[jboss-jira] [JBoss JIRA] (WFWIP-294) JWT is rejected if signature matching public key is not first in JWK set
Darran Lofthouse (Jira)
issues at jboss.org
Thu Jan 9 10:47:24 EST 2020
[ https://issues.redhat.com/browse/WFWIP-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13944989#comment-13944989 ]
Darran Lofthouse commented on WFWIP-294:
----------------------------------------
I have just tried updating my quickstart project and I cannot reproduce; here is the branch I am testing: -
https://github.com/darranl/microprofile-jwt/tree/jwks
The following command builds the project and deploys to WildFly: -
mvn install wildfly:deploy
The following command generates a token: -
mvn exec:java -Dexec.mainClass=org.wildfly.quickstarts.mpjwt.TokenUtil -Dexec.classpathScope=test -Dexec.args="testUser 2017-09-15 Echoer Subscriber"
Then the final command is used for the call but with the full token added: -
curl -H "Authorization: Bearer eyJ...59g" http://localhost:8080/microprofile-jwt/rest/secured/hello
> JWT is rejected if signature matching public key is not first in JWK set
> ------------------------------------------------------------------------
>
> Key: WFWIP-294
> URL: https://issues.redhat.com/browse/WFWIP-294
> Project: WildFly WIP
> Issue Type: Bug
> Components: MP JWT
> Reporter: Jan Kasik
> Assignee: Darran Lofthouse
> Priority: Blocker
> Attachments: jwks.json, jwt.base64
>
>
> When the public key on the remote server is configured to be a JWK set, a JWT whose key ID correctly points to the matching public key in the set is rejected if that public key is not in the first position of the set array.
> Attached is a "flawed" key set with "blue-key" placed in the first position of the array, while the JOSE header has {{kid}} set to "orange-key" and the JWT itself is signed by the private key from the "orange" key pair.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
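The behaviour the report describes, as an added example that is not part of the original message, the WildFly/Elytron code base or the quickstart branch linked above: a verifier that always takes keys[0] from the JWK set (the reported bug) next to one that selects the key by the header's kid, pins the algorithm and fails closed when no key matches. It uses only the Go standard library in place of Java; the two keys are generated at run time and the kid values "blue-key"/"orange-key" and the "upn" claim are the only things taken from the issue, so the set and token here are constructed stand-ins, not the attached jwks.json and jwt.base64.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK carries the RFC 7517 fields this example needs for an RSA public key; a JWK set is a slice.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

var b64 = base64.RawURLEncoding

func toJWK(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

func fromJWK(k JWK) (*rsa.PublicKey, error) {
	if k.Kty != "RSA" { return nil, fmt.Errorf("kid %q: unsupported kty %q", k.Kid, k.Kty) }
	n, err := b64.DecodeString(k.N)
	if err != nil { return nil, err }
	e, err := b64.DecodeString(k.E)
	if err != nil { return nil, err }
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// signRS256 produces a compact JWS (header.payload.signature) whose protected header carries kid.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyWithKey checks the signature of a compact JWS against one RSA public key.
func verifyWithKey(token string, pub *rsa.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return fmt.Errorf("malformed compact JWS") }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return err }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// verifyFirstKey reproduces the behaviour reported in WFWIP-294: kid is ignored and keys[0] is always used.
func verifyFirstKey(token string, set []JWK) error {
	if len(set) == 0 { return fmt.Errorf("empty JWK set") }
	pub, err := fromJWK(set[0])
	if err != nil { return err }
	return verifyWithKey(token, pub)
}

// verifyByKid pins alg to RS256, selects the key named by kid, and fails closed when no key matches.
func verifyByKid(token string, set []JWK) error {
	raw, err := b64.DecodeString(strings.Split(token, ".")[0])
	if err != nil { return err }
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(raw, &hdr); err != nil { return err }
	if hdr.Alg != "RS256" { return fmt.Errorf("unexpected alg %q", hdr.Alg) }
	for _, k := range set {
		if k.Kid != hdr.Kid { continue }
		pub, err := fromJWK(k)
		if err != nil { return err }
		return verifyWithKey(token, pub) // no fallback to keys[0] and no "try every key" loop
	}
	return fmt.Errorf("no key with kid %q in JWK set", hdr.Kid)
}

// buildScenario constructs the attachment's layout with keys generated at run time: "blue-key" first in
// the set, "orange-key" second, token signed by the orange private key. It is not the issue's real data.
func buildScenario() (string, []JWK, error) {
	blue, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return "", nil, err }
	orange, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return "", nil, err }
	set := []JWK{toJWK("blue-key", &blue.PublicKey), toJWK("orange-key", &orange.PublicKey)}
	token, err := signRS256(orange, "orange-key", map[string]interface{}{"upn": "testUser"})
	return token, set, err
}

func main() {
	token, set, err := buildScenario()
	if err != nil { panic(err) }
	fmt.Println("keys[0] only:", verifyFirstKey(token, set), "| by kid:", verifyByKid(token, set))
}
```

Two points a practitioner should carry over from verifyByKid regardless of language: kid is attacker-controlled header data, so it may only select among keys the verifier already trusts (never fetch or accept a key because the header named it), and a kid that matches nothing must be an error rather than a silent fallback to the first key or a loop over every key in the set, since both of those turn a key-identification bug into a quieter key-confusion one. Pinning alg on the verifier side, independently of what the header claims, closes the related algorithm-confusion class.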