
Support encrypted access tokens (JWE) via OIDC authentication provider #10199

@tirunagaris

Description

  • Helidon Version: 3.2.x
  • Helidon MP
  • JDK version: JDK 17
  • OS: Windows 10 Enterprise 22H2
  • Docker version (if applicable): NA

Enhancement Description

We have an application based on Helidon MP (v 3.2.x) configured with the OIDC security provider, and the customer is using the NetIQ identity provider for achieving Single Sign On (SSO). We observed that the application fails to log in with an "invalid token" error if the tokens are encrypted by the identity provider (in this case NetIQ).

We have also observed that when the tokens are encrypted, they contain 5 segments instead of 3. The customer is encrypting the token (JWE) rather than signing it (JWS).

For more information on encryption in NetIQ, please refer to Encrypting Access Token from NetIQ.

Below is the exception stack trace from the logs (in customer environment):

io.helidon.security.providers.oidc.TenantAuthenticationHandler Thread[nioEventLoopGroup-3-3,10,main]: Could not parse inbound token
io.helidon.security.jwt.JwtException: Not a JWT token: eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwidHlwIjoiSldUIiwiY3R5IjoiSldUIiwiemlwIjoiREVGIiwia2lkIjoiMCJ9.--uRk7A7ZCpI1EVucWFuZXBg7vYXdjNr.UgMm9J6mNCcLX6xu.Sbll8-ZyD1Zt2D9eeai2Z40yCt07vylBSdMv0Ni_OWAEvVqhrfzWzdZpC9g1bWkzBfovS3nubfe8mlaIZnNMFdj_tcGit6piJHGI72HP4wg0uIR9KLidtfcCQWrnPjKXXJT9U26NNbojA8dYWX48jIDimkhj4S6iAcv6E1cVnQ1Bz82r4bO0UkF9QKrdMTA1iR2jVbMqzeKA7hXtHT5KhCZKeOdUiVvuxOVTd6lf13VG8ZX-MIrIgOq3tsNmEu3JAyYNHUMCHaUnzRpVmU5CI-VIjGEoW_0aW7hqmUNx4XPLbOEZpj-WB0zdKW87KIdLZtrpVARk9681JdaprnCgBBnf2xoFntby9WUlOOcwCAfO-E4Mh8Rj8Kt7Dge9oa8KP64h0SvSF_1slVYDdyYQRmj78vulcbuaQYAFqMaq__UuTjh5I1R8rCdUIHzcb6f6Rt6iZ25IAufnpjrC1FpqLLY7pd6rTmPG84Ln4W2mShaJ2Sq0kMIt9gY0YiTNNZl885xLoe8ldvQle39gU4p7yR0OiyJPmhIjiF37sdJXzz36L6G75spXpVDRqQJkMK3UVEEMnlOCZ-vAtfD3uMioqGNAI3QHYRsLaZMLDDyJGkAOhzzG4ZKNQXDmbLtxhTog1NlNDUPsMX_LZ96nJRnMMxurt1w6IaaaUpuSKjNncYw5hINjHgs4er_YyHbMNoHAiT73NqHrDaAMWk75-7KYry2bvACOvz04InoaTKjRjuQRscKwbo67UB4XGlwbbgVHuOZvSD36SVOLSsLleWyWKSvN2zVD-tiEWSuM54kW-PneL_4Gx3WZIVcIJOqeRTqvq7L6lcVHMSjor546xbrOZAdPR11phB38CYXTNm1dYOQdpJUSAmY8O2_WoCimiPhigBZFbk8B_XWUXwX-iG8fgTN68hZbzIcK1joegI-XrzLprGoJYHdDLzm3QVaDrW6IXGN96f6feFuRZPkklZFcRqmg_INs-c9Gop4YwkL6r-fVkoDPR-u56eX8GGocMvCShtLxK90TCZsQ5OKf-m5OmWXuS3KOCo5hO9CGGVRoXRtH9lGON1ClWKKxYJXDhXqr8M_HlwoM4lq0Fg6LrqBBO2aSTlJsJ6QiRKl4vQ6ASqPL1zse9G4i5cJ3wnNokyg5ZPsnVeIWVl9mgpcm_NqZZ8-0n6cRa6zpmdiDv9yf3jyF1-pOxrMprHy6XtPYzLXd0SyVP3q-BolVUcFqM_8lq7mgzTMY3c6Rx3V6NJLMzKyaYxHGwdge7D4X1-YCQITafsIHltwTgKd8SSzgVYa-lm4vEka0UR0P7BwAFAPNj3_9ojOBwzvtpD2yBBqPwzQqTEOGHTce11JdWz4sa_z6-nbfGN9cNLCmgTVeY-ngPz7BddCLEtcttq1HzsSfLE1nljpjGoLAj4XoXXrJYPExI8ciGVnBtFyE7-Xem3TbOeTYGa9LAqFc_1uWBVZarXEHLLJZiCgin8izvSjkwHQemDiiufd54L952H-TLipElTqh_6wHDmPL8IXLQrL4B0cYyRTlEzADBWOVlz5altnb_M3xcyrjOqBGxPilXMo4hfmUGQvtoN5KR71DgqwHHmnRPi1JHw46zS0jrV1c63DRTNhox-0KamO9TiE9wFh1-JiThVhgkEi5jzia9bkJ2t8A8CRM-cpu6WbX-ep0c5s8u0wIzqBYKYsDtr7OFTtRHQydrqW15pDy7BrXYFpvaSX3I1yBBG8PFwj04trw5P80M8hBuAzw0siZ42nq-ONtpag4qSgzDmvym9wvaZ4VLhpfTmIPCfWzjPUGgRyDr8OnJcIBQJaI34NkYNp_aWx1TqKITy-qb6YLM2l0yTGSEsJbQYy3GSDUmza5M3NajXre788LAFj4Z-MtTvkvBVqhZDwM9qiI.c3BGD2TyrKUDbUTrYPWGIA
        at io.helidon.security.jwt.SignedJwt.parseToken(SignedJwt.java:167)
        at io.helidon.security.providers.oidc.TenantAuthenticationHandler.validateToken(TenantAuthenticationHandler.java:421)
        at io.helidon.security.providers.oidc.TenantAuthenticationHandler.lambda$authenticate$12(TenantAuthenticationHandler.java:205)
        at io.helidon.common.reactive.SingleFlatMapSingle$FlatMapSubscriber.onNext(SingleFlatMapSingle.java:79)
        at io.helidon.common.reactive.SingleSubscription.request(SingleSubscription.java:50)
        at io.helidon.common.reactive.SingleFlatMapSingle$FlatMapSubscriber.request(SingleFlatMapSingle.java:111)
        at io.helidon.common.reactive.SingleOnErrorResumeWith$OnErrorResumeWithSubscriber.onSubscribe(SingleOnErrorResumeWith.java:67)
        at io.helidon.common.reactive.SingleFlatMapSingle$FlatMapSubscriber.onSubscribe(SingleFlatMapSingle.java:71)
        at io.helidon.common.reactive.SingleJust.subscribe(SingleJust.java:36)
        at io.helidon.common.reactive.SingleFlatMapSingle.subscribe(SingleFlatMapSingle.java:43)
        at io.helidon.common.reactive.SingleOnErrorResumeWith.subscribe(SingleOnErrorResumeWith.java:43)
        at io.helidon.common.reactive.CompletionSingle.toNullableStage(CompletionSingle.java:39)
        at io.helidon.common.LazyValueImpl.get(LazyValueImpl.java:118)
        at io.helidon.common.reactive.CompletionAwaitable.whenComplete(CompletionAwaitable.java:274)
        at io.helidon.common.reactive.CompletionAwaitable.whenComplete(CompletionAwaitable.java:33)
        at io.helidon.common.reactive.MultiFromCompletionStage.subscribe
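The issue report above boils down to a segment-count mismatch: a signed JWT (JWS compact serialization) has 3 dot-separated segments, while an encrypted one (JWE compact serialization) has 5, and a validator that only knows JWS rejects the latter before it can look at anything else. The following Python is an added triage example, not Helidon code and not part of the original issue. It classifies a compact JOSE token by segment count and decodes only the protected header, which for the token in the stack trace shows alg A128KW (AES key wrap with a symmetric key shared between IdP and relying party), enc A128GCM, zip DEF (payload deflated before encryption) and cty JWT (a nested JWT, i.e. a JWS inside the JWE). The header segment is copied from the exception message; the other four JWE segments, and the entire JWS sample, are constructed placeholders, since the inspector never decrypts or verifies anything.

```python
import base64
import json
from typing import Iterable

# Protected-header segment copied from the JwtException in the issue's stack trace.
ISSUE_JWE_HEADER = (
    "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwidHlwIjoiSldUIiwiY3R5Ijoi"
    "SldUIiwiemlwIjoiREVGIiwia2lkIjoiMCJ9"
)

# Constructed stand-ins for the remaining JWE segments (encrypted key, IV,
# ciphertext, tag). The inspector below never decrypts, so their content is irrelevant.
CONSTRUCTED_JWE = ISSUE_JWE_HEADER + ".ekey.iv.ciphertext.tag"


def _b64url(data: bytes) -> str:
    """Unpadded base64url encoding as JOSE uses it (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed 3-segment JWS: the shape a JWS-only validator expects. The
# signature bytes are a placeholder and would never verify.
CONSTRUCTED_JWS = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "k1"}).encode()),
    _b64url(json.dumps({"sub": "alice", "iss": "https://idp.example"}).encode()),
    _b64url(b"not-a-real-signature"),
])


def b64url_decode(segment: str) -> bytes:
    """Decode one unpadded base64url segment; reject standard-alphabet input."""
    if not segment or any(c in segment for c in "+/="):
        raise ValueError("segment is not unpadded base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_compact_token(token: str) -> dict:
    """Classify a compact JOSE token (3 segments = JWS, 5 = JWE) and decode
    its protected header. Nothing here is authenticated: until the signature
    or AEAD tag verifies, every header value is attacker-controlled."""
    parts = token.strip().split(".")
    if len(parts) == 3:
        kind = "JWS"
    elif len(parts) == 5:
        kind = "JWE"
    else:
        raise ValueError(f"expected 3 (JWS) or 5 (JWE) segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    info = {"kind": kind, "segments": len(parts),
            "alg": header.get("alg"), "kid": header.get("kid")}
    if kind == "JWE":
        info["enc"] = header.get("enc")
        info["zip"] = header.get("zip")
        # cty "JWT" means the decrypted plaintext is itself a JWS that must
        # still be signature-verified after decryption (RFC 7519 section 5.2).
        info["nested_jwt"] = str(header.get("cty", "")).upper() == "JWT"
    return info


def is_accepted(token: str, allowed_algs: Iterable[str],
                allowed_encs: Iterable[str] = ()) -> bool:
    """Apply a receiver-side policy: only algorithms the relying party was
    configured for are permitted, never whatever the token's header asks for.
    A JWS-only configuration (no allowed_encs) therefore refuses every JWE,
    which is the behaviour the issue reports."""
    try:
        info = inspect_compact_token(token)
    except ValueError:
        return False
    if info["alg"] not in set(allowed_algs):
        return False
    if info["kind"] == "JWE" and info["enc"] not in set(allowed_encs):
        return False
    return True


if __name__ == "__main__":
    print(inspect_compact_token(CONSTRUCTED_JWE))
    print(inspect_compact_token(CONSTRUCTED_JWS))
    print("JWS-only policy accepts the JWE:", is_accepted(CONSTRUCTED_JWE, {"RS256"}))
```

Recognising the JWE is the cheap part. Supporting it means holding the A128KW wrapping key the IdP used (a shared symmetric secret, so it has to be provisioned to the relying party out of band), unwrapping the content key, decrypting with A128GCM, inflating the DEFLATE payload with a hard cap on the inflated size, and then, because cty is JWT, verifying the inner JWS against the IdP's signing keys exactly as for an unencrypted token. None of those steps may be driven by the header alone: the expected alg and enc values belong in configuration, and a header naming anything else should be rejected before any key material is touched.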

Metadata

Labels: 3.x (Issues for 3.x version branch), P3, enhancement (New feature or request), security

Milestone: No milestone

Development: No branches or pull requests