
JWK doesn't support certificate chain #540

Closed develrulez closed 3 years ago

develrulez commented 3 years ago

Hi, as stated in https://vertx.io/docs/apidocs/io/vertx/ext/jwt/JWK.html, the certificate chains (x5c) in a JWK only allow a single-element chain. Why so? Our company's OIDC-compliant server has a certificate chain with all the CAs embedded. But the class io.vertx.ext.jwt.JWK throws an exception in this case...

```java
// Excerpt from io.vertx.ext.jwt.JWK as quoted in this report: any x5c array with more than one
// entry (leaf plus intermediates/root) is rejected before a single certificate is parsed.
if (json.containsKey("x5c")) {
    JsonArray x5c = json.getJsonArray("x5c");
    if (x5c.size() > 1) {
        throw new RuntimeException("Certificate Chain length > 1 is not supported");
    }

    // RFC 7517: x5c[0] is the certificate that holds the key. It is wrapped in PEM
    // boundaries and parsed as X.509; the rest of the chain is never looked at.
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    this.certificate = (X509Certificate) cf.generateCertificate(
        new ByteArrayInputStream(this.addBoundaries(x5c.getString(0)).getBytes(UTF8)));
}
```

Couldn't it just pick the first certificate, ignoring the others in the chain, and try to validate the token against that? Right now we're trying to test io.quarkus:quarkus-oidc:1.6.1.Final, which includes io.vertx:vertx-auth-oauth2:3.9.1.
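An added example, not Vert.x code, showing the safer alternative to "pick the first certificate and ignore the others": decode every x5c entry, validate the whole chain against a trusted root, and only then use the first (leaf) certificate's key for the token. It is in Go because the standard library can build a throwaway chain offline; LeafFromX5c, SampleChain and the "Demo Root CA" / "demo-oidc-signer" names are constructed for this demo and are not part of any JWKS endpoint.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// LeafFromX5c decodes every x5c entry (base64 DER, leaf first per RFC 7517 section 4.7),
// validates the whole chain to a trusted root and returns the leaf, whose key checks the token.
func LeafFromX5c(x5c []string, roots *x509.CertPool) (*x509.Certificate, error) {
	var der []byte
	for i, s := range x5c {
		b, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return nil, fmt.Errorf("x5c[%d]: %w", i, err)
		}
		der = append(der, b...) // ParseCertificates accepts concatenated DER
	}
	chain, err := x509.ParseCertificates(der)
	if err != nil || len(chain) == 0 {
		return nil, fmt.Errorf("x5c: bad or empty chain: %v", err)
	}
	inter := x509.NewCertPool() // entries after the leaf may be intermediates
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	if _, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}); err != nil {
		return nil, fmt.Errorf("x5c chain rejected: %w", err)
	}
	return chain[0], nil
}

// SampleChain is constructed demo data (not real OIDC material): a root CA and a leaf it signs,
// returned as a two-element x5c array plus the root certificate to trust.
func SampleChain() ([]string, *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "demo-oidc-signer"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, leafPub, caKey)
	return []string{base64.StdEncoding.EncodeToString(leafDER), base64.StdEncoding.EncodeToString(caDER)}, caCert
}
```

A one-element x5c still validates the same way, so this does not regress the single-certificate case the original code accepted.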

dirien commented 3 years ago

We can confirm this behaviour.

pmlopes commented 3 years ago

Webauthn supports this. I'll refactor oauth2 to also support it.

develrulez commented 3 years ago

Wonderful! Would it also be possible to create a fix for the 3.9.x stream? I don't know if the Quarkus people are ready for a major release change from 3.9.x to 4.x in the near future.

pmlopes commented 3 years ago

I can't promise anything on that field, as WebAuthn is a 4.0 feature; it all depends on how hard it is to backport.

pmlopes commented 3 years ago

The main branch for 4.0.0 was already supporting chains; I've ensured that the validation is consistent (and performed the same way across all handlers).

pmlopes commented 3 years ago

@dirien I've pushed to the 3.9 branch of vertx-auth a fix that allows certificate chains in JWKS endpoints. Can you run some tests on your side?

develrulez commented 3 years ago

Hi @pmlopes, please excuse the late response. I missed your hint about the fix. It works perfectly well with version 3.9.5-SNAPSHOT. Thanks a lot! When can we expect a release of this version and, more importantly, an update of vertx-auth in a new Quarkus version?

pmlopes commented 3 years ago

Hi @develrulez, releases are managed by @vietj; maybe he can give an estimate of a date.