JBoss Enterprise Application Platform - JBEAP-11109

Elytron token-realm doesn't support unsigned tokens


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 7.1.0.ER1
    • 7.1.0.DR18
    • Security

      Verification of JWT tokens with empty signature part fails in Elytron.

      The Elytron token-realm can be configured not to verify the JWT token signature.

      /subsystem=elytron/token-realm=JwtRealm:add(jwt={})
      

      The JWT specification describes tokens without a signature in RFC 7519 Section 6.

      When a user comes with such a token, the validation in Elytron fails.

      Sample token:

      eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc3MiOiJpc3N1ZXIud2lsZGZseS5vcmciLCJzdWIiOiJlbHl0cm9uQHdpbGRmbHkub3JnIiwiZXhwIjoyMDUxMjIyMzk5LCJhdWQiOiJlbHl0cm9uLXRlc3QifQ.
      
      Header:
      {
        "alg": "none",
        "typ": "JWT"
      }
      
      Payload:
      {
        "iss": "issuer.wildfly.org",
        "sub": "elytron@wildfly.org",
        "exp": 2051222399,
        "aud": "elytron-test"
      }
      

      The problem is probably in this piece of code in JwtValidator class:

              String[] parts = jwt.split("\\.");
      
              if (parts.length < 3) {
                  throw log.tokenRealmJwtInvalidFormat();
              }
      

      Even if the token correctly contains 2 dots, the split returns an array of length 2 (because the last part is empty). An additional negative-integer limit argument to the split() method could help here:

      jwt.split("\\.", -1);
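As an added illustration, not Elytron's own JwtValidator code, the following Java class reproduces the split() behaviour on the sample token above and shows the policy a validator should apply: an unsigned token is only acceptable when the realm is configured without signature verification. The class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Pattern;

/** Added example, not Elytron's JwtValidator: shows why split("\\.") loses the empty
 *  signature part and how a validator should treat an "alg":"none" token. */
public class UnsignedJwtExample {

    // Constructed sample: the unsigned token quoted in the issue description.
    static final String UNSIGNED_JWT =
        "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
      + "eyJpc3MiOiJpc3N1ZXIud2lsZGZseS5vcmciLCJzdWIiOiJlbHl0cm9uQHdpbGRmbHkub3JnIiwi"
      + "ZXhwIjoyMDUxMjIyMzk5LCJhdWQiOiJlbHl0cm9uLXRlc3QifQ.";

    private static final Pattern ALG_NONE = Pattern.compile("\"alg\"\\s*:\\s*\"none\"");

    /** Splits a compact JWS into its three parts, keeping a trailing empty signature. */
    static String[] splitCompact(String jwt) {
        // limit -1 keeps trailing empty strings; the default limit (0) drops them,
        // so "header.payload." would otherwise yield only two parts
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 parts, got " + parts.length);
        }
        return parts;
    }

    /**
     * Structural and signature-policy check. verifySignature=false models a realm
     * configured with jwt={} (no keys); only then is an unsigned token acceptable.
     * Claim checks (exp, iss, aud) and real signature verification are out of scope.
     */
    static boolean passesSignaturePolicy(String jwt, boolean verifySignature) {
        String[] parts = splitCompact(jwt);
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        boolean unsigned = ALG_NONE.matcher(header).find() || parts[2].isEmpty();
        // when verification is required, the token's own "alg" header must never switch it off
        return !verifySignature || !unsigned;
    }

    public static void main(String[] args) {
        System.out.println("default split parts: " + UNSIGNED_JWT.split("\\.").length);
        System.out.println("limit -1 split parts: " + splitCompact(UNSIGNED_JWT).length);
        System.out.println("accepted, verification off: " + passesSignaturePolicy(UNSIGNED_JWT, false));
        System.out.println("accepted, verification on: " + passesSignaturePolicy(UNSIGNED_JWT, true));
    }
}
```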
      

              jkalina@redhat.com Jan Kalina (Inactive)
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Ondrej Kotek Ondrej Kotek