[
https://issues.apache.org/jira/browse/TOMEE-2533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexander Rettner updated TOMEE-2533:
-------------------------------------
Attachment: jwt.zip
> Compliance with MicroProfile JWT Auth
> -------------------------------------
>
> Key: TOMEE-2533
> URL: https://issues.apache.org/jira/browse/TOMEE-2533
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 8.0.0-M2
> Reporter: Alexander Rettner
> Priority: Major
> Attachments: jwt.zip
>
>
> The specification of MicroProfile JWT RBAC requests that an issuer claim must
> be present in the token and valid. But TomEE, in the tested version
> 8.0.0-M2, is not compliant with respect to MP.
> The specification says exactly:
> "The {{mp.jwt.verify.issuer}} config property allows for the expected value
> of the {{iss}} claim to be specified. A MicroProfile JWT implementation must
> verify the {{iss}} claim of incoming JWTs is present and matches the
> configured value of {{mp.jwt.verify.issuer}}."
> TomEE, however, accepts any issuer in the token if none is specified in
> its configuration.
> The test environment is the demo, which can be created at
> https://start.microprofile.io/ with MicroProfile Version MP 2.0, Apache
> TomEE 8.0.0-M2 as the MP server and JWT Auth from the examples for
> specifications, in order to create a request with a JWT in its header. With
> this setup, there is no accepted issuer configured, but any issuer can be
> defined in the JWTClient class and the request is still successful.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
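The behaviour the report asks for, shown as an added example that is not part of the issue or of TomEE's code: the {{iss}} claim is checked after the signature, it must be present, it must equal the configured {{mp.jwt.verify.issuer}} value, and an unconfigured issuer is treated as a rejection rather than a pass-through (that fail-closed choice is an assumption of this example, not a quote from the spec). To keep it runnable offline with the standard library the token is signed with HS256 and a constructed shared secret; MicroProfile JWT itself uses RS256 with a public key, and the issuer URL and claims below are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret. HS256 is used only because it needs no external
# library; MicroProfile JWT mandates RS256 with a configured public key.
SHARED_SECRET = b"constructed-example-secret"

# Stand-in for the MicroProfile Config source holding mp.jwt.verify.issuer.
MP_CONFIG = {"mp.jwt.verify.issuer": "https://issuer.example.test"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a compact HS256 JWT for the constructed claims (test helper only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, expected_issuer, secret: bytes = SHARED_SECRET) -> dict:
    """Return the claims if signature and issuer checks pass, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))

    # Issuer check as the spec text quoted in the report describes it.
    # Failing closed when nothing is configured is this example's assumption.
    if expected_issuer is None:
        raise ValueError("mp.jwt.verify.issuer is not configured; refusing token")
    iss = claims.get("iss")
    if iss is None:
        raise ValueError("iss claim missing")
    if iss != expected_issuer:
        raise ValueError(f"iss {iss!r} does not match configured issuer {expected_issuer!r}")
    return claims


def check_outcome(token: str, expected_issuer) -> str:
    """Summarise the verification result as 'accepted' or 'rejected: <reason>'."""
    try:
        verify_token(token, expected_issuer)
        return "accepted"
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    good = make_token({"iss": "https://issuer.example.test", "upn": "alice", "groups": ["user"]})
    foreign = make_token({"iss": "https://someone-else.example.test", "upn": "alice"})
    configured = MP_CONFIG.get("mp.jwt.verify.issuer")
    print("configured issuer, matching token :", check_outcome(good, configured))
    print("configured issuer, foreign token  :", check_outcome(foreign, configured))
    print("no issuer configured, any token   :", check_outcome(good, None))
```

The third line of output is the case from the report: with no issuer configured, the token is rejected instead of being accepted regardless of what the client put in {{iss}}.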