quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

No way to configure `iat` claim as optional in `quarkus-oidc` #34365

Closed Eng-Fouad closed 1 year ago

Eng-Fouad commented 1 year ago

Describe the bug

quarkus-oidc currently enforces iat as a mandatory claim and there is no way to make it optional:

https://github.com/quarkusio/quarkus/blob/e59f6d4a7983fa87ad217d629740813043beecd3/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProvider.java#L175

When the CIBA flow is used with Keycloak, Keycloak will call the endpoint that is specified in --spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri and will pass a JWT in the Authorization header. This JWT has no iat claim.

%dev.quarkus.keycloak.devservices.start-command=start --storage=chm --http-enabled=true --hostname-strict=false --hostname-strict-https=false --spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri http://host.docker.internal:9999/ciba/callback

I got the following error:

JWT ... rejected due to invalid claims or other invalid content. Additional details: [[3] No Issued At (iat) claim present.]

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

quarkus-bot[bot] commented 1 year ago

/cc @pedroigor (oidc), @sberyozkin (oidc)

sberyozkin commented 1 year ago

@Eng-Fouad iat is a mandatory claim in OIDC. I've noticed you opened a PR to Keycloak, so that should resolve the issue, right?

Eng-Fouad commented 1 year ago

> @Eng-Fouad iat is a mandatory claim in OIDC. I've noticed you opened a PR to Keycloak, so that should resolve the issue, right?

What about adding a custom config that makes the claim optional? Similar to smallrye.jwt.time-to-live=-1: #17622. Or is it against the OIDC specs?

sberyozkin commented 1 year ago

@Eng-Fouad If we were dealing with some legacy providers which can't be fixed any more then it would likely be worth considering - but we are dealing with a very active Keycloak project here, with your fix on the way, so right now it seems reasonable just to get a new version of Keycloak rather than relax OIDC verification - without iat, its optional token age configuration becomes loose.

It is required for ID tokens but not strictly required in any texts for access tokens. We might be able to relax it for access tokens only.

Eng-Fouad commented 1 year ago

You are right. I am closing this issue and will wait for the Keycloak fix to be merged.

sberyozkin commented 1 year ago

@Eng-Fouad Sounds good, we can revisit this issue if necessary, please re-open later if needed

Eng-Fouad commented 1 year ago

@sberyozkin BTW, is there a temp workaround to customize the JWT parser? I can see TokenCustomizer::customizeHeaders in 3.2.0, but that's just for headers. My goal is to bypass iat check.

wesleysalimansdvb commented 7 months ago

Hi @sberyozkin, I would very much appreciate it if the iat claim could become optional via config properties. Not everyone uses Keycloak but still uses the oidc dependency to verify the tokens via the public key. As I need multi-tenancy I cannot use the Quarkus SmallRye JWT dependency as that does not support multi-tenancy (the two different key signing algorithms also differ).

Now my code fails because my JWT doesn't have the iat claim (as I use nbf and exp): rejected due to invalid claims or other invalid content. Additional details: [[3] No Issued At (iat) claim present.]