Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-16985

Internal Server Error when using JWT signed with unknown PK

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not a Bug
    • Icon: Blocker Blocker
    • None
    • 27.0.0.Beta1
    • MP JWT
    • None
    • Hide
      1. start the server:
        standalone.sh --server-config=standalone-microprofile.xml
          
      1. configure the server - verify the following already exist in the server config and, if they don't, add them:
        /extension=org.wildfly.extension.microprofile.jwt-smallrye:add(module=org.wildfly.extension.microprofile.jwt-smallrye)
        /subsystem=microprofile-jwt-smallrye:add()
         
      1. deploy the attached WAR file testJwtSignedByPinkKeyJsonPk.war to the server
      1. hit app's secured HTTP endpoint using a JWT signed with a PK which the server doesn't know:
        curl --location --request GET http://127.0.0.1:8080/testJwtSignedByPinkKeyJsonPk/secured-endpoint \
        --header 'Authorization: Bearer eyJraWQiOiJwaW5rLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0=.eyJqdGkiOiI5MDk3MWViMy1jMGNmLTRiMDgtYjQyZC1jN2IyN2ExYWQ4ZTAiLCJzdWIiOiJGQUtFX1VTRVIiLCJncm91cHMiOlsiZ3JvdXAyIiwiZ3JvdXAxIl0sImF1ZCI6Im1pY3JvcHJvZmlsZS1qd3QtdGVzdHN1aXRlIiwiaXNzIjoiaXNzdWVyIiwiaWF0IjoxNjYyOTg4MDY1LCJleHAiOjE2NjI5OTE2NjUsInVwbiI6IkZBS0VfVVNFUiIsInByZWZlcnJlZF91c2VybmFtZSI6IkZBS0VfVVNFUiJ9.BSkvECwdD0w_t6OaqKVgJnCiND_4QPR7MqWJy-Kge8SEBfCbS4NAlAxk9p4pArjiAcqOyCuQ_eoe0IkPxPUL6T0t8e0hXLwE_MzcgDpfhImBI5c5F-gIDH6ZOU1d3POIVnmJss24-eohQRUDx5pqoJC_3bG9lcayu5eFeLLa9LgZARbRFKhXnZz9TvCeZrYEwbLMAiWh5Fo9e0I8GJMGXw0BBVCs6DVaJrIgEfb881lKbCSAX_6i5KLyqseTu0WvzqTXYv8tPNpoPf3ANXdILF4e6y6O5pGzoKb766uIBwasBei6SMDH6TdbOmXGWCQAZC6sMItjo9U9MvqNSdQVQg=='
          
      Show
      start the server: standalone.sh --server-config=standalone-microprofile.xml configure the server - verify the following already exist in the server config and, if they don't, add them: /extension=org.wildfly.extension.microprofile.jwt-smallrye:add(module=org.wildfly.extension.microprofile.jwt-smallrye) /subsystem=microprofile-jwt-smallrye:add() deploy the attached WAR file testJwtSignedByPinkKeyJsonPk.war to the server hit app's secured HTTP endpoint using a JWT signed with a PK which the server doesn't know: curl --location --request GET http://127.0.0.1:8080/testJwtSignedByPinkKeyJsonPk/secured-endpoint \ --header 'Authorization: Bearer eyJraWQiOiJwaW5rLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0=.eyJqdGkiOiI5MDk3MWViMy1jMGNmLTRiMDgtYjQyZC1jN2IyN2ExYWQ4ZTAiLCJzdWIiOiJGQUtFX1VTRVIiLCJncm91cHMiOlsiZ3JvdXAyIiwiZ3JvdXAxIl0sImF1ZCI6Im1pY3JvcHJvZmlsZS1qd3QtdGVzdHN1aXRlIiwiaXNzIjoiaXNzdWVyIiwiaWF0IjoxNjYyOTg4MDY1LCJleHAiOjE2NjI5OTE2NjUsInVwbiI6IkZBS0VfVVNFUiIsInByZWZlcnJlZF91c2VybmFtZSI6IkZBS0VfVVNFUiJ9.BSkvECwdD0w_t6OaqKVgJnCiND_4QPR7MqWJy-Kge8SEBfCbS4NAlAxk9p4pArjiAcqOyCuQ_eoe0IkPxPUL6T0t8e0hXLwE_MzcgDpfhImBI5c5F-gIDH6ZOU1d3POIVnmJss24-eohQRUDx5pqoJC_3bG9lcayu5eFeLLa9LgZARbRFKhXnZz9TvCeZrYEwbLMAiWh5Fo9e0I8GJMGXw0BBVCs6DVaJrIgEfb881lKbCSAX_6i5KLyqseTu0WvzqTXYv8tPNpoPf3ANXdILF4e6y6O5pGzoKb766uIBwasBei6SMDH6TdbOmXGWCQAZC6sMItjo9U9MvqNSdQVQg=='
    • ---
    • Reported by QE

      When a JWT is sent in an HTTP request as Authorization Bearer token and the JWT is signed with a PK that is unknown to the server, the server is expected to respond with HTTP 401 Unauthorized;

      Instead we get HTTP 500 Internal Server Error;

              fjuma1@redhat.com Farah Juma
              tborgato@redhat.com Tommaso Borgato
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: