Bug
Resolution: Done
Blocker
Verification of JWT tokens with empty signature part fails in Elytron.
The Elytron token-realm can be configured to not verify JWT token signature.
/subsystem=elytron/token-realm=JwtRealm:add(jwt={})
The JWT specification describes tokens without signature in RFC 7519 Section 6.
When a user presents such a token, validation in Elytron fails.
Sample token:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc3MiOiJpc3N1ZXIud2lsZGZseS5vcmciLCJzdWIiOiJlbHl0cm9uQHdpbGRmbHkub3JnIiwiZXhwIjoyMDUxMjIyMzk5LCJhdWQiOiJlbHl0cm9uLXRlc3QifQ.
Header: { "alg": "none", "typ": "JWT" }
Payload: { "iss": "issuer.wildfly.org", "sub": "elytron@wildfly.org", "exp": 2051222399, "aud": "elytron-test" }
The problem is probably in this piece of code in the JwtValidator class:
    String[] parts = jwt.split("\\.");
    if (parts.length < 3) {
        throw log.tokenRealmJwtInvalidFormat();
    }
Even though the token correctly contains two dots, split() returns an array of length 2, because the trailing empty string (the empty signature part) is discarded. Passing a negative limit as the second argument to split() keeps trailing empty strings and could help here:
    jwt.split("\\.", -1);
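As an added example (not Elytron's own JwtValidator code), the Java class below shows the split() difference on the sample token from this report, and a defender-side check that accepts the empty signature only when the realm has explicitly been configured to skip verification, as with jwt={}. The class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example for this report; not Elytron's JwtValidator.
public class UnsignedJwtSplitDemo {

    // Sample token from the report: header.payload. with an empty signature segment.
    static final String SAMPLE_TOKEN =
        "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
        + "eyJpc3MiOiJpc3N1ZXIud2lsZGZseS5vcmciLCJzdWIiOiJlbHl0cm9uQHdpbGRmbHkub3JnIiwiZXhwIjoyMDUxMjIyMzk5LCJhdWQiOiJlbHl0cm9uLXRlc3QifQ.";

    /** Splits a compact token into its three segments without dropping a trailing empty signature. */
    static String[] splitCompact(String jwt) {
        // split("\\.") discards trailing empty strings, so "h.p." yields 2 parts and the
        // format check quoted in the report fails. A negative limit keeps every segment.
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 segments, got " + parts.length);
        }
        return parts;
    }

    static String decodeSegment(String segment) {
        // JWT segments are base64url without padding; Java's URL decoder accepts unpadded input.
        return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    /** Rejects an unsigned token unless the realm is configured to skip signature verification. */
    static void enforceSignaturePolicy(String jwt, boolean verificationDisabled) {
        String[] parts = splitCompact(jwt);
        // Hypothetical simplification: a real validator parses the header as JSON.
        String header = decodeSegment(parts[0]).replace(" ", "");
        boolean unsigned = parts[2].isEmpty() || header.contains("\"alg\":\"none\"");
        if (unsigned && !verificationDisabled) {
            throw new SecurityException("unsigned token rejected: signature verification is enabled");
        }
        // Signed tokens continue to the realm's normal signature verification (not shown here).
    }

    public static void main(String[] args) {
        System.out.println("split without limit: " + SAMPLE_TOKEN.split("\\.").length + " parts");
        System.out.println("split with -1 limit: " + SAMPLE_TOKEN.split("\\.", -1).length + " parts");
        System.out.println("payload: " + decodeSegment(splitCompact(SAMPLE_TOKEN)[1]));
        enforceSignaturePolicy(SAMPLE_TOKEN, true);   // realm configured with jwt={}: accepted
        try {
            enforceSignaturePolicy(SAMPLE_TOKEN, false); // verification enabled: rejected
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```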
Clones: JBEAP-11109 Elytron token-realm doesn't support unsigned tokens (Closed)