Allow unverified JWT about smallrye-jwt HOT 12 CLOSED

For those looking for the code of how to get an unverified JsonWebToken object from the token string, this code should do the trick:

    public JsonWebToken decodeTokenUnverified(String tokenString) throws InvalidJwtException {
        JwtConsumer consumer = new JwtConsumerBuilder()
                .setSkipAllValidators()
                .setDisableRequireSignature()
                .setSkipSignatureVerification()
                .build();

        JwtClaims claimsSet = consumer.processToClaims(tokenString);
        return new DefaultJWTCallerPrincipal(tokenString, claimsSet);
    }

And how will this inject it into the quarkus-smallrye security context for authorization? (For RolesAllowed purposes)

from smallrye-jwt.

See the documentation, Custom Factories, how to inject custom factories which will bypass the verification,
https://github.com/smallrye/smallrye-jwt/blob/master/doc/modules/ROOT/pages/configuration.adoc

from smallrye-jwt.

@FreifeldRoyi What I can suggest is to register a custom JWTCallerPrincipalFactory, similarly to the way it is done for the Thorntail Keycloak integration. There you'd just parse the token with Jose4J and use DefaultJWTCallerPrincipal.
Let me know how it goes please

from smallrye-jwt.

@FreifeldRoyi if we update smallrye-jwt to allow for the unverified tokens then it won't pass any security review, even though it would be done with some configuration, and as in your case, you can be assured enough that it won't be a problem. So I'll close this issue, but I'll wait till you confirm the customization works in principle for you

from smallrye-jwt.

Is there any preference doing that instead of implementing a parser in Jax-rs filter and adding to request context?

from smallrye-jwt.

@FreifeldRoyi No, not really, if all you need is to use MP JWT API, then indeed just convert it into JsonWebToken and set it as a new (JAX-RS) security context

from smallrye-jwt.

Hello!

There was a whole conversation about this (https://quarkusio.zulipchat.com/#narrow/stream/187030-users/topic/MP-JWT.20validation.20skip). The thing is at some point You do not need to verify the token, but You still want to get the roles out of it and use the quarkus-jwt for authorization purposes.

It makes it hard to use in bigger solutions that have the validation done before it reaches the quarkus application (part of the whole cluster-eco-system).

Would injecting JWTCallerPrincipalFactory make it possible for me to extract the roles from the un-verified token and inject them into the quarkus security principal used for role matching? (I tried it briefly and I could not find a way to inject it). Is there a solution that is not too hacky-slashy in the global view of software development? One that can be reused in all microservices of the eco-system that is not copy paste this solution manually and override the default implementation?

I was wondering if this is going to live, or get discarded. It is quite important for me to know.

from smallrye-jwt.

@omgbanana this is why I'm keeping this issue open :-). Custom factory path should be good enough but it requires a bit more thinking how to do it right, I'll try to prioritize on it soon

from smallrye-jwt.

For those looking for the code of how to get an unverified JsonWebToken object from the token string, this code should do the trick:

    public JsonWebToken decodeTokenUnverified(String tokenString) throws InvalidJwtException {
        JwtConsumer consumer = new JwtConsumerBuilder()
                .setSkipAllValidators()
                .setDisableRequireSignature()
                .setSkipSignatureVerification()
                .build();

        JwtClaims claimsSet = consumer.processToClaims(tokenString);
        return new DefaultJWTCallerPrincipal(tokenString, claimsSet);
    }

from smallrye-jwt.

It won't. There currently does not seem to be an option to skip verification (afaik). Just wanted to share this code on how to get a JWT parsed, since I also first had to find a way to do it and thought it might help you, although it doesn't solve your problem.

from smallrye-jwt.

The factory solution should work.

Unfortunately, it seems that Quarkus instantiates the DefaultJWTTokenParser directly, instead of using the factory:
quarkusio/quarkus@08777bb#diff-4dabe1f5911b23eb33fd6188eefe39c2

@sberyozkin what do you think?

from smallrye-jwt.

It now (on master) deals with the injected JWTParser.
Once #194 is merged it will all work

from smallrye-jwt.