gentics / mesh

Gentics Mesh - The open source headless CMS for developers
https://getmesh.io
Apache License 2.0

MeshLocalServer - setAlgorithm does not change the algorithm in JWT class - it still expects a HS256 token #1120

Open bbelghith opened 4 years ago

bbelghith commented 4 years ago

Gentics Mesh Version, operating system, or hardware.

Operating System

JVM

Problem

I have to develop a plugin for Gentics Mesh using access tokens from Keycloak. Those tokens are issued in RSA256 and the standard algorithm in Gentics Mesh is HS256. MeshLocalServer offers a method called setAlgorithm but it is still not accepting my Keycloak token. I also cannot simply install the public key from Keycloak in the keystore because it is created during time.

So please allow me to change the algorithm on which JWT is decoding and verifying my access token.

Reproducer

Expected behaviour and actual behaviour

Jotschi commented 4 years ago

Support for custom algorithms is currently limited to HS256. It is possible to configure the algorithm but depending on the chosen algo it may be required to modify the core code to support it. Additionally this would only work if the keystore file contains the needed certificates and keys to sign the issued JWTs.

We use the JWTAuth code of Vert.x https://vertx.io/docs/vertx-auth-jwt/js/ which we configure here: https://github.com/gentics/mesh/blob/dev/common/src/main/java/com/gentics/mesh/auth/provider/MeshJWTAuthProvider.java#L83

I suspect that the options JWTAuthOptions lack the needed algo information for JWT. https://vertx.io/docs/apidocs/io/vertx/ext/auth/JWTOptions.html

We would welcome any contribution which includes tests and additional changes to support other algos.
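The behaviour discussed above (the server verifying against the algorithm it is configured for, regardless of what the token's header claims) as an added illustration; this is Python written for this thread, not code from Gentics Mesh or Vert.x, and the `rs256_verify` callback is an assumed hook for an external RSA library since the standard library only covers HMAC:

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(data: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, secret: bytes) -> str:
    # Constructed test helper: mints an HS256 token the way a symmetric issuer would
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, expected_alg: str, key: bytes, rs256_verify=None) -> dict:
    # expected_alg is what the server is configured for; the token's own 'alg'
    # header may only confirm it, never select which check runs
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"token alg {header.get('alg')!r} != configured {expected_alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    signature = _b64url_decode(sig_b64)
    if expected_alg == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("bad HMAC signature")
    elif expected_alg == "RS256":
        # RSA needs a crypto library; the caller injects the verifier (assumption)
        if rs256_verify is None or not rs256_verify(key, signing_input, signature):
            raise ValueError("bad RSA signature")
    else:
        raise ValueError(f"unsupported algorithm {expected_alg!r}")
    return json.loads(_b64url_decode(payload_b64))
```

A server configured for HS256 rejects an RS256 Keycloak token on the header check alone, which is the mismatch reported in this issue; the same pinning also stops a token from switching the server to a different algorithm than the one it was configured with.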

bbelghith commented 4 years ago

I was now able to use Gentics Mesh with RSA256 - so far it does work. HS256 is not sufficient - particularly not for admin accounts. Secrets are sent in plain text. Keycloak uses RSA256 by default, and it is also more difficult to use access tokens with two different algorithms.

I would rather remove the vertx library and choose another one. It has a couple of flaws. Always having to set the algorithm before you can verify something is one of them. In addition, everything is based on key aliases, which users often use randomly in their keystore. Not very stable. In addition, even big solutions use aliases inconsistently.

For example Keycloak is using RSA256 as "alg" for which that library is not finding a match - because it uses the alias "RS256".

The project seems to need manpower. I am a software architect from Karlsruhe/Germany and can help you to improve the code base if you can allow me to be a contributor.

mephinet commented 3 years ago

Hi @bbelghith, we are happy to have you as a contributor - this is open source software. Once you open your first pull request, you will be automagically asked to sign our CLA. Once it is signed, we're happy to merge your improvements (if they meet our requirements, of course).