[
https://issues.apache.org/jira/browse/TOMEE-2533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexander Rettner updated TOMEE-2533:
-------------------------------------
Description:
The Specification of MicroProfile JWT RBAC requests that an issuer claim must
be present in the token and valid. But TomEE, in the tested version 8.0.0-M2,
is not compliant with respect to MP.
The specification says exactly:
"The {{mp.jwt.verify.issuer}} config property allows for the expected value of
the {{iss}} claim to be specified. A MicroProfile JWT implementation must
verify the {{iss}} claim of incoming JWTs is present and matches the configured
value of {{mp.jwt.verify.issuer}}."
TomEE, however, accepts any issuer in the token if it is not specified in its
configuration.
was:
The Specification of MicroProfile JWT RBAC requests that an issuer claim must
be present in the token and valid. But TomEE, in the tested version 8.0.0-M2,
is not compliant with respect to MP.
The specification says exactly:"The {{mp.jwt.verify.issuer}} config property
allows for the expected value of the {{iss}} claim to be specified. A
MicroProfile JWT implementation must verify the {{iss}} claim of incoming JWTs
is present and matches the configured value of {{mp.jwt.verify.issuer}}."
> Compliance with MicroProfile JWT Auth
> -------------------------------------
>
> Key: TOMEE-2533
> URL: https://issues.apache.org/jira/browse/TOMEE-2533
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 8.0.0-M2
> Reporter: Alexander Rettner
> Priority: Major
>
> The Specification of MicroProfile JWT RBAC requests that an issuer claim must
> be present in the token and valid. But TomEE, in the tested version
> 8.0.0-M2, is not compliant with respect to MP.
> The specification says exactly:
> "The {{mp.jwt.verify.issuer}} config property allows for the expected value
> of the {{iss}} claim to be specified. A MicroProfile JWT implementation must
> verify the {{iss}} claim of incoming JWTs is present and matches the
> configured value of {{mp.jwt.verify.issuer}}."
> TomEE, however, accepts any issuer in the token if it is not specified in
> its configuration.
>
>
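The issuer check that the quoted specification text calls for, set beside the lenient behaviour the report describes, as an added Python sketch (not TomEE's code and not part of the original message). The function names, the sample issuer URLs and the choice to reject when `mp.jwt.verify.issuer` is unset are assumptions of this example; signature verification is assumed to have happened before these functions run.

```python
import base64
import json

ISSUER_PROPERTY = "mp.jwt.verify.issuer"  # config key named in the report


class IssuerError(Exception):
    """Raised when the token or its iss claim fails validation."""


def make_token(claims: dict) -> str:
    """Build a constructed sample token; the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.c2ln"


def read_claims(token: str) -> dict:
    """Decode the payload of a compact JWT whose signature was already verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IssuerError("not a three-part compact token")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise IssuerError("payload is not valid JSON") from exc
    if not isinstance(claims, dict):
        raise IssuerError("payload is not a JSON object")
    return claims


def lenient_check(token: str, config: dict) -> bool:
    """Behaviour described in the report: no configured issuer, no check."""
    expected = config.get(ISSUER_PROPERTY)
    return expected is None or read_claims(token).get("iss") == expected


def strict_check(token: str, config: dict) -> bool:
    """iss must be present and equal the configured value; otherwise reject."""
    expected = config.get(ISSUER_PROPERTY)
    if not expected:  # assumption of this example: fail closed when unset
        raise IssuerError(f"{ISSUER_PROPERTY} is not configured")
    iss = read_claims(token).get("iss")
    if not isinstance(iss, str) or iss != expected:
        raise IssuerError("iss claim missing or not the configured issuer")
    return True
```
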