This is an automated email from the ASF dual-hosted git repository.
more pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 8fd966f KNOX-2608 - JWT tokens issues by Knox should have 'kid' and
'jku' as part of JOSE Headers (#451)
8fd966f is described below
commit 8fd966f7fa2872701b79f6d9c48f7f234178b750
Author: Sandeep Moré <[email protected]>
AuthorDate: Mon May 24 22:01:21 2021 -0400
KNOX-2608 - JWT tokens issues by Knox should have 'kid' and 'jku' as part
of JOSE Headers (#451)
* KNOX-2608 - JWT tokens issues by Knox should have 'kid' and 'jku' as part
of JOSE Headers
---
.../services/security/token/impl/JWTToken.java | 22 +++++++++++++++++++++-
.../services/security/token/impl/JWTTokenTest.java | 13 ++++++++++---
2 files changed, 31 insertions(+), 4 deletions(-)
diff --git
a/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/impl/JWTToken.java
b/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/impl/JWTToken.java
index ceee909..2ab990d 100644
---
a/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/impl/JWTToken.java
+++
b/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/impl/JWTToken.java
@@ -16,6 +16,8 @@
*/
package org.apache.knox.gateway.services.security.token.impl;
+import java.net.URI;
+import java.net.URISyntaxException;
import java.text.ParseException;
import java.util.Date;
import java.util.ArrayList;
@@ -66,7 +68,25 @@ public class JWTToken implements JWT {
}
public JWTToken(String alg, String[] claimsArray, List<String> audiences,
boolean managed) {
- JWSHeader header = new JWSHeader(new JWSAlgorithm(alg));
+ JWSHeader header = null;
+ try {
+ header = new JWSHeader(new JWSAlgorithm(alg),
+ null,
+ null,
+ null,
+ claimsArray[5] != null ? new URI(claimsArray[5]) : null, // JKU
+ null,
+ null,
+ null,
+ null,
+ null,
+ claimsArray[4] != null ? claimsArray[4] : null, // KID
+ null,
+ null);
+ } catch (URISyntaxException e) {
+ /* in event of bad URI exception fall back to using just algo in header
*/
+ header = new JWSHeader(new JWSAlgorithm(alg));
+ }
if(claimsArray == null || claimsArray.length < 6) {
log.missingClaims(claimsArray.length);
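Review bot: The new header construction indexes `claimsArray[5]` and `claimsArray[4]` before the `claimsArray == null || claimsArray.length < 6` guard that follows it, so a null or short array now fails with a NullPointerException or ArrayIndexOutOfBoundsException before that guard and its log call are reached. The `URISyntaxException` fallback also discards the `kid` along with the bad `jku` and records nothing, which leaves verifiers that select keys by `kid` without one and gives operators no trace of the bad value. Bounds-checking both values first, parsing the URI on its own, and building the header with `JWSHeader.Builder` keeps `kid` on the fallback path and removes the positional `null` list. Since `jku` tells a verifier where to fetch keys, it is worth documenting on this constructor that relying parties should only honour a `jku` that matches a configured allow-list. The constructor body continues past the end of the hunk.

```java
public JWTToken(String alg, String[] claimsArray, List<String> audiences, boolean managed) {
  // Read kid/jku defensively: the null/length guard below has not run yet.
  final String kid = (claimsArray != null && claimsArray.length > 4) ? claimsArray[4] : null;
  final String jkuValue = (claimsArray != null && claimsArray.length > 5) ? claimsArray[5] : null;
  URI jku = null;
  if (jkuValue != null) {
    try {
      jku = new URI(jkuValue);
    } catch (URISyntaxException e) {
      // Log the rejected value here; the header is still built with alg and kid.
    }
  }
  JWSHeader header = new JWSHeader.Builder(new JWSAlgorithm(alg))
      .keyID(kid)
      .jwkURL(jku)
      .build();
  // … unchanged: claimsArray null/length check and the rest of the constructor …
```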
diff --git
a/gateway-spi/src/test/java/org/apache/knox/gateway/services/security/token/impl/JWTTokenTest.java
b/gateway-spi/src/test/java/org/apache/knox/gateway/services/security/token/impl/JWTTokenTest.java
index 9cb239d..24d3e71 100644
---
a/gateway-spi/src/test/java/org/apache/knox/gateway/services/security/token/impl/JWTTokenTest.java
+++
b/gateway-spi/src/test/java/org/apache/knox/gateway/services/security/token/impl/JWTTokenTest.java
@@ -69,18 +69,25 @@ public class JWTTokenTest {
@Test
public void testTokenCreation() throws Exception {
+ final String KID = "E0LDZulQ0XE_otJ5aoQtQu-RnXv8hU-M9U4dD7vDioA";
+ final String JKU =
"https://localhost:8443/gateway/token/knoxtoken/api/v1/jwks.json";
+ final String ALGO = "RS256";
String[] claims = new String[6];
claims[0] = "KNOXSSO";
claims[1] = "[email protected]";
claims[2] = "https://login.example.com";
claims[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
- claims[4] = "E0LDZulQ0XE_otJ5aoQtQu-RnXv8hU-M9U4dD7vDioA";
- claims[5] = null;
- JWT token = new JWTToken("RS256", claims);
+ claims[4] = KID;
+ claims[5] = JKU;
+ JWT token = new JWTToken(ALGO, claims);
assertEquals("KNOXSSO", token.getIssuer());
assertEquals("[email protected]", token.getSubject());
assertEquals("https://login.example.com", token.getAudience());
+
+ assertTrue("Missing KID claim in JWT header",
token.getHeader().contains(KID));
+ assertTrue("Missing JKU claim in JWT header",
token.getHeader().contains("jwks.json"));
+ assertTrue("Missing ALG claim in JWT header",
token.getHeader().contains(ALGO));
}
@Test
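Review bot: The JKU assertion only checks that the header contains `jwks.json`, so it would still pass if the scheme, host or path prefix of the `jku` were wrong; comparing against the full `JKU` value (after parsing the header, if the serialized form escapes `/`) would pin the whole URL. Nothing in this hunk covers the fallback path either, so a malformed or `null` `claims[5]` and the `URISyntaxException` branch in `JWTToken` remain untested; a second test asserting that the header still carries `alg` in that case would document the intended behaviour. The new constants are method locals, so `kid`, `jku` and `algo` would match the lower-camel naming of the other locals in this test.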