We use the S4HANA Cloud SDK and have a service deployed to the SAP Cloud Platform, Cloud Foundry environment.
The service is bound to the Cloud Foundry UAA. Authentication is performed using the @sap/approuter, which then forwards the JWT token in the Authorization Header.
It works fine most of the time, but it appears that after a random period the token validation is failing:
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT java.lang.IllegalStateException: Cannot set token verification key
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at com.sap.xs2.security.commons.SAPOfflineTokenServices.loadAuthentication(SAPOfflineTokenServices.java:110) ~[security-commons-0.22.2.jar!/:na]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at com.sap.xs2.security.commons.SAPOfflineTokenServicesCloud.loadAuthentication(SAPOfflineTokenServicesCloud.java:29) ~[security-commons-0.22.2.jar!/:na]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager.authenticate(OAuth2AuthenticationManager.java:83) ~[spring-security-oauth2-2.0.14.RELEASE.jar!/:na]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:150) ~[spring-security-oauth2-2.0.14.RELEASE.jar!/:na]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.7.RELEASE.jar!/:5.0.7.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-5.0.7.RELEASE.jar!/:5.0.7.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.7.RELEASE.jar!/:5.0.7.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.7.RELEASE.jar!/:5.0.7.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.0.7.RELEASE.jar!/:5.0.7.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.7.RELEASE.jar!/:5.0.7.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101) ~[spring-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.7.RELEASE.jar!/:5.0.7.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.0.7.RELEASE.jar!/:5.0.7.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.0.7.RELEASE.jar!/:5.0.7.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) ~[spring-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) ~[spring-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.32.jar!/:8.5.32]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.32.jar!/:8.5.32]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728) [tomcat-embed-core-8.5.32.jar!/:8.5.32]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:472) [tomcat-embed-core-8.5.32.jar!/:8.5.32]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:395) [tomcat-embed-core-8.5.32.jar!/:8.5.32]
As is visible in the call stack, we are using com.sap.xs2.security 0.22.2 and com.sap.security.nw.sso.linuxx86_64.opt 1.0.0 for the token validation.
Any idea what might be causing this issue?
This seems like an issue in the underlying JWT validation library when it tries to load the public key. Can you try to update com.sap.xs2.security:security-commons to the latest available version? The SDK references version 0.28.6 in version 2.3.1 of its bill-of-materials POM.
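Added example, not part of either post: a triage script for the log format shown in the question. It pairs each exception with its top stack frame, counts failures per app instance, and flags a throwing jar older than the version named in the answer. The second log event is constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# First event is taken from the question's log; the second event is constructed.
SAMPLE_LOG = """\
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT java.lang.IllegalStateException: Cannot set token verification key
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at com.sap.xs2.security.commons.SAPOfflineTokenServices.loadAuthentication(SAPOfflineTokenServices.java:110) ~[security-commons-0.22.2.jar!/:na]
2018-08-20T11:40:18.96+0300 [APP/PROC/WEB/0] OUT at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager.authenticate(OAuth2AuthenticationManager.java:83) ~[spring-security-oauth2-2.0.14.RELEASE.jar!/:na]
2018-08-20T11:52:03.10+0300 [APP/PROC/WEB/1] OUT java.lang.IllegalStateException: Cannot set token verification key
2018-08-20T11:52:03.10+0300 [APP/PROC/WEB/1] OUT at com.sap.xs2.security.commons.SAPOfflineTokenServices.loadAuthentication(SAPOfflineTokenServices.java:110) ~[security-commons-0.22.2.jar!/:na]
"""

LINE = re.compile(r"^(\S+) \[APP/PROC/WEB/(\d+)\] OUT (.*)$")
EXC = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")
FRAME = re.compile(r"^at ([\w.$<>]+)\(.*?\) ~?\[(.+?)-(\d[\w.]*)\.jar!")
RECOMMENDED = ("security-commons", "0.28.6")  # version named in the answer


def as_tuple(version):
    """'0.22.2' -> (0, 22, 2); non-numeric parts such as RELEASE are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def failures(log):
    """Return one record per exception, tagged with the jar of its top frame."""
    events, open_events = [], {}  # open_events: latest exception per instance
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, instance, msg = m.groups()
        exc, frame = EXC.match(msg), FRAME.match(msg)
        if exc:
            open_events[instance] = {"ts": ts, "instance": int(instance), "jar": None,
                                     "version": None, "exception": exc.group(1)}
            events.append(open_events[instance])
        elif frame and instance in open_events and open_events[instance]["jar"] is None:
            open_events[instance]["jar"] = frame.group(2)
            open_events[instance]["version"] = frame.group(3)
    return events


def report(log):
    """Count failures per app instance and list outdated throwing-library versions."""
    events = failures(log)
    per_instance = dict(Counter(e["instance"] for e in events))
    outdated = sorted({e["version"] for e in events if e["jar"] == RECOMMENDED[0]
                       and as_tuple(e["version"]) < as_tuple(RECOMMENDED[1])})
    return per_instance, outdated
```

Failures clustered on one instance index, or shortly after instance start, narrow down where the key loading breaks; an empty `outdated` list after the upgrade confirms the new jar is the one on the classpath.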