Ayan Farooqui created OFBIZ-12724:
-------------------------------------

             Summary: JWT Authentication Error
                 Key: OFBIZ-12724
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12724
             Project: OFBiz
          Issue Type: Bug
          Components: framework/webapp
    Affects Versions: 17.12.09
         Environment: OS - Ubuntu 16.04
DB - MySql
            Reporter: Ayan Farooqui
             Fix For: Upcoming Branch


I have secured my Solr setup using solr.JWTAuthPlugin. I need to provide the 
algorithm name (HS512) and the secret key to verify the payload in solr. The 
rest api for my Solr setup will be triggered from OFBiz for which I am 
generating a JWT token and validating it.

Using the given key & following methods -

secret key - KeS5mHZGWAD6-5V9qwCE (This is a 120-bit key)

public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, int expireTime)

public static Map<String, Object> validateToken(String jwtToken, String key)

https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
 
When I use the above generated token and key in Solr I get the 
InvalidKeyException which says "The secret is only 120 bits, 512 bits is 
required by HS512." 
I suppose we should get such an exception in OFBiz also, when generating a token 
using a shorter than recommended key size.

As mentioned in the java-jwt docs:

"Ensure the length of the secret is at least 512 bit long" under the HMAC512 header 
(https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html)

But I am using only a 120-bit key (KeS5mHZGWAD6-5V9qwCE) in the 
validateToken(String jwtToken, String key) method and it is not throwing any 
exception for key size.

We should follow the rule and give a 512-bit key by default and provide 
validation based on the same rule.
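The check the report asks for, written as an added example rather than OFBiz's own JWTManager code: the key is measured in bits on the same bytes that are handed to java-jwt, rejected when it is below the documented 512-bit minimum for HS512, and a compliant default key is generated with SecureRandom. The class name, method names and the `subject` claim are assumptions; only `JWT`, `Algorithm.HMAC512`, `JWTVerifier` and `DecodedJWT` are real java-jwt API. Note that the 20-character key from the report is 160 bits when its UTF-8 bytes are used directly (as java-jwt's String overload does) and 120 bits if a consumer base64url-decodes it first, which would account for Solr's figure; either way it is far below 512 bits, so both signer and verifier should fail the same way.

```java
// Added example (not OFBiz's JWTManager): enforce the java-jwt documented
// minimum HMAC key length before signing or verifying an HS512 token.
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Date;

public class HmacKeyLengthCheck { // hypothetical class name

    // HS512 needs a key at least as long as its digest: 512 bits.
    private static final int HS512_MIN_BITS = 512;

    /** Throws if the raw key material is shorter than the algorithm requires. */
    static void requireKeyBits(byte[] secret, int minBits, String alg) {
        int bits = secret.length * 8;
        if (bits < minBits) {
            throw new IllegalArgumentException(
                "The secret is only " + bits + " bits, " + minBits
                + " bits is required by " + alg);
        }
    }

    /** Generates a 512-bit random key and returns it base64url-encoded (no padding). */
    static String generateDefaultKey() {
        byte[] raw = new byte[HS512_MIN_BITS / 8];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Builds the HS512 algorithm only after the key length has been validated. */
    static Algorithm hmac512(String secret) {
        // Measure the exact bytes that java-jwt will use as the HMAC key.
        byte[] bytes = secret.getBytes(StandardCharsets.UTF_8);
        requireKeyBits(bytes, HS512_MIN_BITS, "HS512");
        return Algorithm.HMAC512(bytes);
    }

    static String createJwt(String secret, String subject, int expireSeconds) {
        Algorithm alg = hmac512(secret); // fails fast on a short key
        return JWT.create()
                .withSubject(subject)
                .withExpiresAt(new Date(System.currentTimeMillis() + expireSeconds * 1000L))
                .sign(alg);
    }

    static DecodedJWT validateToken(String token, String secret) {
        JWTVerifier verifier = JWT.require(hmac512(secret)).build(); // same check on verify
        return verifier.verify(token);
    }

    public static void main(String[] args) {
        // The 20-character key from the report: 160 bits as UTF-8, so it is rejected.
        String shortKey = "KeS5mHZGWAD6-5V9qwCE";
        try {
            createJwt(shortKey, "demo-user", 300);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A generated default key: 64 random bytes -> 86 base64url characters,
        // 688 bits as UTF-8, so signing and verification succeed.
        String key = generateDefaultKey();
        String token = createJwt(key, "demo-user", 300);
        System.out.println("subject: " + validateToken(token, key).getSubject());
    }
}
```

The same `requireKeyBits` check runs on both the signing and the verifying path, so a misconfigured key is caught at token creation in OFBiz rather than surfacing later as an InvalidKeyException in the consumer (Solr in the report). The bit count is taken from the UTF-8 bytes because that is what `Algorithm.HMAC512(String)` uses internally; if a deployment instead stores the secret base64url-encoded, decode it before measuring so that the check agrees with the consumer's interpretation.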



--
This message was sent by Atlassian Jira
(v8.20.10#820010)