Authentication fails in OpenAM 13.0 with an AuthId JWT Signature not valid error

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you cannot authenticate to OpenAM 13.0 and you receive an "AuthId JWT Signature not valid" error. This issue can occur when you have a multi-instance deployment or you have a single-instance deployment but have disabled caching.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following error is shown in the browser when you attempt to authenticate:

AuthId JWT Signature not valid

The following response is received when authenticating using the REST API:

{"code":400,"reason":"Bad Request","message":"AuthId JWT Signature not valid"}

The following error is shown in the Authentication debug log file:

amAuthREST:02/02/2016 09:21:02:559 AM CET: Thread[http-bio-192.162.94.74-8080-exec-1,5,main]: TransactionId[64a9e309-2739-4c68-994e-894b04cfa9f2-4875] AuthenticationService.authenticate() :: Rest Authentication Exception
org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: AuthId JWT Signature not valid
    at org.forgerock.openam.core.rest.authn.AuthIdHelper.verifyAuthId(AuthIdHelper.java:194)
    at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:152)
    at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:114)
    at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:136)
    ...

This will appear to be an intermittent issue and you will find that sometimes your authentication attempt succeeds.

Recent Changes

Upgraded to, or installed OpenAM 13.0 in a multi-instance deployment.

Added an instance to your single-instance deployment.

Disabled caching on your single-instance deployment by setting the following caching properties to false:

com.iplanet.am.sdk.caching.enabled=false
com.sun.identity.idm.cache.enabled=false
com.sun.identity.sm.cache.enabled=false

Causes

In OpenAM 13, the authentication token (authId) is signed with a shared secret that is a random key generated when OpenAM starts up. In a multi-instance deployment each instance generates its own key, and every restart produces a new one:

  • If the server where authentication takes place (AM2) is different from the server that generated the authentication token (AM1), AM2 cannot validate the token's signature and returns the "AuthId JWT Signature not valid" error.
  • If authentication takes place on the same server that generated the authentication token, it succeeds, which is why the issue appears to be intermittent.

Similarly, the shared secret value will be regenerated each time the service configuration is accessed if you have disabled caching.

Solution

This issue can be resolved by upgrading to OpenAM 13.5 or later; you can download this from BackStage.

Alternatively, this issue can be resolved by replacing the shared secret with a static value.

  1. Generate a random string that is at least 128 bits long and base64 encoded. For example, you could use the OpenDJ base64 tool to do this.
  2. Update the shared secret on one OpenAM instance using either the OpenAM console or ssoadm:
    • OpenAM console: navigate to Realms > Top Level Realm / > Authentication > Settings > Security > Organization Authentication Signing Secret and paste in the string you generated in step 1.
    • ssoadm: enter the following command, replacing [adminID], [passwordfile] and [sharedSecret] with appropriate values, where [sharedSecret] is the string you generated in step 1:
      $ ./ssoadm set-realm-svc-attrs -u [adminID] -f [passwordfile] -s iPlanetAMAuthService -e / -a iplanet-am-auth-hmac-signing-shared-secret=[sharedSecret]
  3. Restart all web application containers in which your OpenAM instances run to apply these configuration changes.
Note

It is important that the string you generate is at least 128 bits long and base64 encoded; otherwise you will encounter OPENAM-8264 (insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret').
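To make the cause and the fix concrete, the following script (an added example, not ForgeRock code) models the authId as an HS256-signed JWT: AM1 signs it and AM2 verifies it, first with separate startup-random keys as described under Causes, then with one static shared secret as in the Solution steps, and it pre-checks a candidate secret against the 128-bit base64 requirement from the Note. The claim names and the 32-byte key length are assumptions; OpenAM's actual authId contents are not shown on this page.

```python
import base64
import hashlib
import hmac
import json
import secrets

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_auth_id(key: bytes, claims: dict) -> str:
    """Issue an HS256-signed JWT (header.payload.signature) standing in for the authId."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_auth_id(key: bytes, token: str) -> bool:
    """True only if the signature was produced with this instance's key."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)

def generate_shared_secret(num_bytes: int = 32) -> str:
    """Random, standard-base64 string suitable for step 1 (32 bytes = 256 bits, an assumed size)."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode()

def secret_is_acceptable(value: str) -> bool:
    """Pre-check for OPENAM-8264: must be valid base64 and decode to at least 128 bits."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) * 8 >= 128

def simulate(shared_secret=None) -> dict:
    """AM1 issues the authId, AM2 verifies it. Without a static secret each
    instance holds its own startup-random key (the multi-instance failure mode)."""
    if shared_secret is None:
        am1_key, am2_key = secrets.token_bytes(32), secrets.token_bytes(32)
    else:
        am1_key = am2_key = base64.b64decode(shared_secret)
    # Constructed sample claims; not OpenAM's real authId layout.
    token = sign_auth_id(am1_key, {"realm": "/", "authIndex": "constructed-sample"})
    return {"same_instance": verify_auth_id(am1_key, token),
            "other_instance": verify_auth_id(am2_key, token)}
```

With no static secret, `simulate()` reports success on AM1 and failure on AM2, which is the intermittent pattern described above; with a static secret both succeed.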

See Also

Best practice for upgrading to OpenAM 13.x

OpenDJ Reference › Tools Reference › base64

Related Training

N/A

Related Issue Tracker IDs

OPENAM-8264 (insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret')

OPENAM-8269 ("AuthId JWT Signature not valid" error in multi-instance deployments on 13)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.