Posted to commits@solr.apache.org by ja...@apache.org on 2022/03/11 12:11:51 UTC
[solr] branch main updated: SOLR-16090 Better error message when JWT auth SIGNATURE_INVALID during token parsing (#737)
This is an automated email from the ASF dual-hosted git repository.
janhoy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/main by this push:
new cf27e77 SOLR-16090 Better error message when JWT auth SIGNATURE_INVALID during token parsing (#737)
cf27e77 is described below
commit cf27e77daf3bd425cbd9c1b8ee7607357432a3be
Author: Jan Høydahl <ja...@users.noreply.github.com>
AuthorDate: Fri Mar 11 13:11:43 2022 +0100
SOLR-16090 Better error message when JWT auth SIGNATURE_INVALID during token parsing (#737)
---
solr/CHANGES.txt | 2 ++
.../apache/solr/security/jwt/JWTAuthPlugin.java | 37 ++++++++++++----------
2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 09f5603..8f8f393 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -701,6 +701,8 @@ Bug Fixes
* SOLR-15983: Fix ClassCastException in UpdateLog$LogReplayer.doReplay. (Christine Poerschke, David Smiley)
+* SOLR-16090: Better error message when JWT auth SIGNATURE_INVALID during token parsing (janhoy)
+
================== 8.11.2 ==================
Bug Fixes
diff --git a/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java b/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
index 83fcb48..0b46806 100644
--- a/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
+++ b/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
@@ -405,24 +405,29 @@ public class JWTAuthPlugin extends AuthenticationPlugin
String exceptionMessage =
authResponse.getJwtException() != null ? authResponse.getJwtException().getMessage() : "";
if (AuthCode.SIGNATURE_INVALID.equals(authResponse.getAuthCode())) {
- String issuer = jwtConsumer.processToClaims(header).getIssuer();
- if (issuer != null) {
- Optional<JWTIssuerConfig> issuerConfig =
- issuerConfigs.stream().filter(ic -> issuer.equals(ic.getIss())).findFirst();
- if (issuerConfig.isPresent() && issuerConfig.get().usesHttpsJwk()) {
- log.info(
- "Signature validation failed for issuer {}. Refreshing JWKs from IdP before trying again: {}",
- issuer,
- exceptionMessage);
- for (HttpsJwks httpsJwks : issuerConfig.get().getHttpsJwks()) {
- httpsJwks.refresh();
+ String jwt = parseAuthorizationHeader(header);
+ try {
+ String issuer = jwtConsumer.processToClaims(jwt).getIssuer();
+ if (issuer != null) {
+ Optional<JWTIssuerConfig> issuerConfig =
+ issuerConfigs.stream().filter(ic -> issuer.equals(ic.getIss())).findFirst();
+ if (issuerConfig.isPresent() && issuerConfig.get().usesHttpsJwk()) {
+ log.info(
+ "Signature validation failed for issuer {}. Refreshing JWKs from IdP before trying again: {}",
+ issuer,
+ exceptionMessage);
+ for (HttpsJwks httpsJwks : issuerConfig.get().getHttpsJwks()) {
+ httpsJwks.refresh();
+ }
+ authResponse = authenticate(header); // Retry
+ exceptionMessage =
+ authResponse.getJwtException() != null
+ ? authResponse.getJwtException().getMessage()
+ : "";
}
- authResponse = authenticate(header); // Retry
- exceptionMessage =
- authResponse.getJwtException() != null
- ? authResponse.getJwtException().getMessage()
- : "";
}
+ } catch (InvalidJwtException ex) {
+ /* ignored */
}
}
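Review bot: The added `catch (InvalidJwtException ex) { /* ignored */ }` swallows the parse failure without a trace, so when the issuer cannot be read from the token nothing records why the JWK refresh and retry were skipped. A debug-level line would keep that visible, e.g. `log.debug("Could not extract issuer from JWT, skipping JWK refresh: {}", ex.getMessage());`, and the comment could state that the original SIGNATURE_INVALID response is intentionally left in place. Note also that the issuer is taken from a token whose signature has already failed, so it is unverified input: the match against configured `iss` values limits what reaches the log, but the `httpsJwks.refresh()` loop appears reachable by any caller presenting such a token, and it is worth confirming that refreshes are throttled somewhere. `parseAuthorizationHeader(header)` sits outside the `try`; its behaviour on a malformed header is not visible here and should be checked. The enclosing method starts and ends outside the hunk.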