Jump to content
Welcome to our new Citrix community!

OAUTH: failed to decrypt JWE (OAuth private_key_jwt)

Recommended Posts

Initially we saw an error  “Error trying to validate Access Token. Please contact your administrator” which we got sorted out by generating a new certificate and then updating the data to the IdP side (IdP is an external service we have no control over).


Currently we’re seeing the following error message on the endpoints “Error trying to decrypt Access Token. Please contact your administrator” and in the ADC ns.log:

Mar  9 09:10:30 <local0.info> XXX  03/09/2022:07:10:30 GMT 1224-3-adc01 0-PPE-0 : default AAATM Message 283764 0 :  "OAUTH: failed to decrypt JWE, certkey used XXX, tokenlen 3064"


We have bound the certificate globally on the VPN (as mentioned in here https://support.citrix.com/article/CTX234873, step 9).


We have configured the OAuth Action according to the IdP well-known configuration

Client ID: Provided by the IdP
Authorization Endpoint: According to well-known
Token Endpoint: According to well-known
Cert Endpoint: According to well-known

Outside the GUI, we have set the tokenEndpointAuthMethod via CLI to private_key_jwt.




We have also tried implementing the following to OAuthAction: ID Token Decrypt Endpoint, Limiting the Allowed Token Algorithms, converted the certificate to JWK and added that one in to the Certificate File Path, Audience and even User Name Field.


However, for me it seems that we're just unable to decrypt the Access Token as the endpoint message shows. Any ideas where to look next?

Link to comment
Share on other sites

We've gotten a bit further now.


ns.log revealed:

"AAA: JWE: Either alg <RSA-OAEP> does not match RSA-OAEP or enc <A128CBC-HS256> does not match A256GCM"

... we got the IdP to change the encryption algorithm from A128CBC-HS256 to A256GCM and now we're able to decrypt the access token. However, the next issue we're seeing is:

"AAA JSON-PARSE: ns_aaa_parse_json_response, error parsing, Byte Index: 1, Error Code: 0, Error String: invalid char in json text. "

Unfortunately the log doesn't reveal what character is invalid in the json, but I'll try to extract the json in clear text to see the contents and spot potential characters that might cause this issue.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...