Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11109

Elytron token-realm doesn't support unsigned tokens

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 7.1.0.ER1
    • 7.1.0.DR18
    • Security
    • None

      Verification of JWT tokens with empty signature part fails in Elytron.

      The Elytron token-realm can be configured to not verify JWT token signature.

      /subsystem=elytron/token-realm=JwtRealm:add(jwt={})

      The JWT specification describes tokens without signature in RFC 7519 Section 6.

      When user is comming with such a token the validation in Elytron fails.

      Sample token:

      eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc3MiOiJpc3N1ZXIud2lsZGZseS5vcmciLCJzdWIiOiJlbHl0cm9uQHdpbGRmbHkub3JnIiwiZXhwIjoyMDUxMjIyMzk5LCJhdWQiOiJlbHl0cm9uLXRlc3QifQ.

Header:
{
  "alg": "none",
  "typ": "JWT"
}

Payload:
{
  "iss": "issuer.wildfly.org",
  "sub": "elytron@wildfly.org",
  "exp": 2051222399,
  "aud": "elytron-test"
}

      The problem is probably in this piece of code in JwtValidator class:

              String[] parts = jwt.split("\\.");

        if (parts.length < 3) {
            throw log.tokenRealmJwtInvalidFormat();
        }

      Even if the token correctly contains 2 dots, the split returns array of lenght 2 (because the last part is empty). Additional negative-integer argument to the split() method could help here: 

      jwt.split("\\.", -1);

            jkalina@redhat.com Jan Kalina (Inactive)
            josef.cacek@gmail.com Josef Cacek (Inactive)
            Ondrej Kotek Ondrej Kotek
            Ondrej Kotek Ondrej Kotek
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: