Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512 when I add the signed-install property to the atlassian-connect.json

Hi Team,

When I tried to add the signed-install property to the atlassian-connect.json file following the steps in the next topic: Action Required - Atlassian Connect installation lifecycle security improvements

The following error occurs when I try to install the app:

2021-09-21 11:31:36.497 ERROR 40003 --- [nio-8080-exec-8] c.a.c.s.i.a.j.JwtAuthenticationProvider  : com.nimbusds.jose.JOSEException: Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512
2021-09-21 11:31:36.501  WARN 40003 --- [nio-8080-exec-8] c.a.c.s.i.a.jwt.JwtAuthenticationFilter  : Failed to authenticate request

org.springframework.security.authentication.BadCredentialsException: com.nimbusds.jose.JOSEException: Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512
	at com.atlassian.connect.spring.internal.auth.jwt.JwtAuthenticationProvider.verifyToken(JwtAuthenticationProvider.java:179) ~[atlassian-connect-spring-boot-core-2.1.4.jar:na]
	at com.atlassian.connect.spring.internal.auth.jwt.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:70) ~[atlassian-connect-spring-boot-core-2.1.4.jar:na]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.4.6.jar:5.4.6]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201) ~[spring-security-core-5.4.6.jar:5.4.6]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:510) ~[spring-security-config-5.4.6.jar:5.4.6]
	at com.atlassian.connect.spring.internal.auth.jwt.JwtAuthenticationFilter.doFilterInternal(JwtAuthenticationFilter.java:69) ~[atlassian-connect-spring-boot-core-2.1.4.jar:na]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:327) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:149) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:149) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.3.6.jar:5.3.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_202]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_202]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_202]
Caused by: com.atlassian.connect.spring.internal.jwt.JwtSignatureMismatchException: com.nimbusds.jose.JOSEException: Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512
	at com.atlassian.connect.spring.internal.jwt.JwtReader.verify(JwtReader.java:124) ~[atlassian-connect-spring-boot-jwt-2.1.4.jar:na]
	at com.atlassian.connect.spring.internal.jwt.JwtReader.readAndVerify(JwtReader.java:51) ~[atlassian-connect-spring-boot-jwt-2.1.4.jar:na]
	at com.atlassian.connect.spring.internal.auth.jwt.JwtAuthenticationProvider.verifyToken(JwtAuthenticationProvider.java:170) ~[atlassian-connect-spring-boot-core-2.1.4.jar:na]
	... 74 common frames omitted
Caused by: com.nimbusds.jose.JOSEException: Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512
	at com.nimbusds.jose.crypto.impl.MACProvider.getJCAAlgorithmName(MACProvider.java:87) ~[nimbus-jose-jwt-9.8.jar:9.8]
	at com.nimbusds.jose.crypto.MACVerifier.verify(MACVerifier.java:198) ~[nimbus-jose-jwt-9.8.jar:9.8]
	at com.nimbusds.jose.JWSObject.verify(JWSObject.java:359) ~[nimbus-jose-jwt-9.8.jar:9.8]
	at com.atlassian.connect.spring.internal.jwt.JwtReader.verify(JwtReader.java:116) ~[atlassian-connect-spring-boot-jwt-2.1.4.jar:na]
	... 76 common frames omitted

In addition to adding the signed-install property, do you have to do something else?

Thanks in advance.

Best regards.

Hi @jbolufer ,
From your stack trace, I can see that you are using atlassian-connect-spring-boot v2.1.4.
Could you please try again with the latest version? v2.2.3

Hi @HanjooSong ,

Thanks for the reply

With v2.2.4 version and signed-install parameter in the atlassian-connect.json file, I can install. But is that enough? Or it is mandatory to do the verification using the JWT for our app to work after October 29?

I ask this because from the installation callback:

 @EventListener
  public void installed(AddonInstalledEvent event) {}

There is no Request parameter and I do not know how obtain and decrypt the JWT header as indicated in the documentation: https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/#decoding-a-jwt-token

Thanks in advance

Best regards.

Hi @jbolufer ,
Setting signed-install parameter in the descriptor file will be enough and you can release your app anytime before 29th Oct. The new JWT authentication will be handled inside the atlassian-connect-spring-boot framework.
The developer documentation page outlines the implementation for those who wants to build their own app. If you want to verify that your app is correctly receiving the new JWT from the auth header, you can use tunnelling such as ngrok to inspect the incoming requests(or you can try debugging a request filters class such as AsymmetricAuthenticationFilter.class)

Hi @HanjooSong,

Ok. Thank you very much for all help.

Best regards.