OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

SEC-25 - JWT Interoperability between Spring & MicroProfile #9004

Open atosak opened 5 years ago

atosak commented 5 years ago

We discovered that JWTs created by Spring apps won't work with microservices secured with MP JWT. MP and Liberty appear to have a strict(er) interpretation of the specifications compared to Spring.

For polyglot cloud-native environments, this is a significant issue since the underlying framework of choice affects how the services can talk to each other and in this case, limit users to exclusively either Spring or MicroProfile.

This needs to be addressed too if Liberty shall support both Spring and MicroProfile as first-class citizens.


We found these as we built an MP-based impl of BlueCompute that was originally done with Spring: https://github.com/ibm-cloud-architecture/refarch-cloudnative-micro-inventory/

Examples of issues encountered:

CWWKS1737E: The OpenID Connect client [bluecomputeweb] failed to validate the JSON Web Token. The cause of the error was: [JWT (claims->{"exp":1518598320,"user_name":"user","authorities":["ROLE_USER"],"jti":"878ccb97-4f2d-4038-b25f-067bc870acf3","client_id":"bluecomputeweb","scope":["blue"]}) rejected due to invalid claims. Additional details: [No Subject (sub) claim is present.]]

[INFO] [ERROR ] CWWKS1743E: The token validation failed. Another JSON Web Token (JWT) with the same 'iss':[null] and 'jti':[5dbaa7df-748a-4ba8-aa0c-fe097665fe28] has already been received.

atosak commented 5 years ago

Comment from YK: An Auth service implemented with Spring Security generated tokens that could not be validated by Liberty. We tried securing the REST endpoints on Liberty with oidcClient and jwt as well as mpJwt and both failed IIRC.

So, we then had to reimplement the Auth service as an OIDC provider to make it work with REST endpoints secured with mpJwt.

atosak commented 5 years ago

Comment from YK: The other issue that we had was that Spring supports HS256. While this isn't very strong or recommended, it was easy for users or developers to get going. At least, to try things out. Liberty didn't (and perhaps still doesn't) support it for mpJwt, which added to the trouble of getting things going.
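The two behaviours this thread runs into (a token rejected because it carries no `sub` claim, and a second presentation of the same `jti` rejected as a replay even when `iss` is null) plus the HS256 point above can be reproduced with a small stand-alone verifier. The following is an added example written for this page; it is not code from Open Liberty, MicroProfile JWT or Spring Security. It uses only the Python standard library, signs with a constructed HS256 secret, models the Spring-style claim set on the log line in the first comment (with a constructed `jti`), and applies an algorithm allowlist so a verifier configured without HS256 refuses such tokens outright, as the mpJwt feature in the thread did.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the HS256 tokens in this example (not a real key).
DEMO_HS256_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT the way a shared-secret auth service would."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(claims))}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


class StrictJwtValidator:
    """Strict checks in the spirit of the issue: algorithm allowlist, signature,
    required 'sub', expiry, and replay detection keyed by (iss, jti)."""

    def __init__(self, allowed_algs, secret=None):
        self.allowed_algs = set(allowed_algs)
        self.secret = secret
        self.seen_jti = set()  # (iss, jti) pairs already accepted by this verifier
        self._verifiers = {"HS256": self._verify_hs256}  # only HS256 is implemented here

    def _verify_hs256(self, signing_input: str, sig: bytes) -> bool:
        expected = hmac.new(self.secret, signing_input.encode("ascii"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def validate(self, token: str, now=None):
        """Return (accepted, reason). Rejection reasons mirror the thread's log lines."""
        now = time.time() if now is None else now
        try:
            h_b64, c_b64, s_b64 = token.split(".")
            header = json.loads(_b64url_decode(h_b64))
            claims = json.loads(_b64url_decode(c_b64))
        except ValueError:
            return False, "Malformed token"
        alg = header.get("alg")
        if alg not in self.allowed_algs:
            return False, f"Algorithm {alg!r} is not enabled for this verifier"
        verify = self._verifiers.get(alg)
        if verify is None:
            return False, f"No verifier implemented for {alg!r}"
        if not verify(f"{h_b64}.{c_b64}", _b64url_decode(s_b64)):
            return False, "Signature check failed"
        if "sub" not in claims:
            return False, "No Subject (sub) claim is present."
        if "exp" in claims and claims["exp"] <= now:
            return False, "Token has expired"
        jti = claims.get("jti")
        if jti is not None:
            key = (claims.get("iss"), jti)  # iss may be None, as in the CWWKS1743E line
            if key in self.seen_jti:
                return False, f"JWT with the same 'iss':[{key[0]}] and 'jti':[{jti}] has already been received."
            self.seen_jti.add(key)
        return True, "ok"


def demo():
    now = 1_700_000_000  # constructed fixed clock so results are reproducible
    # Constructed Spring-style claim set: no 'sub' and no 'iss', like the token in the issue.
    spring_claims = {"exp": now + 3600, "user_name": "user", "authorities": ["ROLE_USER"],
                     "jti": "demo-jti-0001", "client_id": "bluecomputeweb", "scope": ["blue"]}
    token = make_hs256_token(spring_claims, DEMO_HS256_SECRET)
    results = {}
    # A verifier with HS256 not enabled never reaches the claim checks.
    rs_only = StrictJwtValidator(allowed_algs={"RS256"})
    results["hs256_not_enabled"] = rs_only.validate(token, now)
    # HS256 enabled, but the claim set still lacks 'sub'.
    hs = StrictJwtValidator(allowed_algs={"HS256"}, secret=DEMO_HS256_SECRET)
    results["missing_sub"] = hs.validate(token, now)
    # Adding 'sub' makes the token acceptable once; the second presentation is a replay.
    fixed = make_hs256_token({**spring_claims, "sub": "user"}, DEMO_HS256_SECRET)
    results["first_use"] = hs.validate(fixed, now)
    results["replay"] = hs.validate(fixed, now)
    # Re-using the signature over a different payload fails the signature check.
    h_b64, _, s_b64 = token.split(".")
    tampered = ".".join([h_b64, _b64url_encode(b'{"sub":"admin","jti":"demo-jti-0002"}'), s_b64])
    results["tampered"] = hs.validate(tampered, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The replay set lives in memory, so it only protects a single verifier process; a real deployment shares that state (or bounds it by `exp`) across replicas. The allowlist also makes the trade-off in YK's comment explicit: enabling HS256 means every verifying service holds the same secret that mints tokens, which is why an asymmetric algorithm is the default expectation for cross-service JWTs.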

atosak commented 5 years ago

https://github.com/OpenLiberty/open-liberty/issues/6038