Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512 when I add the signed-install property to the atlassian-connect.json

Hi Team,

When I tried to add the signed-install property to the atlassian-connect.json file following the steps in the next topic: Action Required - Atlassian Connect installation lifecycle security improvements

The following error occurs when I try to install the app:

2021-09-21 11:31:36.497 ERROR 40003 --- [nio-8080-exec-8] c.a.c.s.i.a.j.JwtAuthenticationProvider  : com.nimbusds.jose.JOSEException: Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512
2021-09-21 11:31:36.501  WARN 40003 --- [nio-8080-exec-8] c.a.c.s.i.a.jwt.JwtAuthenticationFilter  : Failed to authenticate request

org.springframework.security.authentication.BadCredentialsException: com.nimbusds.jose.JOSEException: Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512
	at com.atlassian.connect.spring.internal.auth.jwt.JwtAuthenticationProvider.verifyToken(JwtAuthenticationProvider.java:179) ~[atlassian-connect-spring-boot-core-2.1.4.jar:na]
	at com.atlassian.connect.spring.internal.auth.jwt.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:70) ~[atlassian-connect-spring-boot-core-2.1.4.jar:na]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.4.6.jar:5.4.6]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201) ~[spring-security-core-5.4.6.jar:5.4.6]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:510) ~[spring-security-config-5.4.6.jar:5.4.6]
	at com.atlassian.connect.spring.internal.auth.jwt.JwtAuthenticationFilter.doFilterInternal(JwtAuthenticationFilter.java:69) ~[atlassian-connect-spring-boot-core-2.1.4.jar:na]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:327) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:149) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:149) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) [spring-security-web-5.4.6.jar:5.4.6]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.3.6.jar:5.3.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.3.6.jar:5.3.6]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.3.6.jar:5.3.6]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_202]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_202]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.45.jar:9.0.45]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_202]
Caused by: com.atlassian.connect.spring.internal.jwt.JwtSignatureMismatchException: com.nimbusds.jose.JOSEException: Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512
	at com.atlassian.connect.spring.internal.jwt.JwtReader.verify(JwtReader.java:124) ~[atlassian-connect-spring-boot-jwt-2.1.4.jar:na]
	at com.atlassian.connect.spring.internal.jwt.JwtReader.readAndVerify(JwtReader.java:51) ~[atlassian-connect-spring-boot-jwt-2.1.4.jar:na]
	at com.atlassian.connect.spring.internal.auth.jwt.JwtAuthenticationProvider.verifyToken(JwtAuthenticationProvider.java:170) ~[atlassian-connect-spring-boot-core-2.1.4.jar:na]
	... 74 common frames omitted
Caused by: com.nimbusds.jose.JOSEException: Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512
	at com.nimbusds.jose.crypto.impl.MACProvider.getJCAAlgorithmName(MACProvider.java:87) ~[nimbus-jose-jwt-9.8.jar:9.8]
	at com.nimbusds.jose.crypto.MACVerifier.verify(MACVerifier.java:198) ~[nimbus-jose-jwt-9.8.jar:9.8]
	at com.nimbusds.jose.JWSObject.verify(JWSObject.java:359) ~[nimbus-jose-jwt-9.8.jar:9.8]
	at com.atlassian.connect.spring.internal.jwt.JwtReader.verify(JwtReader.java:116) ~[atlassian-connect-spring-boot-jwt-2.1.4.jar:na]
	... 76 common frames omitted

In addition to adding the signed-install property, do you have to do something else?

Thanks in advance.

Best regards.

Hi @jbolufer,
From your stack trace, I can see that you are using atlassian-connect-spring-boot v2.1.4.
Could you please try again with the latest version, v2.2.3?

Hi @HanjooSong,

Thanks for the reply.

With version v2.2.4 and the signed-install parameter in the atlassian-connect.json file, I can install. But is that enough? Or is it mandatory to do the verification using the JWT for our app to work after October 29?

I ask this because from the installation callback:

    @EventListener
    public void installed(AddonInstalledEvent event) {}

There is no Request parameter and I do not know how to obtain and decrypt the JWT header as indicated in the documentation: https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/#decoding-a-jwt-token

Thanks in advance

Best regards.

Hi @jbolufer,
Setting the signed-install parameter in the descriptor file will be enough and you can release your app anytime before 29th Oct. The new JWT authentication will be handled inside the atlassian-connect-spring-boot framework.
The developer documentation page outlines the implementation for those who want to build their own app. If you want to verify that your app is correctly receiving the new JWT from the auth header, you can use tunnelling such as ngrok to inspect the incoming requests (or you can try debugging a request filter class such as AsymmetricAuthenticationFilter.class).

Hi @HanjooSong,

Ok. Thank you very much for all the help.

Best regards.

Hi @HanjooSong, we are seeing similar errors in “Confluence” app installation. We had version 2.1.4 of the atlassian connect spring boot lib, and we tried upgrading to 2.2.3 but are getting a different exception; it’s kind of a deadlock.

With 2.1.4 we are getting this exception:

org.springframework.security.authentication.BadCredentialsException: com.nimbusds.jose.JOSEException: Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512

While with 2.2.3 we are getting this exception:

Oct 27 10:00:52 ip-172-31-42-174 web: com.atlassian.connect.spring.internal.jwt.JwtInvalidSigningAlgorithmException: Expected JWT to be signed with 'RS256' but it was signed with 'HS256' instead
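
Both exceptions quoted in this thread come from the same comparison: the algorithm the verifier is set up for versus the `alg` the incoming token declares. The following is an added example in plain JDK Java, not code from any post above or from atlassian-connect-spring-boot, showing a verifier that pins the expected algorithm per call; the class and method names, the secret, the key pair and the tokens are all constructed for the illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.*;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration: names are hypothetical; every key and token here is constructed.
public class PinnedAlgJwtCheck {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static byte[] hmac(Key k, byte[] in) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(k);
        return m.doFinal(in);
    }
    // Builds demo tokens: HS256 uses a shared secret, RS256 an RSA private key.
    static String sign(String alg, Key key) throws GeneralSecurityException {
        String in = ENC.encodeToString(("{\"alg\":\"" + alg + "\"}").getBytes(UTF_8))
                + "." + ENC.encodeToString("{\"iss\":\"demo\"}".getBytes(UTF_8));
        if (alg.equals("HS256")) return in + "." + ENC.encodeToString(hmac(key, in.getBytes(UTF_8)));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign((PrivateKey) key);
        s.update(in.getBytes(UTF_8));
        return in + "." + ENC.encodeToString(s.sign());
    }
    // The endpoint pins the algorithm; the token's own "alg" is compared to it, never obeyed.
    static boolean verify(String jwt, String expected, Key key) throws GeneralSecurityException {
        String[] p = jwt.split("\\.");
        if (p.length != 3) throw new SecurityException("not a compact JWS");
        String hdr = new String(DEC.decode(p[0]), UTF_8); // regex below stands in for a JSON parser
        if (!hdr.matches("(?s).*\"alg\"\\s*:\\s*\"" + expected + "\".*"))
            throw new SecurityException("Expected '" + expected + "' but JWT header is " + hdr);
        byte[] in = (p[0] + "." + p[1]).getBytes(UTF_8), sig = DEC.decode(p[2]);
        if (expected.equals("HS256")) return MessageDigest.isEqual(hmac(key, in), sig);
        if (!expected.equals("RS256")) throw new SecurityException("unsupported " + expected);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify((PublicKey) key);
        s.update(in);
        return s.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        Key secret = new SecretKeySpec("constructed-demo-secret".getBytes(UTF_8), "HmacSHA256");
        KeyPair rsa = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        // Algorithm, key type and token agree in the first two calls.
        System.out.println(verify(sign("HS256", secret), "HS256", secret));
        System.out.println(verify(sign("RS256", rsa.getPrivate()), "RS256", rsa.getPublic()));
        try { verify(sign("HS256", secret), "RS256", rsa.getPublic()); } // HS256 token, RS256 pinned
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Because the expected algorithm and the key type are chosen by the caller, a token that declares a different `alg` is refused before any key material is used.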