I’ve got a local setup running in docker compose and the used images are based upon the docker examples in the AM/AMSTER/DS/IDM zip files. I also programmed a Consent Server which is used in the OIDC flow and which works just fine. Up until now I’ve used the ldapService authentication chain but wanted to use an Authentication Tree. So I configured a tree which just does password authentication, but when I call this tree I get the following exception:
```
Caused by: java.lang.IllegalArgumentException: Invalid offset/length combination
	at java.base/javax.crypto.spec.SecretKeySpec.<init>(Unknown Source)
	at org.forgerock.json.jose.jwe.handlers.encryption.AESCBCHMACSHA2ContentEncryptionHandler.encKey(AESCBCHMACSHA2ContentEncryptionHandler.java:175)
	at org.forgerock.json.jose.jwe.handlers.encryption.AESCBCHMACSHA2ContentEncryptionHandler.encrypt(AESCBCHMACSHA2ContentEncryptionHandler.java:65)
	at org.forgerock.json.jose.jwe.handlers.encryption.DirectEncryptionHandler.encryptPlaintext(DirectEncryptionHandler.java:58)
	at org.forgerock.json.jose.jwe.EncryptedJwt.build(EncryptedJwt.java:185)
	at org.forgerock.json.jose.jws.SignedJwt.build(SignedJwt.java:173)
	at org.forgerock.json.jose.builders.EncryptedThenSignedJwtBuilder.build(EncryptedThenSignedJwtBuilder.java:65)
	at org.forgerock.openam.session.stateless.JwtSessionMapper.asJwt(JwtSessionMapper.java:138)
	at org.forgerock.openam.session.stateless.StatelessSessionManager.generate(StatelessSessionManager.java:214)
	at org.forgerock.openam.session.stateless.StatelessOperations$StatelessSessionBuilder.build(StatelessOperations.java:422)
	at org.forgerock.openam.session.authentication.DelegatedAuthenticationOperations$DelegatedAuthenticationSessionBuilder.build(DelegatedAuthenticationOperations.java:345)
	at com.iplanet.dpro.session.monitoring.MonitoredBuilder.build(MonitoredBuilder.java:99)
	at org.forgerock.openam.core.rest.authn.trees.AuthTrees.constructAuthSession(AuthTrees.java:549)
	at org.forgerock.openam.core.rest.authn.trees.AuthTrees.invokeTree(AuthTrees.java:260)
	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:257)
	at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:157)
```
I thought it may be happening because I constructed my own keystore containing custom keys/secrets/certificates, but changing the alias for am.authn.trees.transientstate.encryption doesn’t change anything about the exception. Also looking in the code of AESCBCHMACSHA2ContentEncryptionHandler doesn’t give a clue (except that the code looks wrong):

```java
// Arguments that were highlighted in the original post are marked with /* ! */.
private static SecretKey macKey(final Key combinedKey, final EncryptionMethod method) {
    return new SecretKeySpec(combinedKey.getEncoded(), 0, /* ! */ method.getKeyOffset(),
            method.getMacAlgorithm());
}

private static SecretKey encKey(final Key combinedKey, final EncryptionMethod method) {
    return new SecretKeySpec(combinedKey.getEncoded(), /* ! */ method.getKeyOffset(), /* ! */ method.getKeyOffset(),
            method.getEncryptionAlgorithm());
}
```
Is there anyone who has encountered the same and knows how to solve this problem?
Using AM 7.3.0/DS 7.3.3/IDM 7.3.0/Amster 7.3.0 and did play around with the creation of the am-base image as the configuration was missing stuff which was present when
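As an added example that is not part of the original post or of the ForgeRock library: the Python below mirrors the key split the quoted macKey()/encKey() helpers perform (RFC 7518 section 5.2.2: the first half of the combined key is the HMAC key, the second half the AES key) together with the precondition that SecretKeySpec(byte[], int offset, int len, String) enforces, so you can check which combined-key sizes a given secret satisfies. The method names and sizes come from RFC 7518; the function names and the sample key are assumptions made for this example.

```python
# Added example (not from the original post or the ForgeRock library).
# Mirrors the AES-CBC-HMAC-SHA2 key split and the SecretKeySpec offset/length check,
# so a wrongly sized combined key can be diagnosed before a JWT build fails.
from typing import Dict, List, Tuple

# method -> (combined key length, key offset = MAC key length = AES key length, hash)
# Sizes per RFC 7518 section 5.2.3 - 5.2.5.
METHODS: Dict[str, Tuple[int, int, str]] = {
    "A128CBC-HS256": (32, 16, "sha256"),
    "A192CBC-HS384": (48, 24, "sha384"),
    "A256CBC-HS512": (64, 32, "sha512"),
}


def secret_key_spec(key: bytes, offset: int, length: int) -> bytes:
    """Same precondition as SecretKeySpec(byte[] key, int offset, int len, String alg)."""
    if length == 0:
        raise ValueError("Empty key")
    if offset < 0 or length < 0 or len(key) - offset < length:
        raise ValueError("Invalid offset/length combination")
    return key[offset:offset + length]


def split_combined_key(combined: bytes, method: str) -> Tuple[bytes, bytes]:
    """Return (mac_key, enc_key) exactly as the quoted macKey()/encKey() helpers do.

    Using getKeyOffset() as both offset and length of the AES key is correct for
    these methods because both halves of the combined key are the same size.
    A key that is only half the expected size passes the macKey() call and fails
    in the encKey() call, which is the frame shown in the stack trace.
    """
    _, key_offset, _ = METHODS[method]
    mac_key = secret_key_spec(combined, 0, key_offset)           # first half
    enc_key = secret_key_spec(combined, key_offset, key_offset)  # second half
    return mac_key, enc_key


def methods_fitting(key_len: int) -> List[str]:
    """Diagnostic: which content-encryption methods a key of this size can serve."""
    return [m for m, (expected, _, _) in METHODS.items() if key_len == expected]


if __name__ == "__main__":
    sample = bytes(range(32))  # constructed 256-bit combined key, not a real secret
    print(split_combined_key(sample, "A128CBC-HS256"))
    print(methods_fitting(16))  # an AES-128 key alone fits no AES-CBC-HMAC method
```

With a 16-byte key, methods_fitting() returns an empty list and split_combined_key() reproduces the "Invalid offset/length combination" error from the AES-key half, matching the encKey() frame in the trace.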