release bug - OL 18.0.0.1 <mpJwt> configuration ignores the jwksUri attribute #3117
Comments
Try this at jwt.io:
You should decipher it into this:
It is issued by auth0.com and the JWK keys are here: https://rhown-dev.auth0.com/.well-known/jwks.json

To your other question: auth0.com has a valid SSL certificate. This should be verifiable out of the box with any JDK distribution and the default cacerts file. Why do I need to import the auth0.com cert file into OL's own keystore file? Also, if the jwksUri signing-key fetch fails, should I not see something in the logs for that? Currently I see nothing.
I should mention that if I download the signing (public) key/certificate and put it in a keystore file, all works out. I am just trying to avoid having to build a keystore file altogether, if possible. Sounds like the JWKS URI is a great way to do that.
Liberty OL acts as a client to make an HTTPS connection to the JWK endpoint. To get HTTPS working, as part of handshaking, the JWK endpoint's certificate must be in OL's trust store. If you have trace enabled, you will see an SSL handshaking exception.
Then maybe this is something to reconsider: auth0.com, okta.com, and many other public auth providers all have valid certificates for their JWKS URLs that should be verifiable with the default JDK root certificates only, with no need for extra work. OL should cascade down to the JDK's default cacerts and not require a new one. The reason I am asking for this is that building a keystore file requires access to the openssl utility (not easily found on Windows) for cert conversion, and is painful in an automated deployment environment.
Are there any planned changes for this issue?
For using JDK's default cacert, see explanation by @acdemyers in issue #4377 |
According to this document, one can utilize the JWKS specification and fetch the signing public key(s) from a URI instead of dealing with keys stored in the keystore file:
I don't think this is working in OL 18.0.0.1: if I configure this JWKS URI in my configuration, I see this failure in the logs:
There are no logs indicating any attempt to download the signing PK from the uri.
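As an added example (not code from this issue or from the Open Liberty project), the server.xml shape the comments above converge on: point `mpJwt` at the Auth0 JWKS endpoint, and give the outbound HTTPS connection a trust store built from the JDK's own cacerts file instead of a hand-built keystore. Assumptions, labelled in the fragment: the feature version, the element ids, the `${java.home}` variable resolving to the running JDK, and the JDK default cacerts password `changeit`. It also assumes a release in which the `jwksUri` attribute is honoured; on 18.0.0.1 the issue reports it is ignored.

```xml
<server description="mpJwt with JWKS fetched over HTTPS (added example, assumptions marked)">
  <featureManager>
    <!-- assumption: feature version; use whatever mpJwt level your release ships -->
    <feature>mpJwt-1.0</feature>
  </featureManager>

  <!-- Liberty's own key store, used for the server's inbound TLS identity.
       Id and password are assumptions for this example. -->
  <keyStore id="defaultKeyStore" password="Liberty" />

  <!-- Trust store backed by the JDK's default CA bundle, so a publicly
       trusted JWKS endpoint (auth0.com, okta.com, ...) verifies without
       importing its certificate. Assumptions: ${java.home} resolves to the
       running JDK, and the bundle still uses the JDK default password. -->
  <keyStore id="jdkCacerts"
            location="${java.home}/lib/security/cacerts"
            type="JKS"
            password="changeit"
            readOnly="true" />

  <!-- SSL configuration for the outbound JWKS fetch: identity from the
       server key store, trust from the JDK bundle. Id is an assumption. -->
  <ssl id="jwksSSL"
       keyStoreRef="defaultKeyStore"
       trustStoreRef="jdkCacerts" />

  <!-- Verify incoming JWTs with keys fetched from the issuer's JWKS URI
       rather than from a key in the keystore. The issuer must match the
       token's "iss" claim exactly (Auth0 issuers carry a trailing slash). -->
  <mpJwt id="auth0Jwt"
         issuer="https://rhown-dev.auth0.com/"
         jwksUri="https://rhown-dev.auth0.com/.well-known/jwks.json"
         sslRef="jwksSSL" />
</server>
```

Two checks worth doing before assuming the fetch works: confirm the key id (`kid`) in the token header appears in the JWKS document served at `jwksUri`, and, as the comment above notes, enable trace if the fetch silently does nothing, since a TLS handshake failure against the JWKS endpoint does not surface in the default logs.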