quarkiverse / quarkus-renarde

Server-side Web Framework with Qute templating, magic/easier controllers, auth, reverse-routing
Apache License 2.0

JWT vs JWE with Renarde #77

Closed nderwin closed 1 year ago

nderwin commented 1 year ago

I have an existing Quarkus project that is set up to use a JWT for securing REST endpoints, configured with mp.jwt.verify.publickey and mp.jwt.verify.publickey.algorithm (it integrates with an existing system that is generating the tokens). I would like to add Renarde to the project for generating a UI for it; however, when the quarkus-renarde dependency is added, it causes the existing endpoints to fail authentication:

2022-11-06 14:22:15,949 DEBUG [org.jbo.res.rea.com.cor.AbstractResteasyReactiveContext] (vert.x-eventloop-thread-0) Restarting handler chain for exception exception: io.quarkus.security.AuthenticationFailedException
...
Caused by: io.smallrye.jwt.auth.principal.ParseException: SRJWT07013: Encrypted token sequence is invalid
...
Caused by: org.jose4j.lang.JoseException: A JWE Compact Serialization must have exactly 5 parts separated by period ('.') characters

Is there any way to configure Renarde to use the existing public key for the un-encrypted JWTs, instead of generating key files and expecting encrypted JWTs?
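An added example, not part of the original issue and not code from Renarde or SmallRye JWT: a format check that tells a signed JWT (JWS, 3 parts) from a JWE (5 parts) by part count and protected header, which is the distinction behind the error in the log above. The function names, the `verifier_expects_encrypted` flag and the sample tokens are assumptions made for illustration.

```python
import base64
import json

def b64url_decode(segment):
    """Decode unpadded base64url, the encoding JOSE compact forms use."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def classify_compact_token(token):
    """Classify a compact token by shape and protected header only.

    Nothing is verified or decrypted; this is a format check.
    """
    parts = token.strip().split(".")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        header = None
    if not isinstance(header, dict):
        return {"kind": "invalid", "parts": len(parts), "alg": None, "enc": None}
    info = {"parts": len(parts), "alg": header.get("alg"), "enc": header.get("enc")}
    if len(parts) == 5 and "enc" in header:
        info["kind"] = "JWE"   # header.encrypted_key.iv.ciphertext.tag
    elif len(parts) == 3 and "enc" not in header:
        info["kind"] = "JWS"   # header.payload.signature
    else:
        info["kind"] = "invalid"
    return info

def explain_mismatch(token, verifier_expects_encrypted):
    """Hypothetical helper: compare token kind with what the verifier expects."""
    kind = classify_compact_token(token)["kind"]
    if kind == "invalid":
        return "token is neither a well-formed JWS nor JWE"
    if verifier_expects_encrypted and kind == "JWS":
        return "signed-only JWT sent to a verifier that expects a JWE (5 parts)"
    if not verifier_expects_encrypted and kind == "JWE":
        return "encrypted JWE sent to a verifier that expects a signed JWT (3 parts)"
    return "token kind matches verifier expectation"

# Constructed sample tokens: headers are real JSON, other segments are placeholders.
SIGNED = ".".join([b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
                   b64url_encode(b'{"sub":"constructed-user"}'), "c2ln"])
ENCRYPTED = ".".join([b64url_encode(b'{"alg":"RSA-OAEP","enc":"A256GCM"}'),
                      "a2V5", "aXY", "Y3Q", "dGFn"])

if __name__ == "__main__":
    for name, tok in (("signed", SIGNED), ("encrypted", ENCRYPTED)):
        print(name, classify_compact_token(tok), explain_mismatch(tok, True))
```

Running the classifier on the token a client actually sends shows whether a 401 comes from a format mismatch like this one or from a key or signature problem.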

FroMage commented 1 year ago

Do you have any reproducer?

nderwin commented 1 year ago

> Do you have any reproducer?

I'll try to create one and attach here.

nderwin commented 1 year ago

Here's a reproducer. Steps to recreate:

  1. ./mvnw clean compile quarkus:dev
  2. curl -i -H 'Authorization: Bearer <token>' http://localhost:8080/hello - an example token is in the jwt.txt file in the project root
  3. the response status should be 200 with a body of "Hello from RESTEasy Reactive"
  4. uncomment the 2 renarde dependencies in the pom.xml, and uncomment all of the code in the User and MySecuritySetup classes
  5. re-run step 1 and 2
  6. note that the response status is now 401; debug logging from Quarkus gives the above-mentioned error about JWE Compact Serialization

code-with-quarkus.zip

nderwin commented 1 year ago

Might be due to https://github.com/quarkiverse/quarkus-renarde/blob/09c01766e5fe49353b43f1d51b1451ea9cdda27a/deployment/src/main/java/io/quarkiverse/renarde/deployment/RenardeProcessor.java#L190 expecting smallrye.jwt.encrypt.key.location to be set?

nderwin commented 1 year ago

https://github.com/quarkiverse/quarkus-renarde/pull/88 could be a fix, if it doesn't conflict with the project goals.