Invalid JWT Signature on OAuth OIDC Provider

EduAr
Tera Contributor

Hey there,

I'm attempting to retrieve data from my ServiceNow instance using a token generated by a custom identity provider. I've configured an OAuth OIDC Provider in my application, but I'm encountering this error when I make a request:

OIDC token verification failed: com.snc.platform.security.oauth.OAuthRequestProblemException: Invalid JWT Signature: com.snc.platform.security.oauth.jwt.AbstractJWTVerifier.verify(AbstractJWTVerifier.java:321)
com.snc.platform.security.oauth.oidc.OIDCJWTVerifier.verify(OIDCJWTVerifier.java:94)
com.snc.platform.security.oauth.oidc.OIDCProvider.verifyJWTToken(OIDCProvider.java:263)
com.snc.platform.security.oauth.OpenIDConnectIDTokenUserLoader.load(OpenIDConnectIDTokenUserLoader.java:48)
com.snc.platform.security.oauth.OAuthTokenHandler.load(OAuthTokenHandler.java:60)
com.glide.sys.User.loadByOAuthOauthToken(User.java:679)
com.glide.sys.User.authenticateUsingOAuthToken(User.java:586)
com.glide.sys.User.authenticateOAuthAccessToken(User.java:562)
com.glide.sys.User.authenticateOAuthAccessToken(User.java:550)
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.base/java.lang.reflect.Method.invoke(Method.java:566)
org.mozilla.javascript.MemberBox.invoke(MemberBox.java:138)
org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:300)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2652)
org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1518)
org.mozilla.javascript.Interpreter.interpret(Interpreter.java:830)
org.mozilla.javascript.InterpretedFunction.lambda$call$0(InterpretedFunction.java:160)
com.glide.caller.gen.sys_script_include_65af6200d7022100f20bc8170e6103aa_script.call(Unknown Source)
com.glide.script.ScriptCaller.call(ScriptCaller.java:22)
org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:159)
org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:597)
org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3573)
org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:157)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2734)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2657)
org.mozilla.javascript.ScriptableObject.callMethod(ScriptableObject.java:2437)
org.mozilla.javascript.ScriptableObject.callMethod(ScriptableObject.java:2409)
com.glide.script.RhinoObject.callFunction(RhinoObject.java:169)
com.glide.script.GlideRhinoObject.callFunction(GlideRhinoObject.java:156)
com.glide.script.RhinoObject.callFunction_String(RhinoObject.java:202)
com.glide.script.RhinoObject.callFunction_String(RhinoObject.java:199)
com.glide.sys.authenticate.HTTPAuthenticate.invokeScript(HTTPAuthenticate.java:224)
com.glide.sys.authenticate.HTTPAuthenticate.scriptedAuthorization(HTTPAuthenticate.java:192)
com.glide.sys.authenticate.HTTPAuthenticate.authenticate(HTTPAuthenticate.java:79)
com.glide.sys.authenticate.AuthProxy.authenticate(AuthProxy.java:36)
com.glide.sys.security.HTTPAuthorization.isAuthorized(HTTPAuthorization.java:122)
com.glide.processors.HttpAuthProfileAuthorization.isAuthProfileAuthorized(HttpAuthProfileAuthorization.java:36)
com.glide.rest.processors.RESTAPIHttpAuthorization.isAuthorized(RESTAPIHttpAuthorization.java:22)
com.glide.processors.HTTPAuthProcessor.authenticateHttpRequest(HTTPAuthProcessor.java:298)
com.glide.processors.HTTPAuthProcessor.isAuthorized(HTTPAuthProcessor.java:125)
com.glide.rest.processors.RESTAPIProcessor.isAuthorized(RESTAPIProcessor.java:288)
com.glide.processors.AProcessor.isProcessorAuthorized(AProcessor.java:845)
com.glide.processors.AProcessor.shouldContinue(AProcessor.java:531)
com.glide.processors.Processor.shouldContinue(Processor.java:100)
com.glide.processors.AProcessor.processTransaction(AProcessor.java:176)
com.glide.processors.ProcessorRegistry.process0(ProcessorRegistry.java:187)
com.glide.processors.ProcessorRegistry.process(ProcessorRegistry.java:175)
com.glide.ui.GlideServletTransaction.process(GlideServletTransaction.java:58)
com.glide.sys.Transaction.run(Transaction.java:2645)
com.glide.ui.HTTPTransaction.run(HTTPTransaction.java:30)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
java.base/java.lang.Thread.run(Thread.java:829)

 


AshishKM
Kilo Patron

Hi @EduAr 

Please re-check the client secret value by unlocking the field; it should be the correct one.


-Thanks,

AshishKMishra


Please mark this response as correct and helpful if it helps. You can mark more than one reply as an accepted solution.

EduAr
Tera Contributor

Hi @AshishKM 

Thanks for your reply. I've already double-checked, and the Client Secret is accurate. Do you have any idea what else might be causing that error?

 

Thanks

As you mention it's customer provided, please check with the provider team whether both (client ID and secret) are correct, or if there is any change on their side.



EduAr
Tera Contributor

Hi @AshishKM,

Yes, both values are correct (I'm the one setting those values in both places). I believe the issue might originate elsewhere. Do you happen to know if ServiceNow by default uses the .well-known/openid-configuration/jwks endpoint to retrieve the key for decrypting the JWT Token and validating the signature? Or do I need to define it somewhere or through a custom script?

After reviewing the logs of the identity provider server, I suspect this might be the cause of the issue.

Thanks,
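
The question above is about checking a JWT signature against the keys an identity provider publishes at its JWKS endpoint. The following Node.js sketch is an added example, not part of the thread and not ServiceNow's code; it reproduces that check offline and reports which step fails. It assumes RS256 tokens, and the key ID `idp-key-1`, the issuer `https://idp.example`, and the keys and tokens are constructed sample values.

```javascript
const crypto = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Verify a compact RS256 JWT against a JWKS document and say why it fails.
function checkJwtSignature(token, jwks) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a compact JWS' };
  let header;
  try { header = dec(parts[0]); } catch { return { ok: false, reason: 'unreadable header' }; }
  // Pin the algorithm; never let the token pick "none" or an HMAC variant.
  if (header.alg !== 'RS256') return { ok: false, reason: `unexpected alg ${header.alg}` };
  // The header's kid selects which published key must verify the token.
  const jwk = (jwks.keys || []).find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) return { ok: false, reason: `kid ${header.kid} not in JWKS` };
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${parts[0]}.${parts[1]}`),
    key, Buffer.from(parts[2], 'base64url'));
  return valid ? { ok: true, reason: 'signature valid' }
    : { ok: false, reason: 'signature does not match published key' };
}

// Constructed sample data: throwaway keys and tokens generated locally.
function makeSample() {
  const idp = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const stale = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const sign = (kid, privateKey) => {
    const input = `${enc({ alg: 'RS256', typ: 'JWT', kid })}.${enc({ iss: 'https://idp.example', sub: 'demo' })}`;
    return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
  };
  return {
    jwks: { keys: [{ ...idp.publicKey.export({ format: 'jwk' }), kid: 'idp-key-1', use: 'sig' }] },
    good: sign('idp-key-1', idp.privateKey),
    wrongKey: sign('idp-key-1', stale.privateKey), // signer key differs from JWKS
    unknownKid: sign('rotated-key', idp.privateKey), // kid the JWKS does not list
  };
}

const sample = makeSample();
for (const name of ['good', 'wrongKey', 'unknownKid']) {
  console.log(name, checkJwtSignature(sample[name], sample.jwks));
}
```

Running the same function on a real token and the JSON served at the provider's JWKS URL separates a `kid` or algorithm mismatch from a genuinely wrong signing key.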