WildFly Core

WFCORE-5319: two calls to introspection endpoint for one request with JWT


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Component: Security
    • configuration:

      /opt/eap/bin/jboss-cli.sh --connect
      # token realm that validates each bearer token by calling the RH-SSO introspection endpoint (RFC 7662)
      /subsystem=elytron/token-realm=jwt-realm:add(principal-claim="preferred_username", oauth2-introspection={introspection-url=http://rhsso-application-adcubum-syrius.dreq-sso.svc.cluster.local:8080/auth/realms/adcubum-syrius/protocol/openid-connect/token/introspect, client-id=syrius-erp-application-server-oauth2-client, client-secret=5ced837d-d36d-46fa-bc22-db37afd43d27})
      # security domain backed by that realm
      /subsystem=elytron/security-domain=jwt-domain:add(realms=[{realm=jwt-realm,role-decoder=groups-to-roles}], permission-mapper=default-permission-mapper, default-realm=jwt-realm)
      # HTTP authentication factory exposing the BEARER_TOKEN mechanism for the domain
      /subsystem=elytron/http-authentication-factory=jwt-http-authentication:add(security-domain=jwt-domain, http-server-mechanism-factory=global, mechanism-configurations=[{mechanism-name="BEARER_TOKEN", mechanism-realm-configurations=[{realm-name="jwt-realm"}]}])
      # wire the factory into Undertow and make it the default security domain for deployments
      /subsystem=undertow/application-security-domain=jwt-domain:add(http-authentication-factory=jwt-http-authentication)
      /subsystem=undertow:write-attribute(name=default-security-domain, value="jwt-domain")
      shutdown --restart=true

    Description

      We found out that the token introspection endpoint is called twice for one incoming request!
      We expect just one call to the introspection endpoint for one HTTP request. Is it a configuration issue or a bug? Can it be avoided?

       

      09:03:52,808 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /api for path /api/hello
      09:03:52,808 TRACE [org.wildfly.security.http.servlet] (default task-1) Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=true, applicationContext=default-host /api
      09:03:52,808 DEBUG [io.undertow.request.security] (default task-1) Security constraints for request /api/hello are [SingleConstraintMatch{emptyRoleSemantic=PERMIT, requiredRoles=[]}]
      09:03:52,808 TRACE [org.wildfly.security.http.servlet] (default task-1) No AuthConfigProvider for layer=HttpServlet, appContext=default-host /api
      09:03:52,809 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC Unavailable, using HTTP authentication.
      09:03:52,809 TRACE [org.wildfly.security] (default task-1) No CachedIdentity to restore.
      09:03:52,809 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@39d896cc] for mechanism [BEARER_TOKEN]
      09:03:52,809 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='BEARER_TOKEN' host-name='eap-app-dreq-sso.apps.dev-pg.clusters.adcubum.com' protocol='http'
      09:03:52,809 TRACE [org.wildfly.security] (default task-1) Evidence verification: evidence = org.wildfly.security.evidence.BearerTokenEvidence@56fced18 evidencePrincipal = null
      09:03:52,809 DEBUG [org.wildfly.security] (default task-1) Opening connection to token introspection endpoint http://rhsso-application-adcubum-syrius.dreq-sso.svc.cluster.local:8080/auth/realms/adcubum-syrius/protocol/openid-connect/token/introspect
      09:03:52,825 DEBUG [org.wildfly.security] (default task-1) Opening connection to token introspection endpoint http://rhsso-application-adcubum-syrius.dreq-sso.svc.cluster.local:8080/auth/realms/adcubum-syrius/protocol/openid-connect/token/introspect
      09:03:52,827 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [f1testuser] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      09:03:52,828 TRACE [org.wildfly.security] (default task-1) Authorizing principal f1testuser.
      09:03:52,829 TRACE [org.wildfly.security] (default task-1) Authorizing against the following attributes: [sub, email_verified, allowed-origins, iss, active, typ, Roles, preferred_username, client_id, aud, acr, realm_access, azp, scope, exp, session_state, iat, jti, username] => [46f5706a-e3c3-401f-8881-6b31c432a95f, false, http://app1.dreq-sso.apps.dev-pg.clusters.adcubum.com, http://syrius-erp-application-server.dreq-sso.apps.dev-pg.clusters.adcubum.com, http://syrius-erp-presentation-server.dreq-sso.apps.dev-pg.clusters.adcubum.com, http://sso-adcubum-syrius.dreq-sso.apps.dev-pg.clusters.adcubum.com/auth/realms/adcubum-syrius, true, Bearer, user, f1testuser, apigateway, apigateway, syrius-erp-presentation-server-oauth2-client, app1, syrius-erp-application-server-oauth2-client, syrius-demoapplication-fbi-bl, 1, {"roles":["user"]}, apigateway, email user profile, 1614701950, 1ff4309c-dba3-4e41-bd53-287a0b4a1697, 1614671950, 429c8d4c-db9d-4dec-acf2-a9643c62be23, f1testuser]
      09:03:52,831 TRACE [org.wildfly.security] (default task-1) Permission mapping: identity [f1testuser] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      09:03:52,831 TRACE [org.wildfly.security] (default task-1) Authorization succeed
      09:03:52,831 TRACE [org.wildfly.security] (default task-1) Handling AuthorizeCallback: authenticationID = null authorizationID = null authorized = true
      09:03:52,831 DEBUG [org.wildfly.security.http.bearer] (default task-1) Token authentication successful.
      09:03:52,831 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: succeed
      09:03:52,831 TRACE [org.wildfly.security] (default task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=f1testuser, securityDomain=org.wildfly.security.auth.server.SecurityDomain@4ddbe2bf, authorizationIdentity=org.wildfly.security.auth.realm.token.TokenSecurityRealm$TokenRealmIdentity$1@5da1cf01, realmInfo=RealmInfo{name='jwt-realm', securityRealm=org.wildfly.security.auth.realm.token.TokenSecurityRealm@61009232}, creationTime=2021-03-02T09:03:52.827Z}
      09:03:52,832 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [f1testuser] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      09:03:52,832 DEBUG [io.undertow.request.security] (default task-1) Authenticated as f1testuser, roles []
      09:
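As an added example, not code from this issue or from WildFly, the following Python script turns the symptom reported above into a check that can be run over a server log: it strips the console colour codes, groups the `org.wildfly.security` lines by worker thread, and counts how many `Opening connection to token introspection endpoint` lines fall between a `BearerTokenEvidence` verification and the `Token authentication successful.` message on that thread. The sample log is constructed from the trace above, trimmed to the relevant lines, with a second request on `default task-2` invented for contrast; treating one thread's evidence-verification-to-success window as one authentication is an assumption about how the trace interleaves, not something the issue states.

```python
"""Count token-introspection round trips per bearer-token authentication in a
WildFly/Elytron TRACE log and flag the authentications that made more than one."""
import re
from typing import Dict, List, Optional

# Constructed sample, trimmed from the trace in this issue, colour codes still attached as
# the console handler emits them. The 'default task-2' request is invented for contrast
# and makes a single introspection call.
INTROSPECT_URL = ("http://rhsso-application-adcubum-syrius.dreq-sso.svc.cluster.local:8080"
                  "/auth/realms/adcubum-syrius/protocol/openid-connect/token/introspect")
SAMPLE_LOG = "\n".join([
    "\x1b[0m\x1b[32m09:03:52,808 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /api for path /api/hello",
    "\x1b[0m09:03:52,809 TRACE [org.wildfly.security] (default task-1) Evidence verification: evidence = org.wildfly.security.evidence.BearerTokenEvidence@56fced18 evidencePrincipal = null",
    f"\x1b[0m\x1b[32m09:03:52,809 DEBUG [org.wildfly.security] (default task-1) Opening connection to token introspection endpoint {INTROSPECT_URL}",
    f"\x1b[0m\x1b[32m09:03:52,825 DEBUG [org.wildfly.security] (default task-1) Opening connection to token introspection endpoint {INTROSPECT_URL}",
    "\x1b[0m09:03:52,827 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [f1testuser] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []",
    "\x1b[0m\x1b[32m09:03:52,831 DEBUG [org.wildfly.security.http.bearer] (default task-1) Token authentication successful.",
    "\x1b[0m\x1b[32m09:03:52,832 DEBUG [io.undertow.request.security] (default task-1) Authenticated as f1testuser, roles []",
    "\x1b[0m09:03:53,100 TRACE [org.wildfly.security] (default task-2) Evidence verification: evidence = org.wildfly.security.evidence.BearerTokenEvidence@1a2b3c evidencePrincipal = null",
    f"\x1b[0m\x1b[32m09:03:53,101 DEBUG [org.wildfly.security] (default task-2) Opening connection to token introspection endpoint {INTROSPECT_URL}",
    "\x1b[0m\x1b[32m09:03:53,119 DEBUG [org.wildfly.security.http.bearer] (default task-2) Token authentication successful.",
])

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
INTROSPECT_MSG = "Opening connection to token introspection endpoint "
AUTH_START = "Evidence verification: evidence = org.wildfly.security.evidence.BearerTokenEvidence"
AUTH_END = ("Token authentication successful.", "Token authentication failed", "Authenticated as ")


def strip_ansi(line: str) -> str:
    """Remove the colour escapes the console handler adds (the '[0m[32m' debris)."""
    return ANSI_RE.sub("", line)


def ts_to_ms(ts: str) -> int:
    """'09:03:52,825' -> milliseconds since midnight."""
    hms, ms = ts.split(",")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1000 + int(ms)


def parse_line(raw: str) -> Optional[dict]:
    """Split one log line into timestamp, level, logger, thread and message."""
    m = LINE_RE.match(strip_ansi(raw).strip())
    return m.groupdict() if m else None


def introspection_calls_per_auth(log_text: str) -> List[dict]:
    """One record per bearer-token authentication, keyed by worker thread: the number of
    introspection connections opened and the gap between the first and the last of them."""
    open_auths: Dict[str, dict] = {}
    finished: List[dict] = []

    def close(thread: str) -> None:
        rec = open_auths.pop(thread, None)
        if rec is not None:
            finished.append(rec)

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        thread, msg, ts = rec["thread"], rec["msg"], rec["ts"]
        if msg.startswith(AUTH_START):
            close(thread)  # a new evidence check on this thread starts a new authentication
            open_auths[thread] = {"thread": thread, "started": ts, "calls": [], "urls": set()}
        elif msg.startswith(INTROSPECT_MSG):
            auth = open_auths.setdefault(thread, {"thread": thread, "started": ts, "calls": [], "urls": set()})
            auth["calls"].append(ts_to_ms(ts))
            auth["urls"].add(msg[len(INTROSPECT_MSG):].strip())
        elif msg.startswith(AUTH_END):
            close(thread)
    for thread in list(open_auths):  # authentications still open at end of log
        close(thread)
    for auth in finished:
        auth["count"] = len(auth["calls"])
        auth["gap_ms"] = (auth["calls"][-1] - auth["calls"][0]) if auth["calls"] else 0
    return finished


def find_duplicate_introspections(log_text: str) -> List[dict]:
    """Authentications that hit the introspection endpoint more than once."""
    return [a for a in introspection_calls_per_auth(log_text) if a["count"] > 1]


if __name__ == "__main__":
    for a in introspection_calls_per_auth(SAMPLE_LOG):
        flag = "DUPLICATE" if a["count"] > 1 else "ok"
        print(f"{a['thread']}: {a['count']} introspection call(s), {a['gap_ms']} ms apart [{flag}]")
```

Run against the sample, the script reports two calls 16 ms apart for `default task-1` and one call for `default task-2`. Pointing it at a full server.log with `org.wildfly.security` at DEBUG gives a per-request count that is easier to reason about than reading the trace by hand.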

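The `oauth2-introspection` settings in the configuration above (`introspection-url`, `client-id`, `client-secret`) describe an RFC 7662 exchange. As an added example that is not code from this issue or from WildFly/Elytron, here are both sides of that exchange in Python: a mock endpoint that rejects callers without the right Basic client credentials, answers unknown tokens with `active=false` and records every hit, and the client round trip that each `Opening connection to token introspection endpoint` line corresponds to. The client id, secret and token values are constructed, and the exact headers Elytron's validator sends are not shown on this page; the client here follows RFC 7662 as written.

```python
"""A minimal RFC 7662 token-introspection exchange, both sides: a mock endpoint that
checks the caller's client credentials and counts hits, and the client round trip an
oauth2-introspection token-realm performs for each bearer token it validates."""
import base64
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-ins for the token-realm's client-id/client-secret and for one opaque
# access token the IdP knows about (not the values from the issue).
CLIENT_ID = "example-application-server-oauth2-client"
CLIENT_SECRET = "example-client-secret"
KNOWN_TOKENS = {
    "tok-f1testuser": {"active": True, "preferred_username": "f1testuser",
                       "realm_access": {"roles": ["user"]}, "client_id": "apigateway"},
}


def basic_auth(client_id: str, client_secret: str) -> str:
    # The client credentials travel as HTTP Basic on every introspection call, so with a
    # plain-http introspection-url they cross the network on each round trip.
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


class IntrospectionHandler(BaseHTTPRequestHandler):
    hits = []  # tokens introspected, in order: the IdP-side view of "how many calls"

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        if self.headers.get("Authorization") != basic_auth(CLIENT_ID, CLIENT_SECRET):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        token = form.get("token", [""])[0]
        IntrospectionHandler.hits.append(token)
        # RFC 7662: a token the server does not recognise is answered with active=false,
        # not with an error status
        body = json.dumps(KNOWN_TOKENS.get(token, {"active": False})).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock_endpoint():
    """Start the endpoint on a free loopback port; returns (server, introspection_url)."""
    server = HTTPServer(("127.0.0.1", 0), IntrospectionHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"http://{host}:{port}/auth/realms/demo/protocol/openid-connect/token/introspect"


def introspect(url: str, client_id: str, client_secret: str, token: str) -> dict:
    """One client round trip: POST token=... with Basic client credentials."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode({"token": token}).encode(), method="POST")
    req.add_header("Authorization", basic_auth(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def demo() -> dict:
    """Run the exchange against the mock endpoint and report what the endpoint saw."""
    server, url = start_mock_endpoint()
    try:
        IntrospectionHandler.hits.clear()
        good = introspect(url, CLIENT_ID, CLIENT_SECRET, "tok-f1testuser")
        unknown = introspect(url, CLIENT_ID, CLIENT_SECRET, "tok-revoked")
        try:
            introspect(url, CLIENT_ID, "wrong-secret", "tok-f1testuser")
            bad_creds_status = 200
        except urllib.error.HTTPError as e:
            bad_creds_status = e.code
        return {"good": good, "unknown": unknown, "bad_creds_status": bad_creds_status,
                "endpoint_hits": list(IntrospectionHandler.hits)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `endpoint_hits` list is the IdP-side counterpart of counting the log lines above: with the behaviour reported in this issue the endpoint would record the same token twice per request, each time with the client credentials attached.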
       

       

       

      People

        dvilkola@redhat.com Diana Krepinska
        goran.sustek Goran Sustek