Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.Beta48
    • Component/s: None
    • Labels:
      None

      Description

      Verification of JWT tokens with an empty signature part fails in Elytron.

      The Elytron token-realm can be configured to not verify the JWT token signature:

      /subsystem=elytron/token-realm=JwtRealm:add(jwt={})
      

      The JWT specification describes tokens without a signature in RFC 7519 Section 6.

      When a user presents such a token, validation in Elytron fails.

      Sample token:

      eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc3MiOiJpc3N1ZXIud2lsZGZseS5vcmciLCJzdWIiOiJlbHl0cm9uQHdpbGRmbHkub3JnIiwiZXhwIjoyMDUxMjIyMzk5LCJhdWQiOiJlbHl0cm9uLXRlc3QifQ.
      
      Header:
      {
        "alg": "none",
        "typ": "JWT"
      }
      
      Payload:
      {
        "iss": "issuer.wildfly.org",
        "sub": "elytron@wildfly.org",
        "exp": 2051222399,
        "aud": "elytron-test"
      }
      

      The problem is probably in this piece of code in JwtValidator class:

              String[] parts = jwt.split("\\.");
      
              if (parts.length < 3) {
                  throw log.tokenRealmJwtInvalidFormat();
              }
      

      Even though the token correctly contains two dots, split() returns an array of length 2, because the trailing empty part is dropped. Passing an additional negative-integer limit argument to split() could help here:

      jwt.split("\\.", -1);
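      As an added example (not code from this issue or from Elytron itself), the following Java program runs both forms of split() on the sample token above and parses it with a hypothetical splitJwt helper that keeps the empty signature part, while still rejecting an unsigned token when the realm is configured to verify signatures. The splitJwt helper, its verifySignature flag and the class name are assumptions, not Elytron API.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JwtSplitDemo {
    // Sample unsecured JWT from this issue: alg "none", empty third (signature) part.
    static final String TOKEN =
        "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
        + "eyJpc3MiOiJpc3N1ZXIud2lsZGZseS5vcmciLCJzdWIiOiJlbHl0cm9uQHdpbGRmbHkub3JnIiwiZXhwIjoyMDUxMjIyMzk5LCJhdWQiOiJlbHl0cm9uLXRlc3QifQ.";

    // Default split(): trailing empty strings are removed, so the empty signature
    // disappears and the "parts.length < 3" check quoted from JwtValidator rejects the token.
    static int partsWithDefaultSplit(String jwt) {
        return jwt.split("\\.").length;
    }

    // Hypothetical helper (not Elytron API): split with limit -1 so the empty signature
    // part survives, then apply the structural check (compact JWS has exactly three parts).
    // An empty signature is only acceptable when the realm is configured not to verify
    // signatures, as in the jwt={} configuration above; otherwise it is rejected here.
    static String[] splitJwt(String jwt, boolean verifySignature) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("invalid JWT format: " + parts.length + " parts");
        }
        if (verifySignature && parts[2].isEmpty()) {
            throw new IllegalArgumentException("signature required but token is unsecured");
        }
        return parts;
    }

    // JWT segments are base64url without '=' padding; Java's URL decoder accepts that.
    static String decodeSegment(String segment) {
        return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        System.out.println("default split parts:       " + partsWithDefaultSplit(TOKEN));
        String[] parts = splitJwt(TOKEN, false);   // realm configured to skip signature check
        System.out.println("split with limit -1 parts: " + parts.length);
        System.out.println("header:    " + decodeSegment(parts[0]));
        System.out.println("payload:   " + decodeSegment(parts[1]));
        System.out.println("signature: \"" + parts[2] + "\"");
        try {
            splitJwt(TOKEN, true);                 // realm that does verify signatures
        } catch (IllegalArgumentException e) {
            System.out.println("with verification on: " + e.getMessage());
        }
    }
}
```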
      

                People

                • Assignee:
                  honza889 Jan Kalina
                • Reporter:
                  jcacek Josef Cacek
                • Votes:
                  0
                • Watchers:
                  1
