
JWT access token inbound propagation fails when a JWT sent as segments starts with "Bearer" #19673

Closed
teddyjtorres opened this issue Dec 20, 2021 · 0 comments
Labels: release bug (This bug is present in a released version of Open Liberty), release:22003, team:Security SSO

Comments


teddyjtorres commented Dec 20, 2021

Describe the bug
JWT access token inbound propagation fails when a JWT sent as segments starts with "Bearer".
Liberty has support to accept multiple headers from WebSeal that include portions of a JWT access token. The first header, "Authorization-segments", for example, indicates how many "n" segments follow. The rest of the headers "Authorization-1" through "Authorization-n" contain the JWT access token. When "Authorization-1" starts with "Bearer", the access token cannot be parsed correctly for inbound propagation.


The stack trace is similar to,

.ibm.ws.security.openidconnect.client.jose4j.util.Jose4jUtil 3 Get exception
org.jose4j.jwt.consumer.InvalidJwtException: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.JoseException: Parsing error: org.jose4j.json.internal.json_simple.parser.ParseException: Unexpected character (\u0005) at position 0.): Bearer <token value ... ...>
...
at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:413)
at com.ibm.ws.security.openidconnect.client.jose4j.util.Jose4jUtil.parseJwtWithoutValidation(Jose4jUtil.java:290)
at com.ibm.ws.security.openidconnect.client.jose4j.util.Jose4jUtil.createResultWithJose4JForJwt(Jose4jUtil.java:414)
at com.ibm.ws.security.openidconnect.client.AccessTokenAuthenticator.parseJwtToken(AccessTokenAuthenticator.java:455)
at com.ibm.ws.security.openidconnect.client.AccessTokenAuthenticator.authenticate(AccessTokenAuthenticator.java:136)
at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.authenticate(OidcClientImpl.java:404)
at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.authenticate(OidcClientImpl.java:360)
at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.authenticate(OidcClientImpl.java:310)
at com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy.handleOidcClient(WebProviderAuthenticatorProxy.java:602)
at com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy.authenticate(WebProviderAuthenticatorProxy.java:461)
...

Caused by: org.jose4j.lang.JoseException: Parsing error: org.jose4j.json.internal.json_simple.parser.ParseException: Unexpected character (\u0005) at position 0.
at org.jose4j.json.JsonUtil.parseJson(JsonUtil.java:66)
at org.jose4j.jwx.Headers.setEncodedHeader(Headers.java:117)
at org.jose4j.jwx.JsonWebStructure.setEncodedHeader(JsonWebStructure.java:127)
at org.jose4j.jws.JsonWebSignature.setCompactSerializationParts(JsonWebSignature.java:110)
at org.jose4j.jwx.JsonWebStructure.fromCompactSerialization(JsonWebStructure.java:94)
at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:327)
... 39 more

Caused by: org.jose4j.json.internal.json_simple.parser.ParseException: Unexpected character (\u0005) at position 0.
at org.jose4j.json.internal.json_simple.parser.Yylex.yylex(Yylex.java:612)
at org.jose4j.json.internal.json_simple.parser.JSONParser.nextToken(JSONParser.java:269)
at org.jose4j.json.internal.json_simple.parser.JSONParser.parse(JSONParser.java:118)
at org.jose4j.json.internal.json_simple.parser.JSONParser.parse(JSONParser.java:81)
at org.jose4j.json.JsonUtil.parseJson(JsonUtil.java:62)
... 44 more

Steps to Reproduce

  1. Configure inbound propagation as documented in https://www.ibm.com/docs/en/was-liberty/nd?topic=connect-configuring-json-web-token-authentication-openid
  2. Create a request with an "Authorization-segments" header indicating how many "n" segments follow. Create the rest of the headers, with "Authorization-segments-1" starting with "Bearer" and some token value, and the remaining headers through "Authorization-segments-n" containing the rest of the portions of the JWT access token.

Expected behavior

If JWT segments are sent and the first header, "Authorization-segments-1", starts with "Bearer", it should be processed correctly, as when a JWT is sent using the "Authorization: Bearer " header.

Diagnostic information:

  • OpenLiberty Version:
  • Affected feature(s) openidConnectClient-1.0
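The header reassembly and scheme stripping this issue asks for, written out as an added Python example. This is not Open Liberty's or jose4j's code: the header names follow the issue's description of the WebSEAL scheme, and the HS256 secret, claims and request are constructed. The example also shows why the unstripped value fails in a JOSE parser: a parser that takes everything before the first "." as the encoded header base64url-decodes "Bear" to the bytes 05 E6 AB, which is the "Unexpected character (\u0005) at position 0" in the stack trace above. It goes beyond the issue in also accepting a plain Authorization header and a segmented token sent without the scheme.

```python
"""Reassemble a JWT split across Authorization-segments / Authorization-1..n,
strip the Bearer scheme only after reassembly, then verify the token.
Everything here is constructed for illustration (header names as described in
the issue; secret, claims and request are made up)."""

import base64
import hashlib
import hmac
import json
import re

SECRET = b"constructed-demo-secret-not-for-production"  # constructed


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Strict alphabet check: a lenient decoder silently drops the space in
    # "Bearer eyJ..." and hides the real cause behind a JSON parse error.
    if not re.fullmatch(r"[A-Za-z0-9_-]*", text):
        raise ValueError("not base64url: %r" % text[:16])
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_jwt() -> str:
    """Constructed HS256 token standing in for the proxy-issued access token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps({"iss": "https://idp.example", "sub": "alice"}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def split_into_headers(token: str, chunk: int) -> dict:
    """Emulate the proxy: 'Bearer <token>' sliced into Authorization-1..n plus a count."""
    raw = "Bearer " + token
    parts = [raw[i:i + chunk] for i in range(0, len(raw), chunk)]
    headers = {"Authorization-segments": str(len(parts))}
    for i, part in enumerate(parts, start=1):
        headers[f"Authorization-{i}"] = part
    return headers


def reassemble_authorization(headers: dict) -> str:
    """Concatenate Authorization-1..n in order; fall back to a plain Authorization header."""
    lookup = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    count_str = lookup.get("authorization-segments")
    if count_str is None:
        return lookup.get("authorization", "")
    count = int(count_str)
    if count < 1:
        raise ValueError("Authorization-segments must be >= 1")
    segments = []
    for i in range(1, count + 1):
        seg = lookup.get(f"authorization-{i}")
        if seg is None:
            raise ValueError(f"missing header Authorization-{i}")
        segments.append(seg)
    return "".join(segments)


def extract_token(raw: str) -> str:
    """Strip an optional, case-insensitive (RFC 6750) 'Bearer' scheme. Done after
    reassembly, because a segment boundary may fall inside 'Bearer '."""
    m = re.fullmatch(r"(?:bearer\s+)?(\S+)", raw.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("empty or malformed Authorization value")
    return m.group(1)


def parse_jose_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 JWS segments, got %d" % len(parts))
    return json.loads(b64url_decode(parts[0]))


def verify_hs256(token: str) -> dict:
    header = parse_jose_header(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def authenticate(headers: dict) -> dict:
    """Full inbound path: reassemble, strip scheme, verify, return claims."""
    return verify_hs256(extract_token(reassemble_authorization(headers)))


def header_parse_fails(raw_value: str) -> bool:
    """True when a value handed to the JOSE parser unstripped (the bug) is rejected."""
    try:
        parse_jose_header(raw_value)
    except ValueError:
        return True
    return False


def misparsed_leading_bytes(raw_value: str) -> bytes:
    """What a JOSE parser decodes if given 'Bearer ...' as the header segment:
    'Bear' -> 05 E6 AB, matching the \\u0005 at position 0 in the issue's trace."""
    return b64url_decode(raw_value[:4])
```

Running `authenticate(split_into_headers(make_sample_jwt(), 3))` works even though the 3-character chunking splits "Bearer" itself across two headers, which is why the scheme must be stripped from the concatenated value rather than from the first segment alone.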

@teddyjtorres teddyjtorres added the release bug This bug is present in a released version of Open Liberty label Dec 20, 2021
@teddyjtorres teddyjtorres added this to Backlog in Security SSO Dec 20, 2021
@teddyjtorres teddyjtorres changed the title JWT access token inbound propagation fails when a JWT sent as segments start with "Bearer" JWT access token inbound propagation fails when a JWT sent as segments starts with "Bearer" Dec 20, 2021
@ayoho ayoho moved this from Backlog to Current Iteration in Security SSO Jan 10, 2022
teddyjtorres added a commit that referenced this issue Feb 1, 2022
Properly extract Bearer token from multiple HTTP headers for issue #19673
Security SSO automation moved this from Current Iteration to Done Feb 3, 2022