Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2022/12/15 08:29:00 UTC

[jira] [Updated] (OFBIZ-12724) JWT Authentication Error

     [ https://issues.apache.org/jira/browse/OFBIZ-12724?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12724:
------------------------------------
    Component/s: framework/security

> JWT Authentication Error
> ------------------------
>
>                 Key: OFBIZ-12724
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12724
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/security, framework/webapp
>    Affects Versions: 17.12.09
>         Environment: OS - Ubuntu 16.04
> DB - MySql
>            Reporter: Ayan Farooqui
>            Assignee: Jacques Le Roux
>            Priority: Trivial
>             Fix For: Upcoming Branch
>
>
> I have secured my Solr setup using solr.JWTAuthPlugin. I need to provide the algorithm name (HS512) and the secret key to verify the payload in solr. The rest api for my Solr setup will be triggered from OFBiz for which I am generating a JWT token and validating it.
> Using the given key & following methods -
> secret key - KeS5mHZGWAD6-5V9qwCE (This is 120 bit key)
> public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, int expireTime)
> public static Map<String, Object> validateToken(String jwtToken, String key)
> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
>  
> When I use the above generated token and key in Solr I get the InvalidKeyException which says The secret is only 120 bits, 512 bits is required by HS512. 
> I suppose we should get such exception in OFBiz also, when generating a token using shorter than recommended key size.
> As mentioned in java-jwt docs
> "Ensure the length of the secret is at least 512 bit long" under HMAC512 header ( https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html )
> But I am using only 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the validateToken(String jwtToken, String key) method and it is not throwing any exception for key size.
> We should follow the rule and give a 512 bit key by default and provide validation based on the same rule.  
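The validation the report asks for, shown as an added example rather than OFBiz or java-jwt code: a small Python stand-in for createJwt/validateToken that refuses an HMAC secret shorter than the digest of the chosen algorithm (RFC 7518 section 3.2 requires the key to be at least as long as the hash output, so 512 bits for HS512), so a short key fails at token creation and validation instead of only when Solr verifies the token. The function names, the Python port and the sample claims are assumptions.

```python
import base64, hashlib, hmac, json, time

# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output.
MIN_KEY_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def check_hmac_key(secret: bytes, alg: str) -> int:
    """Return the key size in bits, or raise ValueError if it is too short for alg."""
    bits = len(secret) * 8
    if bits < MIN_KEY_BITS[alg]:
        raise ValueError(f"The secret is only {bits} bits, {MIN_KEY_BITS[alg]} bits is required by {alg}")
    return bits


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes, expire_seconds: int, alg: str = "HS512") -> str:
    check_hmac_key(secret, alg)  # reject weak keys before signing anything
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = dict(claims, exp=int(time.time()) + expire_seconds)
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), HASHES[alg]).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_token(token: str, secret: bytes, alg: str = "HS512") -> dict:
    check_hmac_key(secret, alg)  # same rule on the verifying side
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != alg:  # the verifier, not the token, picks the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), HASHES[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    if payload.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return payload
```

With the 20-character key quoted in the report, both create_jwt and validate_token raise the same kind of key-size error Solr reports; a 64-byte secret passes and round-trips.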



--
This message was sent by Atlassian Jira
(v8.20.10#820010)