OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

JsonWebToken does not seems to be @RequestScoped (race condition) #26163

Open Kiiv opened 11 months ago

Kiiv commented 11 months ago

Describe the bug
When trying to inject JsonWebToken via CDI in an @ApplicationScoped bean we sometimes get the token of another request.

In the specification we can read :

An MP-JWT implementation must support the injection of the currently authenticated caller as a JsonWebToken with @RequestScoped scoping which must work even if the outer bean is @ApplicationScoped

Maybe I've missed something but DefaultJsonWebTokenImpl is not annotated @RequestScoped so it could be the cause of my problem.

Steps to Reproduce
I'm injecting the JsonWebToken object as follows:

// Imports added for completeness (jakarta.* namespace assumed; IServerResource
// and Roles are the reporter's own types and are not shown).
import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.ws.rs.Path;
import org.eclipse.microprofile.jwt.JsonWebToken;

@ApplicationScoped
@Path("/mypath")
public class ServerResource implements IServerResource {

  // Single resource instance for the whole application; the injected token
  // must therefore resolve to the current request on every call.
  @Inject
  private JsonWebToken callerPrincipal;

  @Override
  @RolesAllowed({ Roles.TEST })
  public String testapi() {
    // Prints a claim that should differ between requests from different callers.
    System.out.println(callerPrincipal.getClaim("uniqueId"));

    return "OK";
  }

}

As you can see, my REST resource is annotated @ApplicationScoped. Under heavy load I sometimes get the same JsonWebToken for two different requests: the same "uniqueId" is printed several times.

Expected behavior
I should get the JsonWebToken linked to my request even if the outer bean is @ApplicationScoped

Diagnostic information:

jdmcclur commented 11 months ago

@Kiiv - I have tried to reproduce this, but I have been unable to reproduce the problem. Can you share how you are generating the JWTs and applying the load?

Kiiv commented 11 months ago

Shame on me, I've missed something on the client side inducing same token sent multiple times... So sorry for the time lost on this...

Just to understand, DefaultJsonWebTokenImpl not being @RequestScoped, does that not imply it will be @Dependent and so its lifecycle linked to the @ApplicationScoped outer bean?

ayoho commented 11 months ago

@Kiiv I believe an instance of the com.ibm.ws.security.mp.jwt.principal.PrincipalBean class is actually the bean being injected when doing

@Inject
private JsonWebToken jwt;

That class is annotated like so:

@Alternative
@Priority(100)
@RequestScoped
public class PrincipalBean implements JsonWebToken {

That should ensure the injected JWT is properly scoped to the request.
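The quickest way to tell the two explanations discussed in this thread apart (a client resending one token versus a genuinely wrong injection) is to compare the injected JsonWebToken with the bearer token carried by the same request. The filter below is an added diagnostic, not code from this thread or from Open Liberty; it assumes the jakarta.* namespace and that it runs on endpoints already authenticated by MP JWT, so the injected token is populated.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.logging.Logger;
import jakarta.inject.Inject;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.ext.Provider;
import org.eclipse.microprofile.jwt.JsonWebToken;

// Hypothetical diagnostic filter; not part of Open Liberty or of the reporter's application.
@Provider
public class JwtConsistencyFilter implements ContainerRequestFilter {

    private static final Logger LOG = Logger.getLogger(JwtConsistencyFilter.class.getName());

    // JAX-RS providers are singletons, so this mirrors the reporter's @ApplicationScoped
    // resource: the field holds a request-scoped client proxy (PrincipalBean), and each
    // method call on it resolves to the token of the current request.
    @Inject
    private JsonWebToken injectedToken;

    @Override
    public void filter(ContainerRequestContext ctx) {
        Optional<String> headerToken = extractBearer(ctx.getHeaderString("Authorization"));
        String raw = injectedToken.getRawToken();
        if (headerToken.isEmpty() || raw == null) {
            return; // no bearer credential on this request: nothing to compare
        }
        if (headerToken.get().equals(raw)) {
            // Injection is correct for this request. If the same jti still appears on
            // several requests, the client sent the same token more than once.
            LOG.info(() -> "JWT jti=" + injectedToken.getTokenID() + " sub="
                    + injectedToken.getSubject() + " matches the Authorization header");
        } else {
            // This branch would indicate a real server-side scoping problem.
            LOG.severe(() -> "Injected JWT (jti=" + injectedToken.getTokenID()
                    + ") differs from the token in the Authorization header");
        }
    }

    // Returns the credential from a "Bearer <token>" header, if present (scheme is case-insensitive).
    static Optional<String> extractBearer(String header) {
        if (header == null) {
            return Optional.empty();
        }
        String trimmed = header.trim();
        if (trimmed.length() <= 7 || !trimmed.substring(0, 7).toLowerCase(Locale.ROOT).equals("bearer ")) {
            return Optional.empty();
        }
        return Optional.of(trimmed.substring(7).trim()).filter(t -> !t.isEmpty());
    }
}
```

Run the load test with this filter registered: repeated jti values accompanied only by "matches" entries point at the client, while any "differs" entry is worth a new issue.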