[
https://issues.apache.org/jira/browse/TOMEE-2533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexander Rettner updated TOMEE-2533:
-------------------------------------
Description:
The specification of MicroProfile JWT RBAC requires that an issuer claim must
be present in the token and valid. But TomEE, in the tested version 8.0.0-M2,
is not compliant with respect to MP.
The specification says exactly:
"The {{mp.jwt.verify.issuer}} config property allows for the expected value of
the {{iss}} claim to be specified. A MicroProfile JWT implementation must
verify the {{iss}} claim of incoming JWTs is present and matches the configured
value of {{mp.jwt.verify.issuer}}."
TomEE, however, accepts any issuer in the token if it is not specified in its
configuration.
The test environment is the demo (as attached to this issue), which can be
created at [https://start.microprofile.io|https://start.microprofile.io/] with
MicroProfile version MP 2.0, Apache TomEE 8.0.0-M2 as the MP server and JWT
Auth from the examples for specifications, in order to create a request with a
JWT in its header. With this setup, there is no accepted issuer configured, but
any issuer can be defined in the JWTClient class and the request is still
successful.
was:
The specification of MicroProfile JWT RBAC requires that an issuer claim must
be present in the token and valid. But TomEE, in the tested version 8.0.0-M2,
is not compliant with respect to MP.
The specification says exactly:
"The {{mp.jwt.verify.issuer}} config property allows for the expected value of
the {{iss}} claim to be specified. A MicroProfile JWT implementation must
verify the {{iss}} claim of incoming JWTs is present and matches the configured
value of {{mp.jwt.verify.issuer}}."
TomEE, however, accepts any issuer in the token if it is not specified in its
configuration.
The test environment is the demo, which can be created at
[https://start.microprofile.io|https://start.microprofile.io/] with
MicroProfile version MP 2.0, Apache TomEE 8.0.0-M2 as the MP server and JWT
Auth from the examples for specifications, in order to create a request with a
JWT in its header. With this setup, there is no accepted issuer configured, but
any issuer can be defined in the JWTClient class and the request is still
successful.
> Compliance with MicroProfile JWT Auth
> -------------------------------------
>
> Key: TOMEE-2533
> URL: https://issues.apache.org/jira/browse/TOMEE-2533
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 8.0.0-M2
> Reporter: Alexander Rettner
> Priority: Major
> Attachments: jwt.zip
>
>
> The specification of MicroProfile JWT RBAC requires that an issuer claim must
> be present in the token and valid. But TomEE, in the tested version
> 8.0.0-M2, is not compliant with respect to MP.
> The specification says exactly:
> "The {{mp.jwt.verify.issuer}} config property allows for the expected value
> of the {{iss}} claim to be specified. A MicroProfile JWT implementation must
> verify the {{iss}} claim of incoming JWTs is present and matches the
> configured value of {{mp.jwt.verify.issuer}}."
> TomEE, however, accepts any issuer in the token if it is not specified in
> its configuration.
> The test environment is the demo (as attached to this issue), which can be
> created at [https://start.microprofile.io|https://start.microprofile.io/]
> with MicroProfile version MP 2.0, Apache TomEE 8.0.0-M2 as the MP server and
> JWT Auth from the examples for specifications, in order to create a request
> with a JWT in its header. With this setup, there is no accepted issuer
> configured, but any issuer can be defined in the JWTClient class and the
> request is still successful.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
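As an added illustration of the issuer rule quoted in the report (this is not code from TomEE, from the MicroProfile JWT reference implementation, or from the attached demo), the Python sketch below applies the spec text to constructed tokens: the `iss` claim must be present and must equal the configured `mp.jwt.verify.issuer` value, and when no issuer is configured there is nothing to match, so the strict check rejects. A second, deliberately lax function models the behaviour the report describes (accept any issuer when none is configured) so the two can be compared side by side. The issuer URL, the user claims, and the fixed placeholder signature segment are all constructed sample data; signature verification (the `mp.jwt.verify.publickey` side of MP JWT) is assumed to happen separately and is not what this example shows.

```python
import base64
import json
from typing import Optional

# Constructed sample: the value a deployment would set as mp.jwt.verify.issuer
# in microprofile-config.properties (assumed, not from the issue).
CONFIGURED_ISSUER = "https://issuer.example.test"


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url_encode; restores the padding base64 expects."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Build a JWS-shaped string from a claims dict (constructed test data).

    The third segment is a fixed placeholder: signature checking is assumed to
    be done by a separate step and is not the subject of this example.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    dumps = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return f"{_b64url_encode(dumps(header))}.{_b64url_encode(dumps(claims))}.placeholder-signature"


def jwt_claims(token: str) -> dict:
    """Return the claims set (second segment) of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issuer_is_valid(claims: dict, configured_issuer: Optional[str]) -> bool:
    """Strict reading of the MP JWT rule quoted in the issue.

    'iss' must be present and must match mp.jwt.verify.issuer. With no
    configured issuer there is no value to match against, so the token is
    rejected rather than waved through (fail closed).
    """
    if not configured_issuer:
        return False
    iss = claims.get("iss")
    return isinstance(iss, str) and iss == configured_issuer


def lax_issuer_is_valid(claims: dict, configured_issuer: Optional[str]) -> bool:
    """Model of the behaviour the report describes (not TomEE's actual code):
    the issuer is only compared when one is configured, so an unconfigured
    server accepts a token carrying any issuer, or none at all."""
    if not configured_issuer:
        return True
    return claims.get("iss") == configured_issuer


def check_samples() -> dict:
    """Run both checks over three constructed tokens and return the verdicts."""
    user = {"upn": "alice@example.test", "groups": ["user"]}
    samples = {
        "correct": make_token({"iss": CONFIGURED_ISSUER, **user}),
        "other":   make_token({"iss": "https://other.example.test", **user}),
        "missing": make_token(dict(user)),  # no 'iss' claim at all
    }
    return {
        "strict_configured":   {n: issuer_is_valid(jwt_claims(t), CONFIGURED_ISSUER) for n, t in samples.items()},
        "strict_unconfigured": {n: issuer_is_valid(jwt_claims(t), None) for n, t in samples.items()},
        "lax_unconfigured":    {n: lax_issuer_is_valid(jwt_claims(t), None) for n, t in samples.items()},
    }


if __name__ == "__main__":
    for mode, verdicts in check_samples().items():
        print(mode, verdicts)
```

The `lax_unconfigured` row is the situation the report reproduces with the start.microprofile.io demo: nothing configured, every token accepted. The `strict_*` rows are what the quoted spec sentence asks for, and the only token the strict check admits is the one whose `iss` equals the configured value.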