eclipse / microprofile-jwt-auth

Apache License 2.0

RolesAllowedSignEncryptTest.callEchoSignToken TCK test challenge #297

Closed Verdent closed 2 years ago

Verdent commented 2 years ago

Hi, I would like to ask, why is it expected for this test to pass?

This is how I understand it:

  1. The public key for signature verification is provided via the createDeployment() method.
  2. The JWT is signed with a private key in the test and sent to the test endpoint.
  3. During the validation process we extract kid and alg from the signed JWT headers.
  4. There is no public key for verification bound to the corresponding kid, so we fall back to the public key provided in step one.
  5. Validation passes and the test fails.

What am I getting incorrectly here?

For example, the test EmptyTokenTest.validToken does exactly the same thing in terms of not having any public key bound to the kid, and this time validation is expected to pass.

If we did not fall back to the public key that had no kid assigned, the first mentioned test would pass, but the second would fail.

sberyozkin commented 2 years ago

Hi @Verdent. The reason the failure is expected is that the test endpoint expects an inner-signed encrypted token, so successful verification is not enough: the token has to be decrypted first. However, the test sends a signed-only token.

See https://download.eclipse.org/microprofile/microprofile-jwt-auth-1.2/microprofile-jwt-auth-spec-1.2.html#_requirements_for_accepting_signed_and_encrypted_tokens
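The rule sberyozkin points to, shown as an added example that is not code from this thread or from the MicroProfile project: an acceptance gate that rejects a signed-only token whenever a decryption key is configured, even though the signature itself verifies. HS256 with a constructed shared secret stands in for the RS256 keys the TCK uses (the standard library has no RSA or JWE support), the JWE decryption step is supplied by the caller, and all names are my own.

```python
import base64, hashlib, hmac, json
from typing import Callable, Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes, kid: str = "demo-kid") -> str:
    """Build a signed-only token (JWS compact serialization, 3 segments)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> dict:
    """Verify a JWS and return its claims; raises ValueError on any mismatch."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg header")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("signature does not verify")
    return json.loads(_unb64url(payload))

def accept(token: str, verify_key: bytes,
           decrypt: Optional[Callable[[str], str]]) -> dict:
    """Acceptance gate. `decrypt` is the configured decryption step (None when
    no decryption key is configured). With decryption configured, a signed-only
    token is rejected even though its signature would verify."""
    segments = token.count(".") + 1
    if segments == 5:  # JWE compact serialization
        if decrypt is None:
            raise ValueError("encrypted token but no decryption key configured")
        inner = decrypt(token)  # caller-supplied JWE decryption (assumption)
        if inner.count(".") + 1 != 3:
            raise ValueError("inner token must be a signed JWT")
        return verify_hs256(inner, verify_key)
    if segments == 3:  # JWS compact serialization
        if decrypt is not None:
            raise ValueError("signed-only token rejected: endpoint requires a "
                             "signed and encrypted token")
        return verify_hs256(token, verify_key)
    raise ValueError("not a compact JWS or JWE")
```

The rejection reason is what callEchoSignToken relies on: the signed-only token is refused before any signature check, not because verification fails.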

sberyozkin commented 2 years ago

We'll need to discuss dynamic token verification in more detail for 3.0, hopefully in the scope of the multi-tenant support.

Verdent commented 2 years ago

@sberyozkin Thank you for the clarification. I had completely missed that. :-)

Closing issue