Hi Ayan, Your message has been (somehow) moderated, else it would not have reached this Mailing List. Please subscribe to the user ML for such
questions and then use your email client. See why here http://ofbiz.apache.org/mailing-lists.html. You will get better support; people can answer
you on the ML. The wider the audience the better the answers you might get. Also it's more work for moderators who have to accept your messages as
long as you have not subscribed. I'll personally no longer accept them (other moderators still could). Thanks
This said, I moderated your message too late so it was not possible to do it the conventional way. Anyway here we are. I see that you are working with
Hotwax, and nobody from there moderated your email. So maybe the issue is already "fixed" internally?
Else we need more information, like:
Why did you need a JWT token to use Solr? What makes you think that "OFBiz is
generating the token with a 120 bit key"? Etc.
HTH
Jacques
On 21/11/2022 at 10:13, Ayan Farooqui wrote:
Hello devs,
I was doing a POC on JWT authentication in Solr, to implement it I generated a JWT token using OFBiz. When I used the same token and secret key to
authenticate a request on my local Solr instance, Solr gave an error “A key of the same size as the hash output or larger MUST be used with this
algorithm”. Upon debugging the issue I found reference to this rule.
“A key of the same size as the hash output (for instance, 256 bits for
"HS256") or larger MUST be used with this algorithm. (This
requirement is based on Section 5.3.4
<https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4> (Security Effect of the
HMAC Key) of NIST SP 800-117 [NIST.800-107
<https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]”
OFBiz is generating the token with a 120 bit key when it should throw an
exception for key size while using the HS512 or HS256 algorithm.
Reference - https://www.rfc-editor.org/rfc/rfc7518#page-7
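
The key-size rule quoted above, as an added example that is not part of the original thread and is not OFBiz or Solr code: a minimal standard-library signer and verifier for HS256/HS384/HS512 that refuses any key shorter than the hash output, so a 120-bit key is rejected at signing time instead of later by the consumer. All function names and sample keys are constructed for illustration.

```python
import base64, hashlib, hmac, json

# JWS HMAC algorithms and their hash functions (RFC 7518, section 3.2).
_HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

class WeakKeyError(ValueError):
    """The HMAC key is shorter than the hash output of the chosen algorithm."""

def min_key_bytes(alg):
    # Minimum key length equals the digest size: 32, 48 or 64 bytes.
    return _HASHES[alg]().digest_size

def check_key(alg, key):
    if alg not in _HASHES:
        raise ValueError("unsupported alg: %r" % alg)
    need = min_key_bytes(alg)
    if len(key) < need:
        raise WeakKeyError("%s needs a key of at least %d bits, got %d"
                           % (alg, need * 8, len(key) * 8))

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def _mac(alg, key, signing_input):
    return _b64url(hmac.new(key, signing_input, _HASHES[alg]).digest())

def sign(claims, key, alg="HS256"):
    check_key(alg, key)  # fail at issuance, not at the verifier
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":"))
    body = json.dumps(claims, separators=(",", ":"))
    signing_input = _b64url(header.encode()) + b"." + _b64url(body.encode())
    return (signing_input + b"." + _mac(alg, key, signing_input)).decode()

def verify(token, key, alg):
    """Return the claims, or None if the token is malformed or does not verify."""
    check_key(alg, key)
    parts = token.encode().split(b".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    # The verifier pins the algorithm; the token header must agree with it.
    if json.loads(_b64url_decode(head)).get("alg") != alg:
        return None
    if not hmac.compare_digest(_mac(alg, key, head + b"." + body), sig):
        return None
    return json.loads(_b64url_decode(body))

SHORT_KEY = b"k" * 15   # constructed 120-bit key, as in the report above
GOOD_KEY = b"k" * 32    # constructed 256-bit key, enough for HS256 only
```
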