failed verification of token: Failed to read access token from JWT
Issue
got this error when integrating RHPAM 7.8.0 on OCP 4.5 to RHSSO 7.3.4.GA
[31m07:48:29,318 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-24) failed verification of token: Failed to read access token from JWT
[33m07:45:45,671 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
[33m07:45:45,671 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 6f8de9a2-f0aa-48e0-8528-385d1ac37297
[33m07:45:45,671 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: e1ba8638-980a-4370-b260-b6af8e8bc00a
[33m07:45:49,614 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
[33m07:45:49,614 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 0472188d-a6f4-46cc-87da-7a402e0ac2ad
[33m07:45:49,614 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: e1ba8638-980a-4370-b260-b6af8e8bc00a
Error in the log:
[31m07:48:29,318 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-24) failed verification of token: Failed to read access token from JWT
[33m07:45:45,671 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
[33m07:45:45,671 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 6f8de9a2-f0aa-48e0-8528-385d1ac37297
[33m07:45:45,671 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: e1ba8638-980a-4370-b260-b6af8e8bc00a
[33m07:45:49,614 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
[33m07:45:49,614 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 0472188d-a6f4-46cc-87da-7a402e0ac2ad
[33m07:45:49,614 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: e1ba8638-980a-4370-b260-b6af8e8bc00a
Custom JWT tag which is mapped to a specific ldap properties on RHSSO (notice the profile JWT tag below):
{
"jti": "8abd46d7-d5bc-4f1d-ad09-a716d8cff6ed",
"exp": 1601456544,
"nbf": 0,
"iat": 1601455644,
"iss": "https://example/auth/realms/dirty",
"aud": "account",
"sub": "ea8eae9d-d444-4511-af0c-f5d3a293812c",
"typ": "Bearer",
"azp": "bpmn",
"auth_time": 0,
"session_state": "04bcbc90-f6d8-40c7-9edb-e8d671b053f2",
"acr": "1",
"allowed-origins": [
"https://rhpam.apps.nww.example.com/"
],
"realm_access": {
"roles": [
"offline_access",
"rest-all",
"admin",
"uma_authorization",
"kie-server"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "openid email profile",
"profile": {
"id": "3322444"
},
"preferred_username": "3322444"
}
If "profile" JWT tag is removed, suddenly the errors gone and everything works well. However it is not good because that profile JWT tag is needed by other application.
After some research and working with our team we can see that something is wrong when the "profile" scope is modified adding a "nik" claim attribute. It seems that the predefined "profile" scope (predefined according to openid core spec) shouldn't be used as it is already a predefined scope.
We suggested you to create a new scope "profile1" as an example and add the "nick" claim into it and add this new scope to your request scope list. After changing "profile.nik" to "profile1.nik" on JWT claim name, the login to RHPAM worked, so it seems a valid workaround. However your customer is using this JWT in more than a dozen different apps and 20k users (it is working in all of them but RHPAM), so it is quite a lot of cost in migrating JWT "profile.nik" scope to another different scope.
Environment
- Red Hat Process Automation Manager (RHPAM)
- 7.8.0
- OCP 4.5
- RHSSO 7.3.4.GA with a custom JWT token
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.