Invalid JWT Signature on OAuth OIDC Provider

EduAr · ‎12-12-2023

Hey there,

I'm attempting to retrieve data from my ServiceNow instance using a token generated by a custom identity provider. I've configured an OAuth OIDC Provider in my application, but I'm encountering this error when I make a request:

OIDC token verification failed: com.snc.platform.security.oauth.OAuthRequestProblemException: Invalid JWT Signature: com.snc.platform.security.oauth.jwt.AbstractJWTVerifier.verify(AbstractJWTVerifier.java:321)
com.snc.platform.security.oauth.oidc.OIDCJWTVerifier.verify(OIDCJWTVerifier.java:94)
com.snc.platform.security.oauth.oidc.OIDCProvider.verifyJWTToken(OIDCProvider.java:263)
com.snc.platform.security.oauth.OpenIDConnectIDTokenUserLoader.load(OpenIDConnectIDTokenUserLoader.java:48)
com.snc.platform.security.oauth.OAuthTokenHandler.load(OAuthTokenHandler.java:60)
com.glide.sys.User.loadByOAuthOauthToken(User.java:679)
com.glide.sys.User.authenticateUsingOAuthToken(User.java:586)
com.glide.sys.User.authenticateOAuthAccessToken(User.java:562)
com.glide.sys.User.authenticateOAuthAccessToken(User.java:550)
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.base/java.lang.reflect.Method.invoke(Method.java:566)
org.mozilla.javascript.MemberBox.invoke(MemberBox.java:138)
org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:300)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2652)
org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1518)
org.mozilla.javascript.Interpreter.interpret(Interpreter.java:830)
org.mozilla.javascript.InterpretedFunction.lambda$call$0(InterpretedFunction.java:160)
com.glide.caller.gen.sys_script_include_65af6200d7022100f20bc8170e6103aa_script.call(Unknown Source)
com.glide.script.ScriptCaller.call(ScriptCaller.java:22)
org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:159)
org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:597)
org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3573)
org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:157)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2734)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2657)
org.mozilla.javascript.ScriptableObject.callMethod(ScriptableObject.java:2437)
org.mozilla.javascript.ScriptableObject.callMethod(ScriptableObject.java:2409)
com.glide.script.RhinoObject.callFunction(RhinoObject.java:169)
com.glide.script.GlideRhinoObject.callFunction(GlideRhinoObject.java:156)
com.glide.script.RhinoObject.callFunction_String(RhinoObject.java:202)
com.glide.script.RhinoObject.callFunction_String(RhinoObject.java:199)
com.glide.sys.authenticate.HTTPAuthenticate.invokeScript(HTTPAuthenticate.java:224)
com.glide.sys.authenticate.HTTPAuthenticate.scriptedAuthorization(HTTPAuthenticate.java:192)
com.glide.sys.authenticate.HTTPAuthenticate.authenticate(HTTPAuthenticate.java:79)
com.glide.sys.authenticate.AuthProxy.authenticate(AuthProxy.java:36)
com.glide.sys.security.HTTPAuthorization.isAuthorized(HTTPAuthorization.java:122)
com.glide.processors.HttpAuthProfileAuthorization.isAuthProfileAuthorized(HttpAuthProfileAuthorization.java:36)
com.glide.rest.processors.RESTAPIHttpAuthorization.isAuthorized(RESTAPIHttpAuthorization.java:22)
com.glide.processors.HTTPAuthProcessor.authenticateHttpRequest(HTTPAuthProcessor.java:298)
com.glide.processors.HTTPAuthProcessor.isAuthorized(HTTPAuthProcessor.java:125)
com.glide.rest.processors.RESTAPIProcessor.isAuthorized(RESTAPIProcessor.java:288)
com.glide.processors.AProcessor.isProcessorAuthorized(AProcessor.java:845)
com.glide.processors.AProcessor.shouldContinue(AProcessor.java:531)
com.glide.processors.Processor.shouldContinue(Processor.java:100)
com.glide.processors.AProcessor.processTransaction(AProcessor.java:176)
com.glide.processors.ProcessorRegistry.process0(ProcessorRegistry.java:187)
com.glide.processors.ProcessorRegistry.process(ProcessorRegistry.java:175)
com.glide.ui.GlideServletTransaction.process(GlideServletTransaction.java:58)
com.glide.sys.Transaction.run(Transaction.java:2645)
com.glide.ui.HTTPTransaction.run(HTTPTransaction.java:30)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
java.base/java.lang.Thread.run(Thread.java:829)

AshishKM · ‎12-12-2023

Hi @EduAr

Please re-check the client secret value via unlocking the field, it should be correct one.

-Thanks,

AshishKMishra

Please mark this response as correct and helpful if it helps you can mark more that one reply as accepted solution

EduAr · ‎12-13-2023

Hi @AshishKM

Thanks for your reply. I've already double-checked, and the Client Secret is accurate. Do you have any idea what else might be causing that error?

Thanks

AshishKM · ‎12-13-2023

as you mention its customer proved , please check with provider team if both ( client ID and secret ) are correct / or if there any change at their side.

Please mark this response as correct and helpful if it helps you can mark more that one reply as accepted solution

EduAr · ‎12-14-2023

Hi @AshishKM,

Yes, both values are correct (I'm the one setting those values in both places). I believe the issue might originate elsewhere. Do you happen to know if ServiceNow by default uses the .well-known/openid-configuration/jwks endpoint to retrieve the key for decrypting the JWT Token and validating the signature? Or do I need to define it somewhere or through a custom script?

After reviewing the logs of the identity provider server, I suspect this might be the cause of the issue.

Thanks,