release bug - OL 18.0.0.1 <mpJwt> configuration ignores the jwksUri attribute

[hrstoyanov]

According to this document one can utilize the JWKS specification and fetch the signing public key(s) from a uri, instead of dealing with keys, stored in the keystore file:

<mpJwt 
     id="myMpJwt"
     jwksUri="https://example.com/api/jwk"
    ...
</mpJwt>

I don't think this is working in OL 18.0.0.1: If I configure this JWKS URI in my configuration, i see this failure in the logs:

[4/13/18 13:55:19:352 PDT] 000006b2 com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "com.ibm.websphere.security.jwt.InvalidClaimException: CWWKS6029E: The JSON Web Token (JWT) cannot be validated because a signing key cannot be found. The configured signature algorithm [RS256] requires a key to validate the token. com.ibm.ws.security.jwt.internal.ConsumerImpl 189" at ffdc_18.04.13_13.55.19.0.log
[4/13/18 13:55:19:364 PDT] 000006b2 com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "com.ibm.websphere.security.jwt.InvalidTokenException: CWWKS6031E: The JSON Web Token (JWT) consumer [jwtUserConsumer] cannot process the token string. CWWKS6029E: The JSON Web Token (JWT) cannot be validated because a signing key cannot be found. The configured signature algorithm [RS256] requires a key to validate the token.  com.ibm.ws.security.mp.jwt.tai.TAIJwtUtils 47" at ffdc_18.04.13_13.55.19.1.log
[4/13/18 13:55:19:364 PDT] 000006b2 com.ibm.ws.security.mp.jwt.tai.TAIJwtUtils                   E CWWKS5524E: The MicroProfile JWT feature encountered an error while creating a JWT by using the [jwtUserConsumer] configuration and the token included in the request. CWWKS6031E: The JSON Web Token (JWT) consumer [jwtUserConsumer] cannot process the token string. CWWKS6029E: The JSON Web Token (JWT) cannot be validated because a signing key cannot be found. The configured signature algorithm [RS256] requires a key to validate the token. 
[4/13/18 13:55:19:365 PDT] 000006b2 com.ibm.ws.security.mp.jwt.tai.MicroProfileJwtTAI            E CWWKS5523E: The MicroProfile JWT feature cannot authenticate the request because a valid JWT cannot be created from the token included in the request. CWWKS5524E: The MicroProfile JWT feature encountered an error while creating a JWT by using the [jwtUserConsumer] configuration and the token included in the request. CWWKS6031E: The JSON Web Token (JWT) consumer [jwtUserConsumer] cannot process the token string. CWWKS6029E: The JSON Web Token (JWT) cannot be validated because a signing key cannot be found. The configured signature algorithm [RS256] requires a key to validate the token. 
[4/13/18 13:55:19:443 PDT] 000006b2 .ibm.ws.jaxrs.2.0.common:1.0.20.cl180120180309-2209(id=113)] I Setting the server's publish address to be /rest/

There are no logs indicating any attempt to download the signing PK from the uri.

[chunlongliang-ibm]

1. Do you import JWK endpoint's certificate into Liberty's trust store? This is required for ssl connection.
2. can you send me a sample JWT and JWK? want to make sure JWK contains "kid" which is included in JWK.

[hrstoyanov]

Try this at jwt.io:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlJETTVNall4TkRrMk1VTkNSVFJGUXpsR01FWTNPRGREUWtWQ05FTTNPRVV4UXpWRFJUazJOQSJ9.eyJpc3MiOiJodHRwczovL3Job3duLWRldi5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NWFjZTlhYTNjODdhNjE0OTRlOTZkNGRkIiwiYXVkIjpbImh0dHBzOi8vd2ViYXBwIiwiaHR0cHM6Ly9yaG93bi1kZXYuYXV0aDAuY29tL3VzZXJpbmZvIl0sImlhdCI6MTUyMzY1NjQ5NCwiZXhwIjoxNTIzNjYzNjk0LCJhenAiOiJpWWdWSEg3VTUzTjdPRnZzM1cxbnZ2UU5za3YzckRrUSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUifQ.IYTlNJyDmhNZrT8RUGp0BTK6iioCSHrwm-5rf_hbUT2Xbrh_2cYqhtxq0n55xWwmqwQZAhDHupRamSVMEXYbQp7Km0CB-w5CYymYEvZ0-23_wUp5C_hFm2dNp_0k7CbS1YngYO4Nh_X5M5mawwTwFXuyxVZLyQ52p1N_6qsryVv8tOGf-BH47HCcgS_4Zra1-UWia4lwTrroO3mdh4kLGXWUBT-RaR8n4IbP5Rd_UE3CSO6G_Z_vOOhYO8EaUkbVDnNFe6cgDScmVvVGnJPBKhQLbu_kUyN1v0g4E6OemPIcdknHya1i4fhGLN_mDZpoOWtpOhoEWrxTljxGMPMlhA

You should decipher it into this:

HEADER
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "RDM5MjYxNDk2MUNCRTRFQzlGMEY3ODdDQkVCNEM3OEUxQzVDRTk2NA"
}
PAYLOAD:
{
  "iss": "https://rhown-dev.auth0.com/",
  "sub": "auth0|5ace9aa3c87a61494e96d4dd",
  "aud": [
    "https://webapp",
    "https://rhown-dev.auth0.com/userinfo"
  ],
  "iat": 1523656494,
  "exp": 1523663694,
  "azp": "iYgVHH7U53N7OFvs3W1nvvQNskv3rDkQ",
  "scope": "openid profile"
}

It is issues by auth0.com and the JWK keys are here: https://rhown-dev.auth0.com/.well-known/jwks.json

To your other question: Auth0.Com has a valid SSL certificate. This should be verifiable out-of-the-box with any JDK distribution and default cacert file. Why do I need to import auth0.com cert file in OL own keystore file???

Also, if the jwksUri signing key fetch fails, should I not see something in the logs for that ? Currently I see nothing

[hrstoyanov]

I should mention that If I download the signing (public) key/certificate and put it in a keystore file, all works out. I ma just trying to avoid having to build a keystore file altogether. If possible. Sounds like the JWKS uri is a great way to do that.

[chunlongliang-ibm]

Liberty OL as a client to make HTTPS connection to JWK. To get HTTPS working, as part of hand shaking, JWK's certificate must be in OL's trust store. If you have trace enabled, you will see ssl handshaking exception.

[hrstoyanov]

Then maybe this is something to reconsider: auth0.com, okta.com, many others public auth providers, all have valid certificates for their JWKS urls that should be verifiable with the default JDK root certificates only, no need for extra work, OL should cascade down to JDK's default cacerts and not require new one.

The reason I am asking for this is because building a keystore file require access to openssl utility (not easily found in Windows) for certs conversion, and is painful in automated deployment environment.

[hrstoyanov]

Are there any planned changes for this issue?

[hrstoyanov]

For using JDK's default cacert, see explanation by @acdemyers in issue #4377