OAuth2: Cannot decrypt access token from store

Mr_Ronfo · January 7, 2020, 1:46pm

Hi, starting from the Spotify binding as inspiration, I’m building a new binding with a bridge that needs to authenticate towards an OAuth2 external service provider.

Using the core OAuth2 library, I’ve managed to get the whole authentication and services request flows to work pretty smoothly while OSGi contanier is up and running.

Thing is that, restarting the OSGi container from my Eclipse IDE, instead of having OAuth2 service to retrieve the previously saved Access Token from internal store (which should be the correct behaviour, like where - in a Production env - the user stop/start his openhab instance), I receive the following error in console:

13:43:34.673 [-thingHandler-1] DEBUG o.o.b.s.i.h.SmartherModuleHandler:237 - Exception checking authorization: 
org.eclipse.smarthome.core.auth.client.oauth2.OAuthException: Cannot decrypt access token from store
    at org.eclipse.smarthome.auth.oauth2client.internal.OAuthClientServiceImpl.getAccessTokenResponse(OAuthClientServiceImpl.java:325)
    ... 10 common frames omitted
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
	at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
	at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
	at javax.crypto.Cipher.doFinal(Cipher.java:2164)
	at org.eclipse.smarthome.auth.oauth2client.internal.cipher.SymmetricKeyCipher.decrypt(SymmetricKeyCipher.java:122)
	at org.eclipse.smarthome.auth.oauth2client.internal.OAuthStoreHandlerImpl.decryptToken(OAuthStoreHandlerImpl.java:183)
	at org.eclipse.smarthome.auth.oauth2client.internal.OAuthStoreHandlerImpl.loadAccessTokenResponse(OAuthStoreHandlerImpl.java:122)
	at org.eclipse.smarthome.auth.oauth2client.internal.OAuthClientServiceImpl.getAccessTokenResponse(OAuthClientServiceImpl.java:323)
	... 10 common frames omitted

Seems a very strange behaviour to me, as the access token itself is fine and perfectly working until I resart the OSGi container…

Any suggestion ?

Thanks,

hilbrand · January 7, 2020, 2:45pm

The OAuth2 keys are stored using a generated key. In the IDE this key is not persisted and a new key is generated on each startup. This will cause that the OAuth2 keys stored can’t be decrypted. I haven’t looked into this of why it’s recreated every time, but possible there is a way to just keep 1 key and not recreate it every time.

Mr_Ronfo · January 7, 2020, 3:11pm

Thanks @hilbrand, good spot!
I’ll look into that asap and post my findings in case I’d eventually come up with something useful.

Cheers,

splatch · January 7, 2020, 8:28pm

WRT persistence of configs see: Binding configuration does not persist we might think of something similar for oauth token storage.