[jboss-jira] [JBoss JIRA] (WFWIP-293) Current implementation of MP-JWT doesn't require claims which should be required
Darran Lofthouse (Jira)
issues at jboss.org
Thu Jan 9 04:41:03 EST 2020
[ https://issues.redhat.com/browse/WFWIP-293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13944525#comment-13944525 ]
Darran Lofthouse commented on WFWIP-293:
----------------------------------------
[~jkasik] I think this one needs to be rejected, after investigating this one and attempting to implement a fix there is clearly some ambiguity within the specification that needs to be clarified. Most importantly this behaviour is within SmallRye JWT which is already being used within both Thorntail and Quarkus.
After attempting to make the complete set of required claims (Except "upn" which has a defined fallback strategy) firstly the SmallRye JWT testsuite fails due to missing claims (if that was the only failure obviously the correct step would be to fix those tests) - I then execute the MicroProfile JWT TCK with the change and the majority of the tests subsequently fail so even the TCK is not sending in the "required" set of claims.
At this stage I don't think it is a good strategy to make this complete set required, JWT token authentication is very much about interoperability so releasing a strict implementation I believe will cause more problems than it solves.
The following issue actually already exists against the specification: -
https://github.com/eclipse/microprofile-jwt-auth/issues/128
Also the following issue is questioning the "required" status of the groups claim: -
https://github.com/eclipse/microprofile-jwt-auth/issues/129
So instead of an immediate code change I am going to see if we can kick start some discussions to evolve the JWT specification and hopefully in the not too distant future have a spec with clarifications applied.
> Current implementation of MP-JWT doesn't require claims which should be required
> --------------------------------------------------------------------------------
>
> Key: WFWIP-293
> URL: https://issues.redhat.com/browse/WFWIP-293
> Project: WildFly WIP
> Issue Type: Bug
> Components: MP JWT
> Reporter: Jan Kasik
> Assignee: Darran Lofthouse
> Priority: Critical
>
> Chapter 4.1 of MP-JWT 1.1 recommends minimal set of JWT claims which should be required.
> Current implementation doesn't check for following claims and returns 200/OK if they are missing:
> * {{upn}}
> * {{jti}}
> * {{groups}}
> * {{iat}}
> * {{sub}}
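To make the reported gap concrete, here is an added stand-alone illustration (not SmallRye JWT or WildFly code) of the strict claim check the issue asks for: it decodes a compact JWS payload, applies the "upn" fallback the spec defines (upn, then preferred_username, then sub) and lists which of the remaining required claims are absent. The tokens are constructed in the block with an empty signature segment; signature verification is assumed to have happened before this check runs.

```python
import base64
import json

# Claims the issue lists as required by MP-JWT 1.1 chapter 4.1.
# "upn" is handled separately because the spec defines a fallback for it.
REQUIRED_CLAIMS = ("jti", "groups", "iat", "sub")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed token for exercising the claim check only: the third
    (signature) segment is left empty, so it would never pass verification."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))


def resolve_upn(claims: dict):
    """MP-JWT fallback order for the principal name."""
    for name in ("upn", "preferred_username", "sub"):
        if name in claims:
            return claims[name]
    return None


def missing_required_claims(claims: dict) -> list:
    """Names of required claims that are absent; empty list means the token
    satisfies the strict interpretation of the spec."""
    missing = [name for name in REQUIRED_CLAIMS if name not in claims]
    if resolve_upn(claims) is None:
        missing.append("upn")
    return missing


# Constructed sample payloads: one complete, one like the tokens the issue
# reports being accepted today (no jti, groups or iat).
FULL_TOKEN = make_unsigned_token({"iss": "https://issuer.example", "sub": "jdoe",
    "upn": "jdoe@example.com", "jti": "a-1", "iat": 1578570000,
    "exp": 1578573600, "groups": ["Echoer"]})
SPARSE_TOKEN = make_unsigned_token({"iss": "https://issuer.example",
    "sub": "jdoe", "exp": 1578573600})
```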