THALES GROUP LIMITED DISTRIBUTION to email recipients 

Hello Zoltan,

My JSON JWT representation is:

Header:
{
  "kid": "abc-1234567890",
  "alg": "RS384"
}

Payload:
{
  "iss": "https://server.example.com";,
  "jti": "a-123",
  "exp": 2026238400,
  "iat": 1679083200,
  "sub": "24400320",
  "upn": "j...@server.example.com",
  "groups": [
    "red-group",
    "green-group",
    "admin-group",
    "admin"
  ]
}

+ signature 

In the HTTP Authorization header I have: <Header JSON B64 encoded>.<Payload 
JSON B64 encoded>.<signature of [B64 header].[B64 Payload]>

So again, what's wrong?

Best Regards.

-----Original Message-----
From: Tichov Zoltán <tichov.zol...@falconsoft.hu> 
Sent: Thursday 4 April 2024 12:38
To: users@tomee.apache.org
Subject: Re: JWT issue TomEE 9.1.2 micro-profile flavor

Hi Francois!

You are right, sorry the "alg" value is "RS256".

I generate the token with this code:

import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Date;
import java.util.List;
import java.util.Map;
import io.jsonwebtoken.Jwts;

// PRIVATE_KEY, PUBLIC_KEY, ROLE_CLAIM, EXPIRATION, log and decodeKeyPair()
// are defined elsewhere in the class
public String generateToken(String name) {
    long now = System.currentTimeMillis();
    try {
        KeyPair decodedKeyPair = decodeKeyPair(PRIVATE_KEY, PUBLIC_KEY);
        return Jwts.builder()
                .subject(name)
                .claim(ROLE_CLAIM, List.of("user"))
                .issuer("issuer")
                // the JOSE header parameter is "typ" (RFC 7515), not "type"
                .header().add(Map.of("typ", "JWT")).and()
                .issuedAt(new Date(now))
                .expiration(new Date(now + EXPIRATION))
                // signWith(Key) picks the RS* algorithm from the RSA key; here it yields "RS256"
                .signWith(decodedKeyPair.getPrivate())
                .compact();
    } catch (NoSuchAlgorithmException | InvalidKeySpecException ex) {
        log.error("Exception at generateToken", ex);  // keep the cause in the log
    }
    return "";
}

I'm using these dependencies:

  <dependency>
      <groupId>io.jsonwebtoken</groupId>
      <artifactId>jjwt</artifactId>
      <version>0.12.5</version>
  </dependency>
  <dependency>
      <groupId>io.jsonwebtoken</groupId>
      <artifactId>jjwt-api</artifactId>
      <version>0.12.5</version>
  </dependency>

Best regards:

Zoltán


On 2024. 04. 04. 12:10, COURTAULT Francois wrote:
>
> Hello again,
>
> I added the typ but it doesn't work.
>
> Normally the alg value should be RS256 or RS384 (my try) and not RSA256 or 
> RSA384 according to the spec.
>
> But I will try anyway with RSA384 instead of RS384 but I have some doubts 
> that it could work.
> Moreover, I had a look at AlgorithmIdentifiers.java from this library and 
> there is no RSA stuff in there.
> What's more, the JWT library included in TomEE 9.1.2 is the same as the one I 
> use to generate my signed JWT.
>
> The doubt I have is confirmed: I can't compile my source code with this line:
> JsonWebSignature jws = new JsonWebSignature(); ...
> jws.setAlgorithmHeaderValue("RSA256"); or  
> jws.setAlgorithmHeaderValue("RSA384");
>
> I am only allowed to do this:
> jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);  
> // AlgorithmIdentifiers.RSA_USING_SHA256 is RS256 
> jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA384);  
> // AlgorithmIdentifiers.RSA_USING_SHA384 is RS384 
> jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA512);  
> // AlgorithmIdentifiers.RSA_USING_SHA512 is RS512
>
> Best Regards.
>
> -----Original Message-----
> From: Tichov Zoltán <tichov.zol...@falconsoft.hu>
> Sent: Thursday 4 April 2024 11:48
> To: users@tomee.apache.org
> Subject: Re: JWT issue TomEE 9.1.2 micro-profile flavor
>
> Hi Francois!
>
> I think that the "alg" : "RSA256" is more important in the token header than 
> the "type".
>
> Best regards:
>
> Zoltán
>
> On 2024. 04. 04. 11:42, COURTAULT Francois wrote:
>>
>> Hello Zoltan,
>>
>> I don't know why I wrote Victor in my previous post ☹
>>
>> Sorry about that.
>>
>> Your point is that the typ field is missing in my signed JWT header, right?
>>
>> I believed that this one is not mandatory.
>>
>> Looking at microprofile-jwt-auth-spec-2.0.pdf, typ is recommended but 
>> not required.
>>
>> Anyway I will try and let you know.
>>
>> Best Regards.
>>
>> From: Tichov Zoltán <tichov.zol...@falconsoft.hu>
>> Sent: Thursday 4 April 2024 11:34
>> To: users@tomee.apache.org
>> Subject: Re: JWT issue TomEE 9.1.2 micro-profile flavor
>>
>> Hi Francois!
>>
>> Try to generate the token with  "alg" : "RSA256" and "type" : "JWT".
>>
>> Best regards:
>>
>> Zoltán
>>
>> On 2024. 04. 04. 11:18, COURTAULT Francois wrote:
>>
>>      Hello Victor,
>>
>>      I use this library:
>>
>>      <dependencies>
>>          <dependency>
>>              <groupId>org.bitbucket.b_c</groupId>
>>              <artifactId>jose4j</artifactId>
>>              <version>0.9.6</version>
>>          </dependency>
>>      </dependencies>
>>
>>      to create the JWT.
>>
>>      Best Regards.
>>
>>      -----Original Message-----
>>      From: Tichov Zoltán <tichov.zol...@falconsoft.hu>
>>      Sent: Thursday 4 April 2024 11:06
>>      To: users@tomee.apache.org
>>      Subject: Re: JWT issue TomEE 9.1.2 micro-profile flavor
>>
>>      Hi Francois!
>>
>>      How did you generate the token?
>>
>>      Best regards
>>
>>      On 2024. 04. 04. 10:38, COURTAULT Francois wrote:
>>
>>          Hello everyone,
>>
>>          I built a war with a class which extends Application and is annotated
>>          with @LoginConfig(authMethod = "MP-JWT"). I have created a signed JWT
>>          which is OK when I validate it (public key provided) using the jwt.io
>>          web site.
>>
>>          I want to test this signed JWT with my war.
>>
>>          In this one, under META-INF, I have created a
>>          microprofile-config.properties with the following entries:
>>
>>          mp.jwt.verify.publickey=MIIBojANBgkqhkiG9w0BAQEFAAO...  (the same
>>          public key that I have used to validate the signed JWT using the jwt.io
>>          web site)
>>          mp.jwt.verify.issuer=https://server.example.com
>>
>>          Then I run a curl with -H "Authorization: Bearer
>>          eyJraWQiOiJhYmMtMTIzNDU2Nzg5MCIsImFsZyI6IlJTMzg0In0.ey ..." (the
>>          same signed JWT I used on the jwt.io web site) and I got this:
>>
>>              *   at client side: ...HTTP Status 401 - Unauthorized ...
>>                  Invalid or not parsable JWT
>>
>>              *   at server side:
>>
>>          04-Apr-2024 10:14:31.255 WARNING [http-nio-8080-exec-5]
>>          org.apache.tomee.microprofile.jwt.MPJWTFilter$ValidateJSonWebToken.parse JWT
>>          processing failed. Additional details: [[17] Unable to process JOSE object
>>          (cause: org.jose4j.lang.InvalidKeyException: The given key (key is null) is
>>          not valid for SHA384withRSA):
>>          JsonWebSignature{"kid":"abc-1234567890","alg":"RS384"}->
>>          eyJraWQiOiJhYmMtMTIzNDU2Nzg5MCIsImFsZyI6IlJTMzg0In0.ey...
>>
>>          What's wrong?
>>
>>          Best Regards.
>>
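
Added example, not code from anyone in this thread: a stand-alone jose4j 0.9.6 program (the library Francois uses, and which he says is the one bundled in TomEE 9.1.2) that builds a token with the header and claims shown at the top of the thread, loads a public key from a value in the same shape as the mp.jwt.verify.publickey entry (base64 of the X.509 SubjectPublicKeyInfo, with or without PEM armour), and then verifies the token the way an MP-JWT consumer is expected to: signature checked against the configured key, "alg" pinned to RS384 so no other algorithm is accepted, expected issuer, exp and sub required. The generated key pair, the loadPublicKey helper, the upn value and the class name are the example's own assumptions; how TomEE itself parses the mp.jwt.verify.publickey string is not established by the thread.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import org.jose4j.jws.AlgorithmConstraints;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

// Example class (hypothetical name); needs org.bitbucket.b_c:jose4j:0.9.6 on the classpath.
public class Rs384JwtCheck {

    static final String ISSUER = "https://server.example.com";
    static final String KID = "abc-1234567890";

    // Build a token with the same header and claim layout as the one in the thread.
    static String sign(KeyPair keyPair) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(ISSUER);
        claims.setJwtId("a-123");
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(60);
        claims.setSubject("24400320");
        claims.setClaim("upn", "j...@server.example.com");   // assumed value
        claims.setStringListClaim("groups", "red-group", "green-group", "admin-group", "admin");

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(keyPair.getPrivate());
        jws.setKeyIdHeaderValue(KID);
        jws.setHeader("typ", "JWT");                        // "typ", not "type" (RFC 7515 section 4.1.9)
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA384);  // "RS384"
        return jws.getCompactSerialization();
    }

    // Example's own loader for a value shaped like the mp.jwt.verify.publickey entry:
    // base64 of the DER SubjectPublicKeyInfo, PEM armour and whitespace tolerated.
    // This is NOT TomEE's config parser; it only shows whether the string is a loadable key.
    static PublicKey loadPublicKey(String configValue) throws Exception {
        String b64 = configValue
                .replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    // Verify as an MP-JWT consumer should: configured key only, RS384 only,
    // the configured issuer, exp and sub required, a little clock skew tolerated.
    static JwtClaims verify(String token, PublicKey key) throws InvalidJwtException {
        JwtConsumer consumer = new JwtConsumerBuilder()
                .setVerificationKey(key)
                .setJwsAlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                                            AlgorithmIdentifiers.RSA_USING_SHA384)
                .setExpectedIssuer(ISSUER)
                .setRequireExpirationTime()
                .setRequireSubject()
                .setAllowedClockSkewInSeconds(30)
                .build();
        return consumer.processToClaims(token);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair keyPair = gen.generateKeyPair();   // throwaway key pair for the demo

        // Same representation as the thread's config entry: base64 of the X.509 SPKI DER.
        String configValue = Base64.getEncoder().encodeToString(keyPair.getPublic().getEncoded());

        String token = sign(keyPair);
        JwtClaims claims = verify(token, loadPublicKey(configValue));
        System.out.println("verified: sub=" + claims.getSubject()
                + " groups=" + claims.getStringListClaimValue("groups"));

        // With no key at all the consumer fails the same way the server log in the
        // thread shows (InvalidKeyException wrapped in "Unable to process JOSE object").
        try {
            verify(token, null);
        } catch (InvalidJwtException e) {
            System.out.println("no key -> " + e.getMessage());
        }
    }
}
```

To use it against the real setup, replace configValue with the actual mp.jwt.verify.publickey string and token with the actual bearer token: if loadPublicKey throws, the string is not a base64 SubjectPublicKeyInfo that Java's KeyFactory accepts; if it loads and verify returns the claims, key and token agree with each other and what remains is how the server reads the config entry (the microprofile-jwt-auth-spec-2.0 document Francois cites lists the accepted formats for that property). Pinning the consumer to RS384 is deliberate: a verifier that accepts whatever "alg" the token names is the classic JWT mistake, and the thread's confusion between RS384 and RSA384 is a reminder that the identifier is part of the contract.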
