Internal Server Error after login via openid-connect

Hi,
I am trying to switch from LDAP to openidc.
The xwiki will send the user to the IDP and then the IDP will send the user back to the xwiki. So far so good. But when the user is sent back, the xwiki will die with "HTTP Status 500 – Internal Server Error".

The only error I can see:

04-Jun-2025 11:48:16.766 SEVERE [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-8 - https://XXXXX] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [/xwiki] threw exception [Failed to handle Resource Reference [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]] with root cause
        com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found

Other applications running in this realm don’t have this problem.

This error suggests that the provider sent a signed token, but the authenticator does not have any information on how to verify the signature.

It would be interesting to have an idea on how exactly you configured it.

After hours of searching, I stumbled across similar behaviour in another product. It seems to be due to the fact that the underlying library does not recognise all the algorithms permitted in the RFC. There it was suggested to explicitly set RS256 as the algorithm. I tried this and the token could be checked.

Here is the article where I found it:
https://liferay.dev/ask/questions/development/signed-jwt-rejected-another-algorithm-expected-or-no-matching-key-s-

And here is the RFC with the possible algorithms:

In my case the IDP will use PS512 by default.

So I think xwiki is also affected, in that it will not support all of the RFC.

It’s strange, from what I can see on nimbus-jose-jwt/src/main/java/com/nimbusds/jose/JWSAlgorithm.java at master · felx/nimbus-jose-jwt · GitHub, PS512 seems to be supported. So it feels more like it was not “enabled” for some reason. AFAIK the algorithms are listed in the provider configuration endpoint (which is why I asked you in the previous message what you configured, in this case it would especially be about the Provider / oidc.provider property).

Would have been interesting to see the complete error since I’m not sure which verifier failed here, but your application server is apparently configured to only print the root cause. It would probably help a lot if you could enable debug log to at least know what it was trying to do when it failed.
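A small model of the key-selection step where this error is raised, added here as an illustration and not XWiki's or nimbus-jose-jwt's code: the token header alg is compared against the single configured algorithm, and candidate keys are then picked from the JWKS. With the verifier pinned to RS256 a PS512 token yields no key at all, which is the rejection in the stack trace; deriving the expected alg from the provider metadata instead matches it. All token, JWKS and metadata values are constructed, and no signature is actually verified.

```python
import base64
import json

# Constructed sample inputs (not from the thread): a PS512-signed ID token header
# with kid "kc-1" and the provider's JWKS. Payload and signature are placeholders.
def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "PS512", "typ": "JWT", "kid": "kc-1"}),
    _b64url({"iss": "https://idp.example/realms/demo", "sub": "alice"}),
    "c2lnbmF0dXJl",  # placeholder, not a real signature
])
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "kc-1", "use": "sig", "alg": "PS512"},
    {"kty": "RSA", "kid": "kc-0", "use": "sig", "alg": "RS256"},
]}
SAMPLE_PROVIDER_METADATA = {  # subset of .well-known/openid-configuration
    "id_token_signing_alg_values_supported": ["PS512", "RS256", "ES256"],
}
KEY_TYPE_FOR_ALG = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}

def parse_header(token):
    h = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(h + "=" * (-len(h) % 4)))

def select_keys(expected_alg, header, jwks):
    """Candidate keys, as a single-algorithm key selector picks them. An empty
    result is what surfaces as 'Another algorithm expected, or no matching key(s) found'."""
    if header.get("alg") != expected_alg:
        return []
    kty = KEY_TYPE_FOR_ALG[expected_alg[:2]]
    return [k for k in jwks["keys"]
            if k.get("kty") == kty and k.get("use", "sig") == "sig"
            and k.get("alg", expected_alg) == expected_alg
            and k.get("kid") == header.get("kid", k.get("kid"))]

def check_id_token(token, expected_alg, jwks):
    """kid of the key that would verify the token, or None when it is rejected."""
    keys = select_keys(expected_alg, parse_header(token), jwks)
    return keys[0]["kid"] if keys else None

def expected_alg_from_metadata(metadata, client_alg=None):
    """Expected alg as the callback should derive it: the client's registered
    id_token_signed_response_alg, else the first value the provider advertises."""
    supported = metadata["id_token_signing_alg_values_supported"]
    alg = client_alg or supported[0]
    return alg if alg in supported else None
```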

In the trace log I see the token. When I "feed" https://jwt.io/ with it, I can see that the token is correctly signed with PS512.

But the stack trace doesn't have more information:

05-Jun-2025 09:27:18.752 SEVERE [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-10] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet [resourceReferenceHandler] threw exception
        com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
                at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:357)
                at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:321)
                at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:254)
                at org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.parseIdToken(CallbackOIDCEndpoint.java:336)
                at org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:223)
                at org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:134)
                at org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:108)
                at org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
                at org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
                at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
                at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
                at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
                at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:661)
                at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:425)
                at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:330)
                at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:294)
                at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
                at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
                at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:179)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:154)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
                at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
                at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:424)
                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1786)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
                at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
                at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
                at java.base/java.lang.Thread.run(Thread.java:840)

I think I found where the problem is and created [link missing].

It should hopefully work better in 2.18.1 (but did not really have a provider to make sure).

Hi, this will be no problem, because at my provider (a Keycloak) I can set the algorithm and test it. On my side it will now work, with the default algorithm from the IDP.

Thanks so much.