Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 3.14.0.Final, 4.6.0.Final
Affects Version/s: None
Component/s: None
Labels:
None

Description

Hi,

It looks like even the latest code at https://github.com/resteasy/Resteasy/blob/master/security/jose-jwt/src/main/java/org/jboss/resteasy/jose/jws/ does not follow the RFC 7519 (JWT) specification correctly when it comes to signing. The RFC 7519 specification refers to the RFC 7515 specification (JWS) which states that the JWS Signing Input is "ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' ||
BASE64URL(JWS Payload))". But Resteasy only signs the raw JWS Payload. This can obviously lead to serious problems, when a signed JWT is transferred between two parties and one of them is using Resteasy while the other is using a RFC 7519 compliant implementation.

Fixing this issue should be fairly simple, in fact one could refer to the keycloak implementation where the issue has already been fixed: https://github.com/keycloak/keycloak/commit/0636cd898f064cf1b36e153ca1ad5c99cd6b6d91

Attachments

Issue Links

is incorporated by

WFLY-13999 Upgrade RESTEasy to 3.13.3.Final

Closed

Activity

People

Assignee:: r searls

Reporter:: Dennis Leung (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2020/08/26 11:43 AM

Updated:: 2020/12/02 10:58 AM

Resolved:: 2020/11/26 10:55 AM