Posted to commits@tomee.apache.org by "Cesar Hernandez (JIRA)" <ji...@apache.org> on 2019/08/06 16:29:00 UTC

[jira] [Commented] (TOMEE-2533) Compliance with MicroProfile JWT Auth

    [ https://issues.apache.org/jira/browse/TOMEE-2533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16901238#comment-16901238 ] 

Cesar Hernandez commented on TOMEE-2533:
----------------------------------------

Hi [~jumpingElephant]

I think we should check first if the MP JWT RBAC TCK contains this test.

If the test is not present my suggestion would be to update the MP JWT project with this finding and solve together (MP JWT + TomEE JWT impl) towards a future release version.

If the test is present, then a fix on TomEE JWT impl will need to be done.

> Compliance with MicroProfile JWT Auth
> -------------------------------------
>
>                 Key: TOMEE-2533
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2533
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 8.0.0-M2
>            Reporter: Alexander Rettner
>            Priority: Major
>         Attachments: jwt.zip
>
>
> The Specification of MicroProfile JWT RBAC requests that an issuer claim must be present in the token and valid. But TomEE, in the tested version 8.0.0-M2, is not compliant with MP in this respect.
> The specification says exactly:
> "The {{mp.jwt.verify.issuer}} config property allows for the expected value of the {{iss}} claim to be specified. A MicroProfile JWT implementation must verify the {{iss}} claim of incoming JWTs is present and matches the configured value of {{mp.jwt.verify.issuer}}."
> TomEE, however, accepts any issuer in the token if it is not specified in its configuration.
> The test environment is the demo (as attached to this issue), which can be created at [https://start.microprofile.io|https://start.microprofile.io/] with MicroProfile Version MP 2.0, Apache TomEE 8.0.0-M2 as the MP server and JWT Auth from the Examples for specifications, in order to create a request with a JWT in its header. With this setup, there is no accepted issuer configured, but any issuer can be defined in the JWTClient class and the request is still successful.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
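The issuer-claim behaviour discussed in this thread, as an added example that is not TomEE's or the MicroProfile JWT project's code. It contains a minimal HS256 verifier (a stand-in for a real JWT library) with two issuer policies side by side: `check_issuer_lenient`, which mirrors the reported behaviour of skipping the `iss` check when no issuer is configured, and `check_issuer_strict`, which follows the quoted spec wording that `iss` must be present and equal the configured `mp.jwt.verify.issuer`. The secret, issuer URLs and claims are constructed for the demo; the choice to fail closed when no issuer is configured at all is an assumption, since the thread leaves open whether the spec or TCK requires it.

```python
"""Issuer-claim check for MicroProfile-JWT-style tokens: lenient vs strict.

Constructed example. The HS256 mint/verify helpers stand in for a real JWT
library; secret, claims and issuer URLs below are made up for the demo.
"""
import base64
import hashlib
import hmac
import json
import time


class TokenRejected(Exception):
    """Raised when a token fails signature or claim validation."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT (header.payload.signature) from claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def _verify_signature_and_decode(token: str, secret: bytes) -> dict:
    """Check the HMAC over header.payload and return the decoded claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # covers bad base64, bad JSON, wrong part count
        raise TokenRejected("malformed token") from exc
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    return claims


def check_issuer_lenient(claims: dict, configured_issuer):
    """Behaviour described in the report: no configured issuer, no check."""
    if configured_issuer is None:
        return
    if claims.get("iss") != configured_issuer:
        raise TokenRejected(f"iss {claims.get('iss')!r} does not match")


def check_issuer_strict(claims: dict, configured_issuer):
    """Spec wording: iss must be present and equal mp.jwt.verify.issuer.

    Failing closed when nothing is configured is an assumption of this
    example; the thread does not settle what the TCK expects there.
    """
    if configured_issuer is None:
        raise TokenRejected("mp.jwt.verify.issuer is not configured; refusing")
    iss = claims.get("iss")
    if not isinstance(iss, str) or not iss:
        raise TokenRejected("iss claim missing")
    if iss != configured_issuer:
        raise TokenRejected(f"iss {iss!r} does not match configured issuer")


def verify_token(token: str, secret: bytes, configured_issuer,
                 issuer_check=check_issuer_strict) -> dict:
    """Full check: signature, expiry (if present), then the issuer policy."""
    claims = _verify_signature_and_decode(token, secret)
    if "exp" in claims and time.time() >= claims["exp"]:
        raise TokenRejected("token expired")
    issuer_check(claims, configured_issuer)
    return claims


def accepts(token: str, secret: bytes, configured_issuer, issuer_check) -> bool:
    """True if the token would be admitted under the given issuer policy."""
    try:
        verify_token(token, secret, configured_issuer, issuer_check)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed, not a real key
    tok = mint_token({"iss": "https://issuer.example", "sub": "alice"}, secret)
    for configured in (None, "https://issuer.example", "https://other.example"):
        print(f"configured={configured!r:30} lenient={accepts(tok, secret, configured, check_issuer_lenient)!s:5} "
              f"strict={accepts(tok, secret, configured, check_issuer_strict)}")
```

Run it as a script and the first row shows the gap from the report: with nothing configured the lenient policy admits a token carrying an arbitrary issuer, while the strict policy refuses it. The `alg` pin and the constant-time `compare_digest` are there because a verifier that checks `iss` carefully but lets the header pick the algorithm has not gained much.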