Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

release bug - OL 18.0.0.1 <mpJwt> configuration ignores the jwksUri attribute #3117

Closed
hrstoyanov opened this issue Apr 13, 2018 · 7 comments

Comments

@hrstoyanov
Copy link

commented Apr 13, 2018

According to this document one can utilize the JWKS specification and fetch the signing public key(s) from a uri, instead of dealing with keys, stored in the keystore file:

<mpJwt 
     id="myMpJwt"
     jwksUri="https://example.com/api/jwk"
    ...
</mpJwt>

I don't think this is working in OL 18.0.0.1: If I configure this JWKS URI in my configuration, i see this failure in the logs:

[4/13/18 13:55:19:352 PDT] 000006b2 com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "com.ibm.websphere.security.jwt.InvalidClaimException: CWWKS6029E: The JSON Web Token (JWT) cannot be validated because a signing key cannot be found. The configured signature algorithm [RS256] requires a key to validate the token. com.ibm.ws.security.jwt.internal.ConsumerImpl 189" at ffdc_18.04.13_13.55.19.0.log
[4/13/18 13:55:19:364 PDT] 000006b2 com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "com.ibm.websphere.security.jwt.InvalidTokenException: CWWKS6031E: The JSON Web Token (JWT) consumer [jwtUserConsumer] cannot process the token string. CWWKS6029E: The JSON Web Token (JWT) cannot be validated because a signing key cannot be found. The configured signature algorithm [RS256] requires a key to validate the token.  com.ibm.ws.security.mp.jwt.tai.TAIJwtUtils 47" at ffdc_18.04.13_13.55.19.1.log
[4/13/18 13:55:19:364 PDT] 000006b2 com.ibm.ws.security.mp.jwt.tai.TAIJwtUtils                   E CWWKS5524E: The MicroProfile JWT feature encountered an error while creating a JWT by using the [jwtUserConsumer] configuration and the token included in the request. CWWKS6031E: The JSON Web Token (JWT) consumer [jwtUserConsumer] cannot process the token string. CWWKS6029E: The JSON Web Token (JWT) cannot be validated because a signing key cannot be found. The configured signature algorithm [RS256] requires a key to validate the token. 
[4/13/18 13:55:19:365 PDT] 000006b2 com.ibm.ws.security.mp.jwt.tai.MicroProfileJwtTAI            E CWWKS5523E: The MicroProfile JWT feature cannot authenticate the request because a valid JWT cannot be created from the token included in the request. CWWKS5524E: The MicroProfile JWT feature encountered an error while creating a JWT by using the [jwtUserConsumer] configuration and the token included in the request. CWWKS6031E: The JSON Web Token (JWT) consumer [jwtUserConsumer] cannot process the token string. CWWKS6029E: The JSON Web Token (JWT) cannot be validated because a signing key cannot be found. The configured signature algorithm [RS256] requires a key to validate the token. 
[4/13/18 13:55:19:443 PDT] 000006b2 .ibm.ws.jaxrs.2.0.common:1.0.20.cl180120180309-2209(id=113)] I Setting the server's publish address to be /rest/

There are no logs indicating any attempt to download the signing PK from the uri.

@chunlongliang-ibm

This comment has been minimized.

Copy link

commented Apr 13, 2018

  1. Do you import JWK endpoint's certificate into Liberty's trust store? This is required for ssl connection.
  2. can you send me a sample JWT and JWK? want to make sure JWK contains "kid" which is included in JWK.
@chunlongliang-ibm chunlongliang-ibm self-assigned this Apr 13, 2018
@hrstoyanov

This comment has been minimized.

Copy link
Author

commented Apr 13, 2018

Try this at jwt.io:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlJETTVNall4TkRrMk1VTkNSVFJGUXpsR01FWTNPRGREUWtWQ05FTTNPRVV4UXpWRFJUazJOQSJ9.eyJpc3MiOiJodHRwczovL3Job3duLWRldi5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NWFjZTlhYTNjODdhNjE0OTRlOTZkNGRkIiwiYXVkIjpbImh0dHBzOi8vd2ViYXBwIiwiaHR0cHM6Ly9yaG93bi1kZXYuYXV0aDAuY29tL3VzZXJpbmZvIl0sImlhdCI6MTUyMzY1NjQ5NCwiZXhwIjoxNTIzNjYzNjk0LCJhenAiOiJpWWdWSEg3VTUzTjdPRnZzM1cxbnZ2UU5za3YzckRrUSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUifQ.IYTlNJyDmhNZrT8RUGp0BTK6iioCSHrwm-5rf_hbUT2Xbrh_2cYqhtxq0n55xWwmqwQZAhDHupRamSVMEXYbQp7Km0CB-w5CYymYEvZ0-23_wUp5C_hFm2dNp_0k7CbS1YngYO4Nh_X5M5mawwTwFXuyxVZLyQ52p1N_6qsryVv8tOGf-BH47HCcgS_4Zra1-UWia4lwTrroO3mdh4kLGXWUBT-RaR8n4IbP5Rd_UE3CSO6G_Z_vOOhYO8EaUkbVDnNFe6cgDScmVvVGnJPBKhQLbu_kUyN1v0g4E6OemPIcdknHya1i4fhGLN_mDZpoOWtpOhoEWrxTljxGMPMlhA

You should decipher it into this:

HEADER
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "RDM5MjYxNDk2MUNCRTRFQzlGMEY3ODdDQkVCNEM3OEUxQzVDRTk2NA"
}
PAYLOAD:
{
  "iss": "https://rhown-dev.auth0.com/",
  "sub": "auth0|5ace9aa3c87a61494e96d4dd",
  "aud": [
    "https://webapp",
    "https://rhown-dev.auth0.com/userinfo"
  ],
  "iat": 1523656494,
  "exp": 1523663694,
  "azp": "iYgVHH7U53N7OFvs3W1nvvQNskv3rDkQ",
  "scope": "openid profile"
}

It is issues by auth0.com and the JWK keys are here: https://rhown-dev.auth0.com/.well-known/jwks.json

To your other question: Auth0.Com has a valid SSL certificate. This should be verifiable out-of-the-box with any JDK distribution and default cacert file. Why do I need to import auth0.com cert file in OL own keystore file???

Also, if the jwksUri signing key fetch fails, should I not see something in the logs for that ? Currently I see nothing

@hrstoyanov

This comment has been minimized.

Copy link
Author

commented Apr 13, 2018

I should mention that If I download the signing (public) key/certificate and put it in a keystore file, all works out. I ma just trying to avoid having to build a keystore file altogether. If possible. Sounds like the JWKS uri is a great way to do that.

@chunlongliang-ibm

This comment has been minimized.

Copy link

commented Apr 13, 2018

Liberty OL as a client to make HTTPS connection to JWK. To get HTTPS working, as part of hand shaking, JWK's certificate must be in OL's trust store. If you have trace enabled, you will see ssl handshaking exception.

@hrstoyanov

This comment has been minimized.

Copy link
Author

commented Apr 13, 2018

Then maybe this is something to reconsider: auth0.com, okta.com, many others public auth providers, all have valid certificates for their JWKS urls that should be verifiable with the default JDK root certificates only, no need for extra work, OL should cascade down to JDK's default cacerts and not require new one.

The reason I am asking for this is because building a keystore file require access to openssl utility (not easily found in Windows) for certs conversion, and is painful in automated deployment environment.

@hrstoyanov

This comment has been minimized.

Copy link
Author

commented Jul 14, 2018

Are there any planned changes for this issue?

@hrstoyanov

This comment has been minimized.

Copy link
Author

commented Jul 30, 2018

For using JDK's default cacert, see explanation by @acdemyers in issue #4377

@hrstoyanov hrstoyanov closed this Jul 30, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.