exists in code in master branch

[yuriyz]

@yurem my bad, my IDE was not on master. Can you post jwks ? It should help understand the problem.

[yuriyz]

@jgomer2001 @yurem is it related to #1661 or not ? It is fixed.

Please give me jks file with secret if it still has to be investigated.

[yuriyz]

It will not work, uuid_enc_rsa1_5 key is encryption key. Jwks has use: enc, so when client_assertion is constructed, it is signed but server when iterating over jwks will not verify it correctly. Any kid's from jks with *_sig_* in name will work.

JWKS

Success with *_sig_rs512

[yuriyz]

Closing this ticket, scim has to use key which is marked as sig in jwks (not first in the list, if jks is generated by us, it can take any key with *_sig_* in name).