
500 GSI Runtime Exception: null on mTLS handshake on Gematik IDP PAR_Auth request #107

Closed
henryallsuch opened this issue Oct 18, 2024 · 3 comments


@henryallsuch

After mTLS has become required, we are getting this response on 0.15.1

TU

{"time":"2024-10-18T11:15:09.564525333Z","severity":"DEBUG","logger":"com.oviva.ehealthid.relyingparty.util.LoggingHttpClient","message":"response: POST https://gsi-mtls.dev.gematik.solutions/PAR_Auth 500","thread_name":"XNIO-1 task-2","serviceContext":{"service":"ehealthid-rp","version":"0.15.1"},"url":"https://gsi-mtls.dev.gematik.solutions/PAR_Auth","status":"500","headers":":status: 500\ncontent-security-policy: default-src 'self' http: https: data: blob: 'unsafe-inline'\ncontent-type: application/json;charset=utf-8\ndate: Fri, 18 Oct 2024 11:15:09 GMT\nserver: nginx","method":"POST","body":"{\"error\":\"invalid_request\",\"error_description\":\"GSI Runtime Exception: null\"}"}

RU

{"time":"2024-10-18T11:25:53.834046929Z","severity":"DEBUG","logger":"com.oviva.ehealthid.relyingparty.util.LoggingHttpClient","message":"response: POST https://gsi-ref-mtls.dev.gematik.solutions/PAR_Auth 500","thread_name":"XNIO-1 task-2","serviceContext":{"service":"ehealthid-rp","version":"0.0.1-SNAPSHOT"},"url":"https://gsi-ref-mtls.dev.gematik.solutions/PAR_Auth","status":"500","headers":":status: 500\ncontent-security-policy: default-src 'self' http: https: data: blob: 'unsafe-inline'\ncontent-type: application/json;charset=utf-8\ndate: Fri, 18 Oct 2024 11:25:53 GMT\nserver: nginx","method":"POST","body":"{\"error\":\"invalid_request\",\"error_description\":\"GSI Runtime Exception: null\"}"}

Any idea what could be causing this error?

@thomasrichner-oviva
Contributor

Currently the mTLS client certificate is generated on boot. I've seen similar things when the Gematik IDP has cached something older.

Can you give it an hour or two and check again? Sometimes it takes up to 24h :/

The IDPs also tend to not honor the entity-statement expiries.

Probably it would be useful to store the generated keys on disk or similar for the future.

@thomasrichner-oviva
Contributor

There are currently two issues with the Gematik IdP:

  • caching of certificates is not honored, so you might get caching issues
  • the id_token contains claims that differ in type from the official standard, specifically the amr claim is a plain string

Both will be addressed soon.

@thomasrichner-oviva
Contributor

Update:

  • Caching is/will not be honored soon. Probably we need to find a workaround.
  • amr id_token fixes should come this or next week
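An added example (not code from ehealthid-rp or Gematik) of how a relying party can tolerate the string-typed amr claim described in the two comments above while still rejecting any other shape. It assumes the id_token claims have already been signature-checked and decoded into a Map, as JWT libraries typically expose them; the claim values in main are constructed.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

/**
 * Normalises the id_token "amr" claim to an immutable list of strings.
 * OIDC Core defines amr as a JSON array of strings; the Gematik IdP
 * currently sends a plain string, so both shapes are accepted here and
 * everything else is rejected rather than silently ignored.
 */
public final class AmrClaim {

    public static List<String> normalize(Map<String, Object> claims) {
        Object raw = claims.get("amr");
        if (raw == null) {
            return Collections.emptyList(); // amr is optional per OIDC Core
        }
        if (raw instanceof String single) {
            return List.of(single); // non-standard single-string form
        }
        if (raw instanceof List<?> entries) {
            List<String> out = new ArrayList<>();
            for (Object entry : entries) {
                if (!(entry instanceof String method)) {
                    throw new IllegalArgumentException("amr entry is not a string: " + entry);
                }
                out.add(method);
            }
            return Collections.unmodifiableList(out);
        }
        throw new IllegalArgumentException(
            "amr must be a string or an array of strings, got " + raw.getClass().getSimpleName());
    }

    public static void main(String[] args) {
        // Constructed sample claims, not real Gematik tokens or amr values.
        System.out.println(normalize(Map.<String, Object>of("amr", "urn:example:auth:egk")));
        System.out.println(normalize(Map.<String, Object>of("amr", List.of("urn:example:auth:egk", "mfa"))));
        System.out.println(normalize(Map.<String, Object>of("sub", "constructed-subject")));
    }
}
```

Whatever policy the relying party applies to authentication methods afterwards can then work on the normalised list without caring which shape the IdP sent.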
