Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2022/11/29 09:49:05 UTC

Re: JWT token authentication error

Hi Ayan, Your message has been (somehow) moderated, else it would not have reached this Mailing List. Please subscribe to the user ML for such
questions and then use your email client. See why here http://ofbiz.apache.org/mailing-lists.html. You will get better support, people can answer
you on the ML. The wider the audience the better the answers you might get. Also it's more work for moderators who have to accept your messages as
long as you have not subscribed. I'll personally no longer accept them (other moderators still could). Thanks


This said, I moderated your message too late so it was not possible to do it the conventional way. Anyway here we are. I see that you are working with
Hotwax, and nobody from there moderated your email. So maybe the issue is already "fixed" internally?

Else we need more information, like:

Why did you need a JWT token to use Solr? What makes you think that "OFBiz is generating the token with a 120 bit key"? Etc.

HTH

Jacques

On 21/11/2022 at 10:13, Ayan Farooqui wrote:
>
> Hello devs,
>
>
> I was doing a POC on JWT authentication in Solr, to implement it I generated a JWT token using OFBiz. When I used the same token and secret key to 
> authenticate a request on my local Solr instance, Solr gave an error “A key of the same size as the hash output or larger MUST be used with this 
> algorithm”. Upon debugging the issue I found reference to this rule.
>
>
> “A key of the same size as the hash output (for instance, 256 bits for
>    "HS256") or larger MUST be used with this algorithm.  (This
>    requirement is based on Section 5.3.4 <https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4> (Security Effect of the HMAC
>    Key) of NIST SP 800-117 [NIST.800-107 <https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]”
>
>
> OFBiz is generating the token with a 120 bit key when it should throw an exception for key size while using the HS512 or HS256 algorithm.
>
>
> Reference - https://www.rfc-editor.org/rfc/rfc7518#page-7

Re: JWT token authentication error

Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks Ayan,

I'll handle it.

Jacques

On 14/12/2022 at 13:46, Ayan Farooqui wrote:
> Hello Jacques,
>
> I have created a JIRA issue for the same
> https://issues.apache.org/jira/browse/OFBIZ-12724
>
> Please let me know if I need to make any changes
>
> Thanks
>
> Ayan
>
> On Tue, Dec 13, 2022 at 6:21 PM Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
>
>> Hi Ayan,
>>
>> I totally agree about your conclusion. We can go as we agreed and I can do
>> that.
>>
>> Would you take care of creating a Jira? Else I can do it for you.
>>
>> Thanks
>>
>> Jacques
>>
>> On 13/12/2022 at 08:14, Ayan Farooqui wrote:
>>> Hello Jacques,
>>>
>>> I have used an online tool (https://mkjwk.org/) to generate this specific
>>> secret key where I specified the size, algorithm and type.
>>> Thank you for providing me with a solution but my specific problem and use
>>> case was solved already, I'm using the key of recommended size. It may have
>>> been unclear in the first mail but please allow me to correct myself, the
>>> mail was sent in the dev list with the intent of suggesting that we should
>>> follow the rule and give a 512 bit key by default and provide validation
>>> based on the same rule.
>>>
>>> "Ensure the length of the secret is at least 512 bit long" under HMAC512
>>> header (Reference
>>> <https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html>)
>>>
>>> Thanks and Regards,
>>> Ayan Farooqui
>>>
>>> On Thu, Dec 8, 2022 at 8:16 PM Jacques Le Roux <jacques.le.roux@les7arts.com>
>>> wrote:
>>>
>>>> Hi Ayan,
>>>>
>>>> A few other questions:
>>>> Are you using a salt when generating the key?
>>>> Then when and how do you measure the KeS5mHZGWAD6-5V9qwCE to say it's a
>>>> 120 bit key?
>>>> Without a salt it seems to be a 160 bit key to me, am I missing something?
>>>>
>>>> To answer your question, I guess we did not care about that by ignorance of
>>>> the rule you mentioned.
>>>>
>>>> A possible solution is in createJwt() to check the size of the key is at
>>>> minimum 512 bits and modify the rest of the code to handle in case of
>>>> reject.
>>>>
>>>> HTH
>>>>
>>>> Jacques
>>>>
>>>> On 07/12/2022 at 14:50, Ayan Farooqui wrote:
>>>>> Hello Jacques,
>>>>>
>>>>> This is a randomly generated key (KeS5mHZGWAD6-5V9qwCE)
>>>>> Yes the method I'm using internally calls the method you mentioned
>>>>>
>>>>> public static String createJwt(Delegator delegator, Map<String,
>>>>> String> claims, String keySalt, int expireTime)
>>>>>
>>>>> and yes I am getting the key from properties file (security.token.key)
>>>>> only, where I can replace it with a stronger 512 bit key.
>>>>> But I wanted to point out that OFBiz is not throwing any exception
>>>>> when I am using a key of less than recommended length. My concern
>>>>> being, why does OFBiz allow less secure keys such as 120bits when 512
>>>>> is recommended for that algorithm.
>>>>>
>>>>>
>>>>> On Tue, Dec 6, 2022 at 9:45 PM Jacques Le Roux <jacques.le.roux@les7arts.com>
>>>>> wrote:
>>>>>
>>>>>> I had a quick look. Before you create a Jira issue, here are some
>>>>>> questions:
>>>>>>
>>>>>> First, why did you pick the 120 bit secret key KeS5mHZGWAD6-5V9qwCE ?
>>>>>>
>>>>>> Then, as I did not find any "Date expiresAt)" in any code ever in OFBiz:
>>>>>> https://ofbiz.markmail.org/search/?q=Date+expiresAt%29
>>>>>> my question is do you rather use
>>>>>> public static String createJwt(Delegator delegator, Map<String, String>
>>>>>> claims, String keySalt, int expireTime)
>>>>>> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java#L299
>>>>>> ?
>>>>>>
>>>>>> That would be strange because you would be then forced to use the OOTB
>>>>>> "security.token.key" (property in security.properties) through one of the
>>>>>> JWTManager::getJWTKey
>>>>>> So you could pick what you want as security.token.key and set a 512 bit
>>>>>> secret key
>>>>>>
>>>>>> I hope this will help to clarify
>>>>>>
>>>>>> Jacques
>>>>>> PS: BTW totally unrelated, but I found this 2017 article interesting:
>>>>>> https://auth0.com/blog/brute-forcing-hs256-is-possible-the-importance-of-using-strong-keys-to-sign-jwts/
>>>>>>
>>>>>> On 06/12/2022 at 11:18, Jacques Le Roux wrote:
>>>>>>> Hi Ayan,
>>>>>>>
>>>>>>> Thanks for your detailed answer, I now understand the issue and will
>>>>>>> have a 1st look at it.
>>>>>>> I have created a Jira account for you (ayanfarooqui). Could you please
>>>>>>> create a Jira bug issue, you may follow
>>>>>>> https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices
>>>>>>> Copying the information below as description would be perfect.
>>>>>>>
>>>>>>> TIA
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>>
>>>>>>> On 29/11/2022 at 13:39, Ayan Farooqui wrote:
>>>>>>>> Hello Jacques,
>>>>>>>>
>>>>>>>> Thank you for moderating the message.
>>>>>>>> I have secured my Solr setup using solr.JWTAuthPlugin
>>>>>>>> <https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html>. I
>>>>>>>> need to provide the algorithm name (HS512) and the secret key to verify
>>>>>>>> the payload in Solr. The REST API for my Solr setup will be triggered
>>>>>>>> from OFBiz for which I am generating a JWT token and validating it.
>>>>>>>> Using the given key & following methods - secret key - KeS5mHZGWAD6-5V9qwCE
>>>>>>>> (This is a 120 bit key)
>>>>>>>> public static String createJwt(Delegator delegator, Map<String, String>
>>>>>>>> claims, String keySalt, Date expiresAt) (ofbiz github code
>>>>>>>> <https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>)
>>>>>>>> public static Map<String, Object> validateToken(String jwtToken, String
>>>>>>>> key) (ofbiz github code
>>>>>>>> <https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>)
>>>>>>>> When I use the above generated token and key in Solr I get the
>>>>>>>> InvalidKeyException which says The secret is only 120 bits, 512 bits is
>>>>>>>> required by HS512.
>>>>>>>> I suppose we should get such exception in OFBiz also, when generating
>>>>>>>> a token using shorter than recommended key size.
>>>>>>>> As mentioned in java-jwt docs
>>>>>>>>
>>>>>>>> "Ensure the length of the secret is at least 512 bit long" under
>>>>>>>> HMAC512 header (Reference
>>>>>>>> <https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html>)
>>>>>>>> But I am using only 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the
>>>>>>>> validateToken(String jwtToken, String key) method and it is not throwing
>>>>>>>> any exception for key size.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Nov 29, 2022 at 3:20 PM Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
>>>>>>>>> Hi Ayan, Your message has been (somehow) moderated, else it would
>>>>>>>>> not have reached this Mailing List. Please subscribe to the user ML for such
>>>>>>>>> questions and then use your email client. See why here
>>>>>>>>> http://ofbiz.apache.org/mailing-lists.html. You will get better support, people can
>>>>>>>>> answer you on the ML. The wider the audience the better the answers
>>>>>>>>> you might get. Also it's more work for moderators who have to accept your
>>>>>>>>> messages as long as you have not subscribed. I'll personally no
>>>>>>>>> longer accept them (other moderators still could). Thanks
>>>>>>>>>
>>>>>>>>> This said, I moderated your message too late so it was not possible
>>>>>>>>> to do it the conventional way. Anyway here we are. I see that you are working
>>>>>>>>> with Hotwax, and nobody from there moderated your email. So maybe
>>>>>>>>> the issue is already "fixed" internally?
>>>>>>>>>
>>>>>>>>> Else we need more information, like:
>>>>>>>>>
>>>>>>>>> Why did you need a JWT token to use Solr? What makes you think that
>>>>>>>>> "OFBiz is generating the token with a 120 bit key"? Etc.
>>>>>>>>>
>>>>>>>>> HTH
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>> On 21/11/2022 at 10:13, Ayan Farooqui wrote:
>>>>>>>>>> Hello devs,
>>>>>>>>>>
>>>>>>>>>> I was doing a POC on JWT authentication in Solr, to implement it I
>>>>>>>>>> generated a JWT token using OFBiz. When I used the same token and secret key
>>>>>>>>>> to authenticate a request on my local Solr instance, Solr gave an
>>>>>>>>>> error “A key of the same size as the hash output or larger MUST be used with
>>>>>>>>>> this algorithm”. Upon debugging the issue I found reference to this rule.
>>>>>>>>>>
>>>>>>>>>> “A key of the same size as the hash output (for instance, 256 bits for
>>>>>>>>>>    "HS256") or larger MUST be used with this algorithm. (This
>>>>>>>>>>    requirement is based on Section 5.3.4
>>>>>>>>>>    <https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4> (Security Effect of the HMAC
>>>>>>>>>>    Key) of NIST SP 800-117 [NIST.800-107 <https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]”
>>>>>>>>>>
>>>>>>>>>> OFBiz is generating the token with a 120 bit key when it should
>>>>>>>>>> throw an exception for key size while using the HS512 or HS256 algorithm.
>>>>>>>>>>
>>>>>>>>>> Reference - https://www.rfc-editor.org/rfc/rfc7518#page-7
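The thread above quotes the HMAC key-size rule from RFC 7518 section 3.2, Jacques proposes enforcing it in createJwt(), and the two sides disagree on whether KeS5mHZGWAD6-5V9qwCE is a 120 bit or a 160 bit key. The example below is added here and is not OFBiz, java-jwt or Solr code. It is written in Python with only the standard library so it runs stand-alone: create_jwt() and validate_token() implement the RFC 7515 compact form for HS256/HS384/HS512, and check_key_size() is the guard that a check placed before Algorithm.HMAC512 in createJwt() would perform. key_bits() also shows where the two bit counts in the thread can come from: the 20 ASCII characters are 160 bits as raw UTF-8 bytes, but base64url-decoded (the form a JWK "k" member takes) they are 15 bytes, i.e. 120 bits. That the two parties measured the secret in these two ways is my reading of the thread, not something it states. The 512 bit key used in the demo is a constructed constant, not a real secret.

```python
# Added example (not OFBiz, java-jwt or Solr code): the RFC 7518 section 3.2
# HMAC key-size rule applied to a minimal HS256/HS384/HS512 JWT signer/verifier.
import base64
import hashlib
import hmac
import json
from typing import Optional

# RFC 7518 s3.2: the key MUST be at least as large as the hash output.
MIN_KEY_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# The secret quoted in the thread (20 ASCII characters).
THREAD_SECRET = "KeS5mHZGWAD6-5V9qwCE"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_bits(secret: str, jwk_encoded: bool) -> int:
    """Bit length of a textual secret as a consumer will see it.

    A library that uses the String's UTF-8 bytes directly counts 8 bits per
    character; a consumer that treats the value as a JWK "k" member
    base64url-decodes it first, which yields 6 bits per character.
    """
    raw = b64url_decode(secret) if jwk_encoded else secret.encode("utf-8")
    return len(raw) * 8


def key_is_acceptable(alg: str, key: bytes) -> bool:
    return len(key) * 8 >= MIN_KEY_BITS[alg]


def check_key_size(alg: str, key: bytes) -> None:
    """The guard the thread proposes for createJwt(): reject before signing."""
    if alg not in HASHES:
        raise ValueError(f"unsupported alg {alg!r}")
    if not key_is_acceptable(alg, key):
        raise ValueError(
            f"The secret is only {len(key) * 8} bits, "
            f"{MIN_KEY_BITS[alg]} bits is required by {alg}"
        )


def create_jwt(claims: dict, key: bytes, alg: str = "HS512") -> str:
    check_key_size(alg, key)
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), HASHES[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, key: bytes) -> dict:
    head, payload, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    check_key_size(alg, key)  # same rule on verify; also rejects "none" and non-HMAC algs
    expected = hmac.new(key, f"{head}.{payload}".encode("ascii"), HASHES[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload))


def try_create(claims: dict, key: bytes, alg: str) -> Optional[str]:
    """Return the token, or None when the key is rejected."""
    try:
        return create_jwt(claims, key, alg)
    except ValueError:
        return None


if __name__ == "__main__":
    print("raw UTF-8 bits:", key_bits(THREAD_SECRET, jwk_encoded=False))
    print("base64url-decoded bits:", key_bits(THREAD_SECRET, jwk_encoded=True))
    weak = b64url_decode(THREAD_SECRET)
    print("HS512 with the thread's key:", try_create({"sub": "solr"}, weak, "HS512"))
    # Constructed 512-bit key for the demo; use secrets.token_bytes(64) for a real one.
    strong = bytes(range(64))
    token = create_jwt({"sub": "solr"}, strong)
    print("claims:", validate_token(token, strong))
```

Running it prints 160 and 120 for the two interpretations of the same secret, None for the HS512 attempt with the 120 bit key (the guard raises the same message Solr reported), and the round-tripped claims for the 512 bit key. Applying check_key_size() on the verify path as well as the sign path is deliberate: a token signed elsewhere with a short key is no safer to accept than one this code would refuse to produce.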

Re: JWT token authentication error

Posted by Ayan Farooqui <ay...@hotwax.co>.
Hello Jacques,

I have created a JIRA issue for the same
https://issues.apache.org/jira/browse/OFBIZ-12724

Please let me know if I need to make any changes

Thanks

Ayan


Re: JWT token authentication error

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Ayan,

I totally agree about your conclusion. We can go as we agreed and I can do that.

Would you take care of creating a Jira? Else I can do it for you.

Thanks

Jacques



Re: JWT token authentication error

Posted by Ayan Farooqui <ay...@hotwax.co>.
Hello Jacques,

I have used an online tool (https://mkjwk.org/) to generate this specific
secret key where I specified the size, algorithm and type.
Thank you for providing me with a solution but my specific problem and use
case was solved already, I'm using the key of recommended size. It may have
been unclear in the first mail but please allow me to correct myself, the
mail was sent in the dev list with the intent of suggesting that we should
follow the rule and give a 512 bit key by default and provide validation
based on the same rule.

"Ensure the length of the secret is at least 512 bit long" under HMAC512
header (Reference
<https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html>)

Thanks and Regards,
Ayan Farooqui

> >>>
> >>> TIA
> >>>
> >>> Jacques
> >>>
> >>>
> >>> Le 29/11/2022 à 13:39, Ayan Farooqui a écrit :
> >>>> Hello Jacques,
> >>>>
> >>>> Thank You for moderating the message.
> >>>> I have secured my Solr setup using solr.JWTAuthPlugin <
> >> https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html>. I
> >> need to provide the
> >>>> algorithm name (HS512) and the secret key to verify the payload in
> >> solr. The rest api for my Solr setup will be triggered from OFBiz for
> which
> >> I am
> >>>> generating a JWT token and validating it. Using the given key &
> >> following methods - secret key - KeS5mHZGWAD6-5V9qwCE (This is 120 bit
> key)
> >>>> public static String createJwt(Delegator delegator, Map<String,
> String>
> >> claims, String keySalt, Date expiresAt)(ofbiz github code
> >>>> <
> >>
> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
> >>> )
> >>>> public static Map<String, Object> validateToken(String jwtToken,
> String
> >> key) (ofbiz github code
> >>>> <
> >>
> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
> >
> >> )
> >>>> When I use the above generated token and key in Solr I get the
> >> InvalidKeyException which says The secret is only 120 bits, 512 bits is
> >> required by
> >>>> HS512.
> >>>> I suppose we should get such exception in OFbiz also,  when generating
> >> a token using shorter than recommended key size.
> >>>> As mentioned in jawa-jwt docs
> >>>>
> >>>> "Ensure the length of the secret is at least 512 bit long" under
> >> HMAC512 header  (Reference
> >>>> <
> >>
> https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html
> >>> )
> >>>> But I am using only 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the
> >> validateToken(String jwtToken, String key) method and it is not throwing
> >> any
> >>>> exception for key size.
> >>>>
> >>>>
> >>>> On Tue, Nov 29, 2022 at 3:20 PM Jacques Le Roux <
> >> jacques.le.roux@les7arts.com> wrote:
> >>>>      Hi Ayan, Your message has been (somehow) moderated, else it would
> >> not have reached this Mailing List. Please subscribe to the user ML for
> such
> >>>>      questions and then use your email client. See why here
> >> http://ofbiz.apache.org/mailing-lists.html. You will get a better
> >> support, people can
> >>>>      answer you on the ML. The wider the audience the better the
> answers
> >> you might get. Also it's more work for moderators who have to accept
> your
> >>>>      messages as long as you have not subscribed. I'll personally no
> >> longer accept them (other moderators still could). Thanks
> >>>>      This said, I moderated your message too late so it was no
> possible
> >> to do it the conventional way. Anyway here we are. I see that you are
> >> working
> >>>>      with Hotwax, and nobody from there moderated your email. So maybe
> >> the issue is already "fixed" internally?
> >>>>      Else we need more information, like:
> >>>>
> >>>>      Why did you need a JWT token to use Solr? What makes you think
> that
> >> "OFBiz is generating the token with a 120 bit key"? Etc.
> >>>>      HTH
> >>>>
> >>>>      Jacques
> >>>>
> >>>>      Le 21/11/2022 à 10:13, Ayan Farooqui a écrit :
> >>>>>      Hello devs,
> >>>>>
> >>>>>
> >>>>>      I was doing a POC on JWT authentication in Solr, to implement
> it I
> >> generated a JWT token using OFBiz. When I used the same token and
> secret key
> >>>>>      to authenticate a request on my local Solr instance, Solr gave
> an
> >> error “A key of the same size as the hash output or larger MUST be used
> with
> >>>>>      this algorithm”. Upon debugging the issue I found reference to
> >> this rule.
> >>>>>      “A key of the same size as the hash output (for instance, 256
> bits
> >> for
> >>>>>         "HS256") or larger MUST be used with this algorithm. (This
> >>>>>
> >>>>>         requirement is based onSection 5.3.4 <
> >> https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4>(Security Effect
> of
> >> the HMAC
> >>>>>         Key) of NIST SP 800-117 [NIST.800-107 <
> >> https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]”
> >>>>>      OFBiz is generating the token with a 120 bit key when it should
> >> throw an exception for key size while using the HS512 or HS256
> algorithm.
> >>>>>      Reference -https://www.rfc-editor.org/rfc/rfc7518#page-7  <
> >> https://www.rfc-editor.org/rfc/rfc7518#page-7>
>

Re: JWT token authentication error

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Ayan,

A few other questions:
Are you using a salt when generating the key?
Then, when and how do you measure KeS5mHZGWAD6-5V9qwCE to say it's a 120 bit key?
Without a salt, it seems to be a 160 bit key to me; am I missing something?

To answer your question, I guess we did not care about that out of ignorance of the rule you mentioned.

A possible solution is to check in createJwt() that the size of the key is at minimum 512 bits, and to modify the rest of the code to handle the case of a rejection.

HTH

Jacques

Le 07/12/2022 à 14:50, Ayan Farooqui a écrit :
> Hello Jacques,
>
> This is a randomly generated key (KeS5mHZGWAD6-5V9qwCE)
> Yes the method I'm using internally calls the method you mentioned
>
> public static String createJwt(Delegator delegator, Map<String,
> String> claims, String keySalt, int expireTime)
>
> and yes I am getting the key from properties file (security.token.key)
> only, where I can replace it with a stronger 512 bit key.
> But I wanted to point out that OFBiz is not throwing any exception
> when I am using a key of less than recommended length. My concern
> being, why does OFBiz allow less secure keys such as 120bits when 512
> is recommended for that algorithm.
>
>
> On Tue, Dec 6, 2022 at 9:45 PM Jacques Le Roux<ja...@les7arts.com>
> wrote:
>
>> I had a quick look. Before you create a Jira issue, here are some
>> questions:
>>
>> First, why did you pick the 120 bit secret key KeS5mHZGWAD6-5V9qwCE ?
>>
>> Then, as I did no find any "Date expiresAt)" in any code ever in OFBiz:
>> https://ofbiz.markmail.org/search/?q=Date+expiresAt%29
>> my question is do you rather use
>> publicstaticStringcreateJwt(Delegatordelegator, Map<String, String>
>> claims, StringkeySalt, intexpireTime)
>>
>> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java#L299
>> ?
>>
>> That would be strange because you would be then forced to use the OOTB
>> "security.token.key" (property in security.properties) through one of the
>> JWTManager::getJWTKey
>> So you could pick what you want as security.token.key and set a 512 bit
>> secret key
>>
>> I hope this will help to clarify
>>
>> Jacques
>> PS: BTW totally unrelated, but I found this 2017 article interesting:
>>
>> https://auth0.com/blog/brute-forcing-hs256-is-possible-the-importance-of-using-strong-keys-to-sign-jwts/
>>
>> Le 06/12/2022 à 11:18, Jacques Le Roux a écrit :
>>> Hi Ayan,
>>>
>>> Thanks for your detailed answer, I now understand the issue and will
>> have a 1st look at it.
>>> I have created a Jira account for you (ayanfarooqui). Could you please
>> create a Jira bug issue, you may follow
>> https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices
>>> Copying the information below as description would be perfect.
>>>
>>> TIA
>>>
>>> Jacques
>>>
>>>
>>> Le 29/11/2022 à 13:39, Ayan Farooqui a écrit :
>>>> Hello Jacques,
>>>>
>>>> Thank You for moderating the message.
>>>> I have secured my Solr setup using solr.JWTAuthPlugin <
>> https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html>. I
>> need to provide the
>>>> algorithm name (HS512) and the secret key to verify the payload in
>> solr. The rest api for my Solr setup will be triggered from OFBiz for which
>> I am
>>>> generating a JWT token and validating it. Using the given key &
>> following methods - secret key - KeS5mHZGWAD6-5V9qwCE (This is 120 bit key)
>>>> public static String createJwt(Delegator delegator, Map<String, String>
>> claims, String keySalt, Date expiresAt)(ofbiz github code
>>>> <
>> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
>>> )
>>>> public static Map<String, Object> validateToken(String jwtToken, String
>> key) (ofbiz github code
>>>> <
>> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>
>> )
>>>> When I use the above generated token and key in Solr I get the
>> InvalidKeyException which says The secret is only 120 bits, 512 bits is
>> required by
>>>> HS512.
>>>> I suppose we should get such exception in OFbiz also,  when generating
>> a token using shorter than recommended key size.
>>>> As mentioned in jawa-jwt docs
>>>>
>>>> "Ensure the length of the secret is at least 512 bit long" under
>> HMAC512 header  (Reference
>>>> <
>> https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html
>>> )
>>>> But I am using only 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the
>> validateToken(String jwtToken, String key) method and it is not throwing
>> any
>>>> exception for key size.
>>>>
>>>>
>>>> On Tue, Nov 29, 2022 at 3:20 PM Jacques Le Roux <
>> jacques.le.roux@les7arts.com> wrote:
>>>>      Hi Ayan, Your message has been (somehow) moderated, else it would
>> not have reached this Mailing List. Please subscribe to the user ML for such
>>>>      questions and then use your email client. See why here
>> http://ofbiz.apache.org/mailing-lists.html. You will get a better
>> support, people can
>>>>      answer you on the ML. The wider the audience the better the answers
>> you might get. Also it's more work for moderators who have to accept your
>>>>      messages as long as you have not subscribed. I'll personally no
>> longer accept them (other moderators still could). Thanks
>>>>      This said, I moderated your message too late so it was no possible
>> to do it the conventional way. Anyway here we are. I see that you are
>> working
>>>>      with Hotwax, and nobody from there moderated your email. So maybe
>> the issue is already "fixed" internally?
>>>>      Else we need more information, like:
>>>>
>>>>      Why did you need a JWT token to use Solr? What makes you think that
>> "OFBiz is generating the token with a 120 bit key"? Etc.
>>>>      HTH
>>>>
>>>>      Jacques
>>>>
>>>>      Le 21/11/2022 à 10:13, Ayan Farooqui a écrit :
>>>>>      Hello devs,
>>>>>
>>>>>
>>>>>      I was doing a POC on JWT authentication in Solr, to implement it I
>> generated a JWT token using OFBiz. When I used the same token and secret key
>>>>>      to authenticate a request on my local Solr instance, Solr gave an
>> error “A key of the same size as the hash output or larger MUST be used with
>>>>>      this algorithm”. Upon debugging the issue I found reference to
>> this rule.
>>>>>      “A key of the same size as the hash output (for instance, 256 bits
>> for
>>>>>         "HS256") or larger MUST be used with this algorithm. (This
>>>>>
>>>>>         requirement is based onSection 5.3.4 <
>> https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4>(Security Effect of
>> the HMAC
>>>>>         Key) of NIST SP 800-117 [NIST.800-107 <
>> https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]”
>>>>>      OFBiz is generating the token with a 120 bit key when it should
>> throw an exception for key size while using the HS512 or HS256 algorithm.
>>>>>      Reference -https://www.rfc-editor.org/rfc/rfc7518#page-7  <
>> https://www.rfc-editor.org/rfc/rfc7518#page-7>
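The two counts in this thread (160 bits in Jacques' reading, 120 bits as reported by Solr) are the same 20-character string measured two ways: as raw UTF-8 bytes, or base64url-decoded as the "k" member of an "oct" JWK, which is the form mkjwk.org emits. The following is an added example, not OFBiz or java-jwt code, of the check proposed above for createJwt(), parameterised by algorithm per RFC 7518 section 3.2 rather than fixed at 512 bits; the class and method names are mine, and it assumes the secret is consumed as UTF-8 bytes, as java-jwt's Algorithm.HMAC512(String) does.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

/**
 * Added example (not OFBiz/java-jwt code): measure an HMAC JWT secret the two
 * ways that appear in this thread and enforce the RFC 7518 section 3.2 rule
 * ("a key of the same size as the hash output or larger MUST be used").
 */
public final class HmacKeyPolicy {

    /** Minimum key size in bits per algorithm: equal to the hash output size (RFC 7518, 3.2). */
    private static final Map<String, Integer> MIN_BITS = Map.of(
            "HS256", 256,
            "HS384", 384,
            "HS512", 512);

    private HmacKeyPolicy() { }

    /**
     * Key size when the String is handed straight to Algorithm.HMAC512(String):
     * java-jwt signs with the UTF-8 bytes of the string (assumption, see lead-in).
     */
    public static int utf8Bits(String secret) {
        return secret.getBytes(StandardCharsets.UTF_8).length * 8;
    }

    /**
     * Key size when the String is the base64url-encoded "k" member of an "oct" JWK
     * (what mkjwk.org generates and what Solr's JWT plugin decodes). Returns -1 when
     * the value is not valid base64url, so "not a JWK" is distinguishable from "too short".
     */
    public static int jwkBits(String secret) {
        try {
            return Base64.getUrlDecoder().decode(secret).length * 8;
        } catch (IllegalArgumentException notBase64Url) {
            return -1;
        }
    }

    /**
     * The check proposed for createJwt(): fail before signing instead of silently
     * issuing a token under a key weaker than the algorithm requires.
     */
    public static void requireMinimumKeySize(String secret, String algorithm) {
        Integer minBits = MIN_BITS.get(algorithm);
        if (minBits == null) {
            throw new IllegalArgumentException("Not an HMAC JWS algorithm: " + algorithm);
        }
        int actualBits = utf8Bits(secret);
        if (actualBits < minBits) {
            // Report sizes only, never the secret itself, so the message is safe to log.
            throw new IllegalArgumentException(algorithm + " requires a key of at least "
                    + minBits + " bits (RFC 7518 section 3.2); security.token.key is "
                    + actualBits + " bits");
        }
    }

    public static void main(String[] args) {
        String threadKey = "KeS5mHZGWAD6-5V9qwCE"; // the 20-character value discussed in the thread

        // 20 UTF-8 bytes = 160 bits (the count without a salt) ...
        System.out.println("As UTF-8 bytes:       " + utf8Bits(threadKey) + " bits");
        // ... but base64url-decoded it is 15 bytes = 120 bits (what Solr reported).
        System.out.println("As base64url JWK 'k': " + jwkBits(threadKey) + " bits");

        // Either reading is far below the 512 bits HS512 needs, so the check rejects it.
        try {
            requireMinimumKeySize(threadKey, "HS512");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }

        // 64 bytes of constructed filler: long enough to pass the size check for HS512.
        // A real security.token.key must be 64 random bytes, not a repeated character.
        String demoLongKey = "x".repeat(64);
        requireMinimumKeySize(demoLongKey, "HS512");
        System.out.println("Accepted a " + utf8Bits(demoLongKey) + "-bit key for HS512");
    }
}
```

Whichever reading a deployment settles on, the two measurements should agree on both ends of the exchange, otherwise OFBiz and Solr are not signing and verifying with the same key bytes.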

Re: JWT token authentication error

Posted by Ayan Farooqui <ay...@hotwax.co>.
Hello Jacques,

This is a randomly generated key (KeS5mHZGWAD6-5V9qwCE).
Yes, the method I'm using internally calls the method you mentioned:

public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, int expireTime)

and yes, I am getting the key from the properties file (security.token.key)
only, where I can replace it with a stronger 512 bit key.
But I wanted to point out that OFBiz is not throwing any exception
when I am using a key of less than the recommended length. My concern
being, why does OFBiz allow less secure keys such as 120 bits when 512
is recommended for that algorithm?


On Tue, Dec 6, 2022 at 9:45 PM Jacques Le Roux <ja...@les7arts.com>
wrote:

> I had a quick look. Before you create a Jira issue, here are some
> questions:
>
> First, why did you pick the 120 bit secret key KeS5mHZGWAD6-5V9qwCE ?
>
> Then, as I did no find any "Date expiresAt)" in any code ever in OFBiz:
> https://ofbiz.markmail.org/search/?q=Date+expiresAt%29
> my question is do you rather use
> publicstaticStringcreateJwt(Delegatordelegator, Map<String, String>
> claims, StringkeySalt, intexpireTime)
>
> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java#L299
> ?
>
> That would be strange because you would be then forced to use the OOTB
> "security.token.key" (property in security.properties) through one of the
> JWTManager::getJWTKey
> So you could pick what you want as security.token.key and set a 512 bit
> secret key
>
> I hope this will help to clarify
>
> Jacques
> PS: BTW totally unrelated, but I found this 2017 article interesting:
>
> https://auth0.com/blog/brute-forcing-hs256-is-possible-the-importance-of-using-strong-keys-to-sign-jwts/
>
> Le 06/12/2022 à 11:18, Jacques Le Roux a écrit :
> > Hi Ayan,
> >
> > Thanks for your detailed answer, I now understand the issue and will
> have a 1st look at it.
> >
> > I have created a Jira account for you (ayanfarooqui). Could you please
> create a Jira bug issue, you may follow
> >
> https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices
> >
> > Copying the information below as description would be perfect.
> >
> > TIA
> >
> > Jacques
> >
> >
> > Le 29/11/2022 à 13:39, Ayan Farooqui a écrit :
> >> Hello Jacques,
> >>
> >> Thank You for moderating the message.
> >> I have secured my Solr setup using solr.JWTAuthPlugin <
> https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html>. I
> need to provide the
> >> algorithm name (HS512) and the secret key to verify the payload in
> solr. The rest api for my Solr setup will be triggered from OFBiz for which
> I am
> >> generating a JWT token and validating it. Using the given key &
> following methods - secret key - KeS5mHZGWAD6-5V9qwCE (This is 120 bit key)
> >> public static String createJwt(Delegator delegator, Map<String, String>
> claims, String keySalt, Date expiresAt)(ofbiz github code
> >> <
> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
> >)
> >> public static Map<String, Object> validateToken(String jwtToken, String
> key) (ofbiz github code
> >> <
> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>
> )
> >>
> >> When I use the above generated token and key in Solr I get the
> InvalidKeyException which says The secret is only 120 bits, 512 bits is
> required by
> >> HS512.
> >> I suppose we should get such exception in OFbiz also,  when generating
> a token using shorter than recommended key size.
> >>
> >> As mentioned in jawa-jwt docs
> >>
> >> "Ensure the length of the secret is at least 512 bit long" under
> HMAC512 header  (Reference
> >> <
> https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html
> >)
> >>
> >> But I am using only 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the
> validateToken(String jwtToken, String key) method and it is not throwing
> any
> >> exception for key size.
> >>
> >>
> >> On Tue, Nov 29, 2022 at 3:20 PM Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
> >>
> >>     Hi Ayan, Your message has been (somehow) moderated, else it would
> not have reached this Mailing List. Please subscribe to the user ML for such
> >>     questions and then use your email client. See why here
> http://ofbiz.apache.org/mailing-lists.html. You will get a better
> support, people can
> >>     answer you on the ML. The wider the audience the better the answers
> you might get. Also it's more work for moderators who have to accept your
> >>     messages as long as you have not subscribed. I'll personally no
> longer accept them (other moderators still could). Thanks
> >>
> >>
> >>     This said, I moderated your message too late so it was no possible
> to do it the conventional way. Anyway here we are. I see that you are
> working
> >>     with Hotwax, and nobody from there moderated your email. So maybe
> the issue is already "fixed" internally?
> >>
> >>     Else we need more information, like:
> >>
> >>     Why did you need a JWT token to use Solr? What makes you think that
> "OFBiz is generating the token with a 120 bit key"? Etc.
> >>
> >>     HTH
> >>
> >>     Jacques
> >>
> >>     Le 21/11/2022 à 10:13, Ayan Farooqui a écrit :
> >>>
> >>>     Hello devs,
> >>>
> >>>
> >>>     I was doing a POC on JWT authentication in Solr, to implement it I
> generated a JWT token using OFBiz. When I used the same token and secret key
> >>>     to authenticate a request on my local Solr instance, Solr gave an
> error “A key of the same size as the hash output or larger MUST be used with
> >>>     this algorithm”. Upon debugging the issue I found reference to
> this rule.
> >>>
> >>>
> >>>     “A key of the same size as the hash output (for instance, 256 bits
> for
> >>>
> >>>        "HS256") or larger MUST be used with this algorithm. (This
> >>>
> >>>        requirement is based onSection 5.3.4 <
> https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4>(Security Effect of
> the HMAC
> >>>
> >>>        Key) of NIST SP 800-117 [NIST.800-107 <
> https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]”
> >>>
> >>>
> >>>     OFBiz is generating the token with a 120 bit key when it should
> throw an exception for key size while using the HS512 or HS256 algorithm.
> >>>
> >>>
> >>>     Reference - https://www.rfc-editor.org/rfc/rfc7518#page-7 <
> https://www.rfc-editor.org/rfc/rfc7518#page-7>
> >>

Re: JWT token authentication error

Posted by Jacques Le Roux <ja...@les7arts.com>.
I had a quick look. Before you create a Jira issue, here are some questions:

First, why did you pick the 120 bit secret key KeS5mHZGWAD6-5V9qwCE?

Then, as I did not find any "Date expiresAt)" in any code ever in OFBiz: https://ofbiz.markmail.org/search/?q=Date+expiresAt%29
my question is: do you rather use
public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, int expireTime)
https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java#L299
?

That would be strange, because you would then be forced to use the OOTB "security.token.key" (property in security.properties) through one of the
JWTManager::getJWTKey methods.
So you could pick what you want as security.token.key and set a 512 bit secret key.

I hope this will help to clarify

Jacques
PS: BTW totally unrelated, but I found this 2017 article interesting:
https://auth0.com/blog/brute-forcing-hs256-is-possible-the-importance-of-using-strong-keys-to-sign-jwts/

Le 06/12/2022 à 11:18, Jacques Le Roux a écrit :
> Hi Ayan,
>
> Thanks for your detailed answer, I now understand the issue and will have a 1st look at it.
>
> I have created a Jira account for you (ayanfarooqui). Could you please create a Jira bug issue, you may follow
> https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices
>
> Copying the information below as description would be perfect.
>
> TIA
>
> Jacques
>
>
> Le 29/11/2022 à 13:39, Ayan Farooqui a écrit :
>> Hello Jacques,
>>
>> Thank You for moderating the message.
>> I have secured my Solr setup using solr.JWTAuthPlugin <https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html>. I need to provide the 
>> algorithm name (HS512) and the secret key to verify the payload in solr. The rest api for my Solr setup will be triggered from OFBiz for which I am 
>> generating a JWT token and validating it. Using the given key & following methods - secret key - KeS5mHZGWAD6-5V9qwCE (This is 120 bit key)
>> public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, Date expiresAt)(ofbiz github code 
>> <https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>)
>> public static Map<String, Object> validateToken(String jwtToken, String key) (ofbiz github code 
>> <https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java> )
>>
>> When I use the above generated token and key in Solr I get the InvalidKeyException which says The secret is only 120 bits, 512 bits is required by 
>> HS512.
>> I suppose we should get such exception in OFbiz also,  when generating a token using shorter than recommended key size.
>>
>> As mentioned in jawa-jwt docs
>>
>> "Ensure the length of the secret is at least 512 bit long" under HMAC512 header  (Reference 
>> <https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html>)
>>
>> But I am using only 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the validateToken(String jwtToken, String key) method and it is not throwing any 
>> exception for key size.
>>
>>
>> On Tue, Nov 29, 2022 at 3:20 PM Jacques Le Roux <ja...@les7arts.com> wrote:
>>
>>     Hi Ayan, Your message has been (somehow) moderated, else it would not have reached this Mailing List. Please subscribe to the user ML for such
>>     questions and then use your email client. See why here http://ofbiz.apache.org/mailing-lists.html. You will get a better support, people can
>>     answer you on the ML. The wider the audience the better the answers you might get. Also it's more work for moderators who have to accept your
>>     messages as long as you have not subscribed. I'll personally no longer accept them (other moderators still could). Thanks
>>
>>
>>     This said, I moderated your message too late so it was no possible to do it the conventional way. Anyway here we are. I see that you are working
>>     with Hotwax, and nobody from there moderated your email. So maybe the issue is already "fixed" internally?
>>
>>     Else we need more information, like:
>>
>>     Why did you need a JWT token to use Solr? What makes you think that "OFBiz is generating the token with a 120 bit key"? Etc.
>>
>>     HTH
>>
>>     Jacques
>>
>>     Le 21/11/2022 à 10:13, Ayan Farooqui a écrit :
>>>
>>>     Hello devs,
>>>
>>>
>>>     I was doing a POC on JWT authentication in Solr, to implement it I generated a JWT token using OFBiz. When I used the same token and secret key
>>>     to authenticate a request on my local Solr instance, Solr gave an error “A key of the same size as the hash output or larger MUST be used with
>>>     this algorithm”. Upon debugging the issue I found reference to this rule.
>>>
>>>
>>>     “A key of the same size as the hash output (for instance, 256 bits for
>>>
>>>        "HS256") or larger MUST be used with this algorithm. (This
>>>
>>>        requirement is based onSection 5.3.4 <https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4>(Security Effect of the HMAC
>>>
>>>        Key) of NIST SP 800-117 [NIST.800-107 <https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]”
>>>
>>>
>>>     OFBiz is generating the token with a 120 bit key when it should throw an exception for key size while using the HS512 or HS256 algorithm.
>>>
>>>
>>>     Reference - https://www.rfc-editor.org/rfc/rfc7518#page-7 <https://www.rfc-editor.org/rfc/rfc7518#page-7>
>>

Re: JWT token authentication error

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Ayan,

Thanks for your detailed answer, I now understand the issue and will have a 1st look at it.

I have created a Jira account for you (ayanfarooqui). Could you please create a Jira bug issue? You may follow
https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices

Copying the information below as description would be perfect.

TIA

Jacques


Le 29/11/2022 à 13:39, Ayan Farooqui a écrit :
> Hello Jacques,
>
> Thank You for moderating the message.
> I have secured my Solr setup using solr.JWTAuthPlugin <https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html>. I need to provide the 
> algorithm name (HS512) and the secret key to verify the payload in solr. The rest api for my Solr setup will be triggered from OFBiz for which I am 
> generating a JWT token and validating it. Using the given key & following methods - secret key - KeS5mHZGWAD6-5V9qwCE (This is 120 bit key)
> public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, Date expiresAt)(ofbiz github code 
> <https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>)
> public static Map<String, Object> validateToken(String jwtToken, String key) (ofbiz github code 
> <https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java> )
>
> When I use the above generated token and key in Solr I get the InvalidKeyException which says The secret is only 120 bits, 512 bits is required by 
> HS512.
> I suppose we should get such exception in OFbiz also,  when generating a token using shorter than recommended key size.
>
> As mentioned in jawa-jwt docs
>
> "Ensure the length of the secret is at least 512 bit long" under HMAC512 header  (Reference 
> <https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html>)
>
> But I am using only 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the  validateToken(String jwtToken, String key) method and it is not throwing any 
> exception for key size.
>
>
> On Tue, Nov 29, 2022 at 3:20 PM Jacques Le Roux <ja...@les7arts.com> wrote:
>
>     Hi Ayan, Your message has been (somehow) moderated, else it would not have reached this Mailing List. Please subscribe to the user ML for such
>     questions and then use your email client. See why here http://ofbiz.apache.org/mailing-lists.html. You will get a better support, people can
>     answer you on the ML. The wider the audience the better the answers you might get. Also it's more work for moderators who have to accept your
>     messages as long as you have not subscribed. I'll personally no longer accept them (other moderators still could). Thanks
>
>
>     This said, I moderated your message too late so it was no possible to do it the conventional way. Anyway here we are. I see that you are working
>     with Hotwax, and nobody from there moderated your email. So maybe the issue is already "fixed" internally?
>
>     Else we need more information, like:
>
>     Why did you need a JWT token to use Solr? What makes you think that "OFBiz is generating the token with a 120 bit key"? Etc.
>
>     HTH
>
>     Jacques
>
>     Le 21/11/2022 à 10:13, Ayan Farooqui a écrit :
>>
>>     Hello devs,
>>
>>
>>     I was doing a POC on JWT authentication in Solr, to implement it I generated a JWT token using OFBiz. When I used the same token and secret key
>>     to authenticate a request on my local Solr instance, Solr gave an error “A key of the same size as the hash output or larger MUST be used with
>>     this algorithm”. Upon debugging the issue I found reference to this rule.
>>
>>
>>     “A key of the same size as the hash output (for instance, 256 bits for
>>
>>        "HS256") or larger MUST be used with this algorithm.  (This
>>
>>        requirement is based onSection 5.3.4 <https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4>(Security Effect of the HMAC
>>
>>        Key) of NIST SP 800-117 [NIST.800-107 <https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]”
>>
>>
>>     OFBiz is generating the token with a 120 bit key when it should throw an exception for key size while using the HS512 or HS256 algorithm.
>>
>>
>>     Reference - https://www.rfc-editor.org/rfc/rfc7518#page-7 <https://www.rfc-editor.org/rfc/rfc7518#page-7>
>

Re: JWT token authentication error

Posted by Ayan Farooqui <ay...@hotwax.co>.
Hello Jacques,

Thank you for moderating the message.
I have secured my Solr setup using solr.JWTAuthPlugin
<https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html>. I need
to provide the algorithm name (HS512) and the secret key to verify the
payload in Solr. The REST API for my Solr setup will be triggered from
OFBiz, for which I am generating a JWT token and validating it. Using the
given key & following methods:
secret key - KeS5mHZGWAD6-5V9qwCE (This is a 120 bit key)

public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, Date expiresAt)
(ofbiz github code
<https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>)

public static Map<String, Object> validateToken(String jwtToken, String key)
(ofbiz github code
<https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>)

When I use the above generated token and key in Solr I get the
InvalidKeyException which says "The secret is only 120 bits, 512 bits is
required by HS512."
I suppose we should get such an exception in OFBiz also, when generating a
token using a shorter than recommended key size.

As mentioned in the java-jwt docs:

"Ensure the length of the secret is at least 512 bit long" under the HMAC512
header (Reference
<https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html>)

But I am using only a 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the
validateToken(String jwtToken, String key) method and it is not throwing
any exception for key size.



On Tue, Nov 29, 2022 at 3:20 PM Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:

> Hi Ayan, Your message has been (somehow) moderated, else it would not
> have reached this Mailing List. Please subscribe to the user ML for such
> questions and then use your email client. See why here
> http://ofbiz.apache.org/mailing-lists.html. You will get a better
> support, people can answer you on the ML. The wider the audience the better
> the answers you might get. Also it's more work for moderators who have to
> accept your messages as long as you have not subscribed. I'll personally no
> longer accept them (other moderators still could). Thanks
>
>
> This said, I moderated your message too late so it was no possible to do
> it the conventional way. Anyway here we are. I see that you are working
> with Hotwax, and nobody from there moderated your email. So maybe the issue
> is already "fixed" internally?
>
> Else we need more information, like:
>
> Why did you need a JWT token to use Solr? What makes you think that "OFBiz
> is generating the token with a 120 bit key"? Etc.
>
> HTH
>
> Jacques
>
> Le 21/11/2022 à 10:13, Ayan Farooqui a écrit :
>
> Hello devs,
>
> I was doing a POC on JWT authentication in Solr, to implement it I
> generated a JWT token using OFBiz. When I used the same token and secret
> key to authenticate a request on my local Solr instance, Solr gave an error
> “A key of the same size as the hash output or larger MUST be used with
> this algorithm”. Upon debugging the issue I found reference to this rule.
>
> “A key of the same size as the hash output (for instance, 256 bits for
>
>    "HS256") or larger MUST be used with this algorithm.  (This
>
>    requirement is based on Section 5.3.4
> <https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4> (Security Effect
> of the HMAC
>
>    Key) of NIST SP 800-117 [NIST.800-107
> <https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]”
>
> OFBiz is generating the token with a 120 bit key when it should throw an
> exception for key size while using the HS512 or HS256 algorithm.
>
> Reference - https://www.rfc-editor.org/rfc/rfc7518#page-7
>
>
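The key-size rule discussed in this thread (RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output, so 256 bits for HS256 and 512 bits for HS512), shown as an added example that is not OFBiz or java-jwt code: a minimal HS256/HS512 signer and verifier that refuses a short secret before using it. The secret is the one quoted in the thread; the example assumes the 120-bit figure comes from reading it as base64url text (20 characters, 15 bytes), and also shows the raw UTF-8 reading (160 bits), which is short as well.

```python
import base64
import hashlib
import hmac
import json

# RFC 7518 section 3.2 minimums: key length >= hash output length.
MIN_KEY_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    # base64url without padding, as JWS compact serialisation requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_hmac_key(key: bytes, alg: str) -> int:
    # Return the key size in bits; raise when it is below the RFC 7518 minimum
    bits = len(key) * 8
    if bits < MIN_KEY_BITS[alg]:
        raise ValueError(f"The secret is only {bits} bits, {MIN_KEY_BITS[alg]} bits is required by {alg}")
    return bits

def key_is_acceptable(key: bytes, alg: str) -> bool:
    try:
        check_hmac_key(key, alg)
        return True
    except ValueError:
        return False

def sign_jwt(claims: dict, key: bytes, alg: str = "HS512") -> str:
    # Compact JWS of the claims; the size check runs before the key is used
    check_hmac_key(key, alg)
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{b64url(hmac.new(key, signing_input, HASHES[alg]).digest())}"

def verify_jwt(token: str, key: bytes, alg: str = "HS512") -> dict:
    # Same size check on the verifying side, then constant-time signature compare
    check_hmac_key(key, alg)
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), HASHES[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload))

# Secret quoted in the thread: 120 bits read as base64url, 160 bits as raw UTF-8.
THREAD_SECRET = "KeS5mHZGWAD6-5V9qwCE"

def secret_bits(secret: str, decode_base64url: bool) -> int:
    raw = b64url_decode(secret) if decode_base64url else secret.encode("utf-8")
    return len(raw) * 8
```

Either reading of the thread's secret is rejected for HS512, and the 120-bit reading is rejected for HS256 too, which is the check Solr's plugin performs and OFBiz's validateToken does not.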