JARM FAPI Test Failed: fapi1-advanced-final-ensure-request-object-signature-algorithm-is-not-none #310
Description
fapi1-advanced-final-ensure-request-object-signature-algorithm-is-not-none: https://www.certification.openid.net/log-detail.html?log=CTASTrHrHeRsAvk&public=true
Expected Result:
This test should end with the authorization server showing an error message that the request object is invalid (a screenshot of which should be uploaded) or with the user being redirected back to the conformance suite with a correct error response.
Actual Result:
This test also fails with ExtractJARMFromURLQuery: Couldn't find response in callback_query_params. When I check the logs, they report that nbf is null:
2021-11-24 09:55:56,323 ERROR [qtp6519275-52] [jans.as.server.model.authorize.JwtAuthorizationRequest] (JwtAuthorizationRequest.java:542) - nbf claim is not set, nbf: null
2021-11-24 09:55:56,323 DEBUG [qtp6519275-52] [as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:821) - Invalid JWT authorization request. nbf claim is not set
2021-11-24 09:55:56,323 DEBUG [qtp6519275-52] [io.jans.as.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:76) - Looking for the error with id: invalid_request
2021-11-24 09:55:56,324 DEBUG [qtp6519275-52] [io.jans.as.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:81) - Found error, id: invalid_request
2021-11-24 09:55:56,324 ERROR [qtp6519275-52] [as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:777) - HTTP 302 Found
javax.ws.rs.WebApplicationException: HTTP 302 Found
at io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl.validateJwtRequest(AuthorizeRestWebServiceImpl.java:824) ~[classes/:?]
at io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl.requestAuthorization(AuthorizeRestWebServiceImpl.java:462) ~[classes/:?]
at io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl.requestAuthorizationGet(AuthorizeRestWebServiceImpl.java:187) ~[classes/:?]
at io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl$Proxy$_$$_WeldClientProxy.requestAuthorizationGet(Unknown Source) ~[classes/:?]
jans-auth.log for reference: jans-auth.log
Debugging Hints
There has to be something wrong during JWE decryption (jweDecrypter.decrypt(encodedJwt)) in these lines: https://github.com/JanssenProject/jans-auth-server/blob/master/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java#L141-L160
nbf and other fields are NULL in the loadPayload method of JwtAuthorizationRequest (please see the debugging screenshot; the debug point was on line https://github.com/JanssenProject/jans-auth-server/blob/master/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java#L307), whereas nbf is not null in the request JWT (please see the screenshot of the request from jwt.io).
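As an added illustration (not Janssen code), here is a minimal Python validator for the request-object checks this FAPI test exercises: it runs the alg check before any claim check, so an alg=none object is reported as a bad signature algorithm rather than as a missing nbf, and it treats a 5-segment (JWE) input as something that must be decrypted before claims are inspected. The error strings, the sample token and the timestamp are constructed for the example.

```python
import base64
import json
import time

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(seg):
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))

def validate_request_object(compact, now=None):
    """Return (error, description) on rejection or (None, claims) on success.
    Order matters: a request object with alg=none must be rejected for its
    algorithm, not for whatever claim happens to be read as null afterwards."""
    now = time.time() if now is None else now
    parts = compact.split(".")
    if len(parts) == 5:
        # Compact JWE: claims are unreadable until decryption succeeds, so a
        # "null nbf" seen at this point points at the decrypt step, not the client.
        return "invalid_request_object", "encrypted request object must be decrypted before claim checks"
    if len(parts) != 3:
        return "invalid_request_object", "request object is not a compact JWS"
    try:
        header, claims = _b64url_decode(parts[0]), _b64url_decode(parts[1])
    except ValueError:
        return "invalid_request_object", "request object segments are not valid base64url JSON"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "invalid_request_object", "header and payload must be JSON objects"
    alg = header.get("alg")
    if not alg or alg.lower() == "none":
        return "invalid_request_object", "request object must be signed; alg=none is not permitted"
    # Signature verification against the client's registered JWKS belongs here
    # (omitted: this example carries no keys).
    for claim in ("nbf", "exp"):
        if not isinstance(claims.get(claim), (int, float)):
            return "invalid_request_object", f"{claim} claim is not set"
    # FAPI 1.0 Advanced: nbf no more than 60 min in the past, exp no more than
    # 60 min after nbf, and the object must not already be expired.
    if claims["nbf"] < now - 3600 or claims["exp"] <= now or claims["exp"] - claims["nbf"] > 3600:
        return "invalid_request_object", "nbf/exp window is invalid"
    return None, claims

# Constructed sample mirroring what the conformance test sends: alg=none with
# an otherwise well-formed payload (nbf present). NOW is 2021-11-24 09:55:56 UTC.
NOW = 1637747756
SAMPLE_ALG_NONE = ".".join([
    _b64url_encode({"alg": "none"}),
    _b64url_encode({"iss": "example-client-id", "nbf": NOW - 10, "exp": NOW + 300}),
    "",
])
```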