failed verification of token: Failed to read access token from JWT

Solution In Progress - Updated -

Issue

got this error when integrating RHPAM 7.8.0 on OCP 4.5 to RHSSO 7.3.4.GA

[31m07:48:29,318 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-24) failed verification of token: Failed to read access token from JWT
[33m07:45:45,671 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
[33m07:45:45,671 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 6f8de9a2-f0aa-48e0-8528-385d1ac37297
[33m07:45:45,671 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: e1ba8638-980a-4370-b260-b6af8e8bc00a
[33m07:45:49,614 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
[33m07:45:49,614 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 0472188d-a6f4-46cc-87da-7a402e0ac2ad
[33m07:45:49,614 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: e1ba8638-980a-4370-b260-b6af8e8bc00a

Error in the log:

[31m07:48:29,318 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-24) failed verification of token: Failed to read access token from JWT
[33m07:45:45,671 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
[33m07:45:45,671 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 6f8de9a2-f0aa-48e0-8528-385d1ac37297
[33m07:45:45,671 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: e1ba8638-980a-4370-b260-b6af8e8bc00a
[33m07:45:49,614 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
[33m07:45:49,614 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 0472188d-a6f4-46cc-87da-7a402e0ac2ad
[33m07:45:49,614 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: e1ba8638-980a-4370-b260-b6af8e8bc00a

Custom JWT tag which is mapped to a specific ldap properties on RHSSO (notice the profile JWT tag below):

{
  "jti": "8abd46d7-d5bc-4f1d-ad09-a716d8cff6ed",
  "exp": 1601456544,
  "nbf": 0,
  "iat": 1601455644,
  "iss": "https://example/auth/realms/dirty",
  "aud": "account",
  "sub": "ea8eae9d-d444-4511-af0c-f5d3a293812c",
  "typ": "Bearer",
  "azp": "bpmn",
  "auth_time": 0,
  "session_state": "04bcbc90-f6d8-40c7-9edb-e8d671b053f2",
  "acr": "1",
  "allowed-origins": [
    "https://rhpam.apps.nww.example.com/"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "rest-all",
      "admin",
      "uma_authorization",
      "kie-server"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "profile": {
    "id": "3322444"
  },
  "preferred_username": "3322444"
}

If "profile" JWT tag is removed, suddenly the errors gone and everything works well. However it is not good because that profile JWT tag is needed by other application.


After some research and working with our team we can see that something is wrong when the "profile" scope is modified adding a "nik" claim attribute. It seems that the predefined "profile" scope (predefined according to openid core spec) shouldn't be used as it is already a predefined scope.

We suggested you to create a new scope "profile1" as an example and add the "nick" claim into it and add this new scope to your request scope list. After changing "profile.nik" to "profile1.nik" on JWT claim name, the login to RHPAM worked, so it seems a valid workaround. However your customer is using this JWT in more than a dozen different apps and 20k users (it is working in all of them but RHPAM), so it is quite a lot of cost in migrating JWT "profile.nik" scope to another different scope.

Environment

  • Red Hat Process Automation Manager (RHPAM)
    • 7.8.0
  • OCP 4.5
  • RHSSO 7.3.4.GA with a custom JWT token

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content