[ 
https://issues.apache.org/jira/browse/OFBIZ-12724?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-12724.
-----------------------------------
    Fix Version/s: 22.01.01
                       (was: Upcoming Branch)
       Resolution: Fixed

> JWT Authentication Error
> ------------------------
>
>                 Key: OFBIZ-12724
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12724
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/security, framework/webapp
>    Affects Versions: 17.12.09
>         Environment: OS - Ubuntu 16.04
> DB - MySql
>            Reporter: Ayan Farooqui
>            Assignee: Jacques Le Roux
>            Priority: Trivial
>             Fix For: 22.01.01
>
>
> I have secured my Solr setup using solr.JWTAuthPlugin. I need to provide the 
> algorithm name (HS512) and the secret key to verify the payload in Solr. The 
> REST API for my Solr setup will be triggered from OFBiz, for which I am 
> generating a JWT token and validating it.
> Using the given key & following methods -
> secret key - KeS5mHZGWAD6-5V9qwCE (This is a 120 bit key)
> public static String createJwt(Delegator delegator, Map<String, String> 
> claims, String keySalt, int expireTime)
> public static Map<String, Object> validateToken(String jwtToken, String key)
> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
>  
> When I use the above generated token and key in Solr I get the 
> InvalidKeyException which says "The secret is only 120 bits, 512 bits is 
> required by HS512." 
> I suppose we should get such an exception in OFBiz also, when generating a token 
> using a shorter than recommended key size.
> As mentioned in the java-jwt docs,
> "Ensure the length of the secret is at least 512 bit long" under the HMAC512 
> header ( 
> https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html
>  )
> But I am using only a 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the 
> validateToken(String jwtToken, String key) method and it is not throwing any 
> exception for key size.
> We should follow the rule and give a 512 bit key by default and provide 
> validation based on the same rule.  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)