Invalid JWT Signature on OAuth OIDC Provider

EduAr
Tera Contributor

Hey there,

I'm attempting to retrieve data from my ServiceNow instance using a token generated by a custom identity provider. I've configured an OAuth OIDC Provider in my application, but I'm encountering this error when I make a request:

OIDC token verification failed: com.snc.platform.security.oauth.OAuthRequestProblemException: Invalid JWT Signature: com.snc.platform.security.oauth.jwt.AbstractJWTVerifier.verify(AbstractJWTVerifier.java:321)
com.snc.platform.security.oauth.oidc.OIDCJWTVerifier.verify(OIDCJWTVerifier.java:94)
com.snc.platform.security.oauth.oidc.OIDCProvider.verifyJWTToken(OIDCProvider.java:263)
com.snc.platform.security.oauth.OpenIDConnectIDTokenUserLoader.load(OpenIDConnectIDTokenUserLoader.java:48)
com.snc.platform.security.oauth.OAuthTokenHandler.load(OAuthTokenHandler.java:60)
com.glide.sys.User.loadByOAuthOauthToken(User.java:679)
com.glide.sys.User.authenticateUsingOAuthToken(User.java:586)
com.glide.sys.User.authenticateOAuthAccessToken(User.java:562)
com.glide.sys.User.authenticateOAuthAccessToken(User.java:550)
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.base/java.lang.reflect.Method.invoke(Method.java:566)
org.mozilla.javascript.MemberBox.invoke(MemberBox.java:138)
org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:300)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2652)
org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1518)
org.mozilla.javascript.Interpreter.interpret(Interpreter.java:830)
org.mozilla.javascript.InterpretedFunction.lambda$call$0(InterpretedFunction.java:160)
com.glide.caller.gen.sys_script_include_65af6200d7022100f20bc8170e6103aa_script.call(Unknown Source)
com.glide.script.ScriptCaller.call(ScriptCaller.java:22)
org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:159)
org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:597)
org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3573)
org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:157)
org.mozilla.javascript.ScriptRuntime.doCall2(ScriptRuntime.java:2734)
org.mozilla.javascript.ScriptRuntime.doCall(ScriptRuntime.java:2657)
org.mozilla.javascript.ScriptableObject.callMethod(ScriptableObject.java:2437)
org.mozilla.javascript.ScriptableObject.callMethod(ScriptableObject.java:2409)
com.glide.script.RhinoObject.callFunction(RhinoObject.java:169)
com.glide.script.GlideRhinoObject.callFunction(GlideRhinoObject.java:156)
com.glide.script.RhinoObject.callFunction_String(RhinoObject.java:202)
com.glide.script.RhinoObject.callFunction_String(RhinoObject.java:199)
com.glide.sys.authenticate.HTTPAuthenticate.invokeScript(HTTPAuthenticate.java:224)
com.glide.sys.authenticate.HTTPAuthenticate.scriptedAuthorization(HTTPAuthenticate.java:192)
com.glide.sys.authenticate.HTTPAuthenticate.authenticate(HTTPAuthenticate.java:79)
com.glide.sys.authenticate.AuthProxy.authenticate(AuthProxy.java:36)
com.glide.sys.security.HTTPAuthorization.isAuthorized(HTTPAuthorization.java:122)
com.glide.processors.HttpAuthProfileAuthorization.isAuthProfileAuthorized(HttpAuthProfileAuthorization.java:36)
com.glide.rest.processors.RESTAPIHttpAuthorization.isAuthorized(RESTAPIHttpAuthorization.java:22)
com.glide.processors.HTTPAuthProcessor.authenticateHttpRequest(HTTPAuthProcessor.java:298)
com.glide.processors.HTTPAuthProcessor.isAuthorized(HTTPAuthProcessor.java:125)
com.glide.rest.processors.RESTAPIProcessor.isAuthorized(RESTAPIProcessor.java:288)
com.glide.processors.AProcessor.isProcessorAuthorized(AProcessor.java:845)
com.glide.processors.AProcessor.shouldContinue(AProcessor.java:531)
com.glide.processors.Processor.shouldContinue(Processor.java:100)
com.glide.processors.AProcessor.processTransaction(AProcessor.java:176)
com.glide.processors.ProcessorRegistry.process0(ProcessorRegistry.java:187)
com.glide.processors.ProcessorRegistry.process(ProcessorRegistry.java:175)
com.glide.ui.GlideServletTransaction.process(GlideServletTransaction.java:58)
com.glide.sys.Transaction.run(Transaction.java:2645)
com.glide.ui.HTTPTransaction.run(HTTPTransaction.java:30)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
java.base/java.lang.Thread.run(Thread.java:829)

 


You can try another way and open a question (case) with ServiceNow support.

 


Please mark this response as correct and helpful if it helps. You can mark more than one reply as an accepted solution.

sorx14
Giga Contributor

Did you manage to get a resolution to this issue?

I'm seeing something similar

sorx14
Giga Contributor

In case this helps someone in the future...

Our IdP was misconfigured and was returning HS256 ID tokens instead of RS256. SNow will not accept HS256: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0859843

Steve179
Tera Contributor

I'm also seeing something similar here using Azure AD as the OAuth OIDC Provider. Has anyone solved this using Azure AD as the OAuth OIDC Provider? 

obrochard
Tera Contributor

Hi, 

Same trouble

oidc_provider_configuration

OIDC Provider=Azure AD
OIDC Metadata URL=https://login.microsoftonline.com/<tenant azure ad>/v2.0/.well-known/openid-configuration
User Claim=sub
User Field=Employee Number
 
oauth_oidc_entity
Name=Azure AD
Client ID={sub value}
Client Secret=***
OAuth OIDC Provider Configuration=Azure AD (cf. below)
 
*** Script: token_azure=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InhFendWRlFQa2g4MmVvNG9NTUpBeEJxdzZ4NCJ9.eyJhdWQiOiI5YjI1ZTc0MS01Y2I5LTQzMGUtYjNlZS03YjU0ZDQ0OTJlMzYiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vZDhmN2QwMGEtNDMyOC00NjM0LTlkZTEtMDY1ZDg5NTYxZGU2L3YyLjAiLCJpYXQiOjE3MzM5MzU1MTAsIm5iZiI6MTczMzkzNT
 
*** Script: Azure (include) Snow request error ; reponse http_status=401 ; http_error=Method failed: (/api/now/table/cmdb_ci_server) with code: 401 - Invalid username/password combo ; http_body{"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}: no thrown error
 
OIDC token verification failed: com.snc.platform.security.oauth.OAuthRequestProblemException: Invalid JWT Signature: com.snc.platform.security.oauth.jwt.AbstractJWTVerifier.verify(AbstractJWTVerifier.java:321)
com.snc.platform.security.oauth.oidc.OIDCJWTVerifier.verify(OIDCJWTVerifier.java:94)
com.snc.platform.security.oauth.oidc.OIDCProvider.verifyJWTToken(OIDCProvider.java:263)
com.snc.platform.security.oauth.OpenIDConnectIDTokenUserLoader.load(OpenIDConnectIDTokenUserLoader.java:48)
com.snc.platform.security.oauth.OAuthTokenHandler.load(OAuthTokenHandler.java:65)
com.glide.sys.User.loadByOAuthOauthToken(User.java:686)
com.glide.sys.User.authenticateUsingOAuthToken(User.java:593)
com.glide.sys.User.authenticateOAuthAccessToken(User.java:569)
com.glide.sys.User.authenticateOAuthAccessToken(User.java:557)
java.
 
Help !!!!!
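
Added example, not part of any post in this thread: a pre-flight check that decodes a token before it is sent to the instance and flags the HS256-instead-of-RS256 condition reported above. As general triage for the unresolved Azure AD reports (an assumption, not a confirmed cause), it also checks that the header `kid` exists in the provider's JWKS and that `iss` matches the metadata issuer. The function names, issuer, key IDs and tokens are all constructed.

```javascript
// Added example: triage a JWT before sending it to the instance.
// It only decodes the token; it does NOT verify the signature.
function b64urlJson(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// jwks: the key set published at the provider's jwks_uri.
// expectedIssuer: the "issuer" value from the OIDC metadata document.
function triageToken(token, jwks, expectedIssuer) {
  const findings = [];
  const parts = token.split('.');
  if (parts.length !== 3) return ['not a compact JWS (expected 3 segments)'];
  let header, claims;
  try {
    header = b64urlJson(parts[0]);
    claims = b64urlJson(parts[1]);
  } catch (e) {
    return ['header or payload is not base64url-encoded JSON'];
  }
  if (header.alg !== 'RS256') {
    findings.push(`alg is ${header.alg}, expected RS256`);
  }
  const key = (jwks.keys || []).find(k => k.kid === header.kid);
  if (!header.kid) findings.push('header has no kid');
  else if (!key) findings.push(`kid ${header.kid} not found in JWKS`);
  else if (key.kty !== 'RSA') findings.push(`JWKS key ${key.kid} is ${key.kty}, not RSA`);
  if (claims.iss !== expectedIssuer) {
    findings.push(`iss ${claims.iss} does not match metadata issuer`);
  }
  return findings;
}

// Constructed sample data (not taken from the thread).
const enc = o => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const mkToken = (h, c) => `${enc(h)}.${enc(c)}.c2ln`;
const ISSUER = 'https://idp.example.test/v2.0';
const JWKS = { keys: [{ kty: 'RSA', kid: 'key-2024', use: 'sig' }] };

const hsToken = mkToken({ alg: 'HS256', typ: 'JWT' }, { iss: ISSUER, sub: 'u1' });
const okToken = mkToken({ alg: 'RS256', kid: 'key-2024' }, { iss: ISSUER, sub: 'u1' });
const rotated = mkToken({ alg: 'RS256', kid: 'key-2023' }, { iss: ISSUER, sub: 'u1' });

console.log(triageToken(hsToken, JWKS, ISSUER));
console.log(triageToken(okToken, JWKS, ISSUER));
console.log(triageToken(rotated, JWKS, ISSUER));
```

An empty result means only that the header and issuer look consistent; the signature itself is still checked by the instance.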