# gooddata-platform
j
Hi, please, I am getting this response for GPG SSO auth:
```json
{
  "error": {
    "errorClass": "PgpMessageDecryptException",
    "trace": "",
    "message": "Cannot decrypt SSO message from sso provider=kofo. Invalid sessionId",
    "component": "Webapp",
    "errorId": "4ea8e13a-fc23-4cd7-8a94-89016f8ed702",
    "errorCode": "sso.decrypt",
    "parameters": []
  }
}
```
I do not fully understand the error message - what session id is invalid and how can I make it valid? The claims should be valid. If that helps, the domain is https://gooddata.svc.omnetic.com
I am a little confused, because we are successfully using this method on another workspace; the difference is only in domain+workspace and keys. The request is:
```http
POST {{baseUri}}/gdc/account/customerlogin
{
  "pgpLoginRequest": {
    "encryptedClaims": "<redacted>",
    "ssoProvider": "kofo",
    "targetUrl": "/gdc/account/token"
  }
}
```
I double-checked the public key of the sso provider (`{{baseUri}}/gdc/domains/{{domainId}}/authentication/providers/kofo`) and it matches the private key pair with which I am signing the message
i
Hi Jan, the error itself points us to the “sso.decrypt” issue. When I check our LOG, it looks like one of your keys is invalid.
```
java.security.InvalidKeyException: Supplied key (org.bouncycastle.jcajce.provider.asymmetric.edec.BCEdDSAPublicKey) is not a RSAPublicKey instance
```
j
Thank you for the fast answer. Well, I can try to rotate the keys and try again, if that helps.
i
Yes, I would give it a shot. And please make sure that you are using one of the supported Encryption Algorithms.
j
I will double-check the encryption now
because I just did a fresh rotation, 200 for changing the public key on the sso provider
but again 400 with exactly the same message for the new secret
```json
{
  "error": {
    "errorClass": "PgpMessageDecryptException",
    "trace": "",
    "message": "Cannot decrypt SSO message from sso provider=kofo. Invalid sessionId",
    "component": "Webapp",
    "errorId": "6f894f57-4723-4051-a72b-ffa5ac5ba4cc",
    "errorCode": "sso.decrypt",
    "parameters": []
  }
}
```
i
Sorry to hear so. I will check our records again. In the meanwhile, could you let me know which user you are trying to authenticate, please? Also, the “targetUrl” seems to be set a bit strangely. Usually it is a relative path to some of your Dashboards or Insights.
j
the last message I was signing was
```json
{
  "email": "jan.mikes@carvago.com",
  "validity": 1686092197
}
```
yeah, we just need to set the cookies, we control our dashboards programmatically -> exactly this request works in a different workspace. I can try to set and use the keys from the other workspace - that would confirm it is key related
as I already tried rotating them 3 times with different settings and still get the same error 😄
i
Thanks, that would be great. Fingers crossed for you.
I found another error indicating an incorrect URL:
```
Cannot get instance of PGPEncryptedDataList from input stream.
```
Please let me know how it goes.
m
I don't think the SSO key is related to the workspace but rather to the whole environment/domain. From the error message it seems like you might be posting the key in some wrong format. Do you have a chance to check if the format is the same as in your other SSOs which work?
j
sorry, tried once again and it went through, seems I had an extra space at the end
on the first attempt, even with the same gpg key from the other workspace, I get
```json
{
  "error": {
    "errorClass": "PgpMessageDecryptException",
    "trace": "",
    "message": "Cannot decrypt SSO message from sso provider=kofo. Invalid sessionId",
    "component": "Webapp",
    "errorId": "e0d022e1-a5bd-4dec-bd60-9a0087cba143",
    "errorCode": "sso.decrypt",
    "parameters": []
  }
}
```
will try everything again from scratch to make sure I made no mistake
well, I deleted all keys, started completely from scratch, imported the keys from dev and it works 😞 thank you for your help, it means there really must be something wrong with the keys on our side
I'm glad it works, but not glad I gotta find what's wrong with the keys 😄
b
@Jan Mikeš the key pair was probably generated with an incorrect encryption algorithm, as we can see the following in our logs:
```
unknown PGP public key algorithm encountered: 86
```
How are you generating the PGP keypair?
j
```
❯ gpg --full-generate-key --openpgp
gpg (GnuPG) 2.4.0; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection? 9
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection? 1
```
tried option 1 (RSA and RSA) as well
it does not ask me for a cipher
b
thx for the info, I'll check what could be wrong... as far as I remember, option 1 was definitely working for me in the past, but something might have changed in the new gpg versions
actually I just realized... the claims should be encrypted with the gooddata public key, so your key is likely okay... the processing doesn't even get to the step of validating the signature using your public key uploaded to the platform... so there must be something wrong during the encryption process. I've just tested it with gnupg version 2.4.2 - commands
```bash
gpg --armor -u <my_key_id> --output signed.txt --sign claims.json
gpg --armor --output enc.txt --encrypt --recipient security@gooddata.com signed.txt
```
and it was working fine
j
oh, I found out what is wrong
after a few hours 😄
```bash
gpg --armor -u <my_key_id> --output signed.txt --sign claims.json
gpg --armor --output enc.txt --encrypt --recipient security@gooddata.com signed.txt
```
yeah, was doing that, 1st sign with our private key, then encrypt with the gooddata public key
(or vice versa... encrypt vs sign)
to explain what was wrong all the time:
when I generated the keypair, somehow it generated 2 keys (I have no idea why):
```
❯ gpg --list-keys --keyid-format=long -v carvago.com
gpg: enabled compatibility flags:
gpg: using pgp trust model

pub   rsa3072/4E2F4F5FA4F1D45F 2022-09-13 [SC]
      4B06F51A041D4743A04883AE4E2F4F5FA4F1D45F
uid                 [ unknown] data@carvago.com <data@carvago.com>

pub   ed25519/40D683AC36262977 2023-01-03 [SC]
      01112616A76667554A54C2FD40D683AC36262977
uid                 [ unknown] data@carvago.com <data@carvago.com>
sub   cv25519/6F9B3791D76DD4F5 2023-01-03 [E]
```
even `gpg --import` did import 2 keys
I started comparing to the dev key (which worked) and I started to be suspicious at that point, because importing that one imported only one key
when I deleted the 1st one (`rsa3072`) and signed with the same `data@carvago.com` key, it started working 🤷
I have no idea how or why, at least I know what the root cause of the problem was all the time
maybe some anomaly on my machine, though I am happy it is solved ❤️
thank y'all for your time