Comments (12)
For those looking for the code of how to get an unverified
JsonWebToken
object from the token string, this code should do the trick:public JsonWebToken decodeTokenUnverified(String tokenString) throws InvalidJwtException { JwtConsumer consumer = new JwtConsumerBuilder() .setSkipAllValidators() .setDisableRequireSignature() .setSkipSignatureVerification() .build(); JwtClaims claimsSet = consumer.processToClaims(tokenString); return new DefaultJWTCallerPrincipal(tokenString, claimsSet); }
And how will this inject it into the quarkus-smallrye security context for authorization? (For RolesAllowed purposes)
from smallrye-jwt.
See the documentation, Custom Factories
, how to inject custom factories which will bypass the verification,
https://github.com/smallrye/smallrye-jwt/blob/master/doc/modules/ROOT/pages/configuration.adoc
from smallrye-jwt.
@FreifeldRoyi What I can suggest is to register a custom JWTCallerPrincipalFactory, similarly to the way it is done for the Thorntail Keycloak integration. There you'd just parse the token with Jose4J and use DefaultJWTCallerPrincipal.
Let me know how it goes please
from smallrye-jwt.
@FreifeldRoyi if we update smallrye-jwt
to allow for the unverified tokens then it won't pass any security review, even though it would be done with some configuration, and as in your case, you can be assured enough that it won't be a problem. So I'll close this issue, but I'll wait till you confirm the customization works in principle for you
from smallrye-jwt.
Is there any preference doing that instead of implementing a parser in Jax-rs filter and adding to request context?
from smallrye-jwt.
@FreifeldRoyi No, not really, if all you need is to use MP JWT API, then indeed just convert it into JsonWebToken
and set it as a new (JAX-RS) security context
from smallrye-jwt.
Hello!
There was a whole conversation about this (https://quarkusio.zulipchat.com/#narrow/stream/187030-users/topic/MP-JWT.20validation.20skip). The thing is at some point You do not need to verify the token, but You still want to get the roles out of it and use the quarkus-jwt for authorization purposes.
It makes it hard to use in bigger solutions that have the validation done before it reaches the quarkus application (part of the whole cluster-eco-system).
Would injecting JWTCallerPrincipalFactory make it possible for me to extract the roles from the un-verified token and inject them into the quarkus security principal used for role matching? (I tried it briefly and I could not find a way to inject it). Is there a solution that is not too hacky-slashy in the global view of software development? One that can be reused in all microservices of the eco-system that is not copy paste this solution manually and override the default implementation?
I was wondering if this is going to live, or get discarded. It is quite important for me to know.
from smallrye-jwt.
@omgbanana this is why I'm keeping this issue open :-). Custom factory path should be good enough but it requires a bit more thinking how to do it right, I'll try to prioritize on it soon
from smallrye-jwt.
For those looking for the code of how to get an unverified JsonWebToken
object from the token string, this code should do the trick:
public JsonWebToken decodeTokenUnverified(String tokenString) throws InvalidJwtException {
JwtConsumer consumer = new JwtConsumerBuilder()
.setSkipAllValidators()
.setDisableRequireSignature()
.setSkipSignatureVerification()
.build();
JwtClaims claimsSet = consumer.processToClaims(tokenString);
return new DefaultJWTCallerPrincipal(tokenString, claimsSet);
}
from smallrye-jwt.
It won't. There currently does not seem to be an option to skip verification (afaik). Just wanted to share this code on how to get a JWT parsed, since I also first had to find a way to do it and thought it might help you, although it doesn't solve your problem.
from smallrye-jwt.
The factory solution should work.
Unfortunately, it seems that Quarkus instantiates the DefaultJWTTokenParser
directly, instead of using the factory:
quarkusio/quarkus@08777bb#diff-4dabe1f5911b23eb33fd6188eefe39c2
@sberyozkin what do you think?
from smallrye-jwt.
It now (on master) deals with the injected JWTParser
.
Once #194 is merged it will all work
from smallrye-jwt.
Related Issues (20)
- Validate Jwt build with different keys and algorithms HOT 4
- Add `scope` method to JWT Build API
- Enhance JWT Build API to allow setting a certificate chain
- Add KeyEncryptionAlgorithm "dir" enum value HOT 1
- Typos in two of KeyEncryptionAlgorithm `ECDH-ES+*` enums HOT 1
- How to avoid unexpired JWT replay attack ? HOT 3
- Error while using `smalrye.jwt.sign.key.location` properties with file: scheme HOT 8
- allow multiple signature algorithms HOT 1
- Allow encryption with explicitly requested algorithm HOT 1
- add an extension point to customize evaluation time used in DefaultJWTTokenParser HOT 8
- JWTCallerPrincipalFactory is instantiated each time if not explicitly set HOT 11
- Respect `smallrye.jwt.path.groups` even if the `groups` claim is present in the token HOT 2
- Support JWS `jwk` header in JWT Build API
- Sonar plugin issue HOT 5
- request: smallrye-jwt retries fetching keys if initial request fails HOT 2
- Incorrect Logic Results in Inability to Properly Configure Signature Algorithm HOT 1
- Support EdDSA in KeyUtils.keyFactoryAlgorithm()
- io.smallrye.jwt.build.JwtSignatureException: SRJWT05000: Unsupported signature algorithm: EdDSA
- smallrye.jwt.time-to-live=-1 not disabling iat-check HOT 1
- Support flattened JWS signature
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from smallrye-jwt.