THALES GROUP LIMITED DISTRIBUTION to email recipients

Hello Zoltan,

My JSON JWT representation is:

Header:
{
  "kid": "abc-1234567890",
  "alg": "RS384"
}

Payload:
{
  "iss": "https://server.example.com",
  "jti": "a-123",
  "exp": 2026238400,
  "iat": 1679083200,
  "sub": "24400320",
  "upn": "j...@server.example.com",
  "groups": [ "red-group", "green-group", "admin-group", "admin" ]
}
+ signature

In the HTTP Authorization header I have:
<Header JSON B64 encoded>.<Payload JSON B64 encoded>.<signature of [B64 header].[B64 Payload]>

So again, what's wrong?

Best Regards.

-----Original Message-----
From: Tichov Zoltán <tichov.zol...@falconsoft.hu>
Sent: Thursday 4 April 2024 12:38
To: users@tomee.apache.org
Subject: Re: JWT issue TomEE 9.1.2 micro-profile flavor

Hi Francois!

You are right, sorry, the "alg" value is "RS256".

I generate the token with this code:

    public String generateToken(String name) {
        long now = System.currentTimeMillis();
        try {
            KeyPair decodedKeyPair = decodeKeyPair(PRIVATE_KEY, PUBLIC_KEY);
            return Jwts.builder()
                    .subject(name)
                    .claim(ROLE_CLAIM, List.of("user"))
                    .issuer("issuer")
                    .header().add(Map.of("type", "JWT")).and()
                    .issuedAt(new Date(now))
                    .expiration(new Date(now + EXPIRATION))
                    .signWith(decodedKeyPair.getPrivate())
                    .compact();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException ex) {
            log.error("Exception at generateToken");
        }
        return "";
    }

I'm using these dependencies:

    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.12.5</version>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-api</artifactId>
        <version>0.12.5</version>
    </dependency>

Best regards:

Zoltán

On 2024. 04. 04. 12:10, COURTAULT Francois wrote:
> Hello again,
>
> I added the typ but it doesn't work.
>
> Normally the alg value should be RS256 or RS384 (my try) and not RSA256 or
> RSA384 according to the spec.
>
> But I will try anyway with RSA384 instead of RS384, but I have some doubts
> that it could work.
> More, I had a look at the AlgorithmIdentifiers.java from this library and
> there is no RSA stuff in there.
> Even more, the JWT library included in TomEE 9.1.2 is the same as the one I
> use to generate my signed JWT.
>
> The doubt I have is confirmed, I can't compile my source code with this line:
>
>     JsonWebSignature jws = new JsonWebSignature();
>     ...
>     jws.setAlgorithmHeaderValue("RSA256"); or
>     jws.setAlgorithmHeaderValue("RSA384");
>
> I am only allowed to do this:
>
>     jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
>     // AlgorithmIdentifiers.RSA_USING_SHA256 is RS256
>     jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA384);
>     // AlgorithmIdentifiers.RSA_USING_SHA384 is RS384
>     jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA512);
>     // AlgorithmIdentifiers.RSA_USING_SHA512 is RS512
>
> Best Regards.
>
> -----Original Message-----
> From: Tichov Zoltán <tichov.zol...@falconsoft.hu>
> Sent: Thursday 4 April 2024 11:48
> To: users@tomee.apache.org
> Subject: Re: JWT issue TomEE 9.1.2 micro-profile flavor
>
> Hi Francois!
>
> I think that the "alg" : "RSA256" is more important in the token header than
> the "type".
>
> Best regards:
>
> Zoltán
>
> On 2024. 04. 04. 11:42, COURTAULT Francois wrote:
>> Hello Zoltan,
>>
>> I don't know why I have written Victor in my previous post ☹
>>
>> Sorry about that.
>>
>> Your point is that the typ field is missing in my signed JWT header, right?
>>
>> I believed that this one is not mandatory.
>>
>> Looking at microprofile-jwt-auth-spec-2.0.pdf, typ is recommended but
>> not required.
>>
>> Anyway I will try and let you know.
>>
>> Best Regards.
>>
>> From: Tichov Zoltán <tichov.zol...@falconsoft.hu>
>> Sent: Thursday 4 April 2024 11:34
>> To: users@tomee.apache.org
>> Subject: Re: JWT issue TomEE 9.1.2 micro-profile flavor
>>
>> Hi Francois!
>>
>> Try to generate the token with "alg" : "RSA256" and "type" : "JWT".
>>
>> Best regards:
>>
>> Zoltán
>>
>> On 2024. 04. 04. 11:18, COURTAULT Francois wrote:
>>> Hello Victor,
>>>
>>> I use this library:
>>>
>>>     <dependencies>
>>>         <dependency>
>>>             <groupId>org.bitbucket.b_c</groupId>
>>>             <artifactId>jose4j</artifactId>
>>>             <version>0.9.6</version>
>>>         </dependency>
>>>     </dependencies>
>>>
>>> to create the JWT.
>>>
>>> Best Regards.
>>>
>>> -----Original Message-----
>>> From: Tichov Zoltán <tichov.zol...@falconsoft.hu>
>>> Sent: Thursday 4 April 2024 11:06
>>> To: users@tomee.apache.org
>>> Subject: Re: JWT issue TomEE 9.1.2 micro-profile flavor
>>>
>>> Hi Francois!
>>>
>>> How did you generate the token?
>>>
>>> Best regards
>>>
>>> On 2024. 04. 04. 10:38, COURTAULT Francois wrote:
>>>> Hello everyone,
>>>>
>>>> I built a war with a class which extends Application and is annotated
>>>> with @LoginConfig(authMethod = "MP-JWT"). I have created a signed JWT
>>>> which is OK when I validated it (public key provided) using the jwt.io
>>>> web site.
>>>>
>>>> I want to test this signed JWT with my war.
>>>>
>>>> In this one, under META-INF, I have created a
>>>> microprofile-config.properties with the following entries:
>>>>
>>>>     mp.jwt.verify.publickey=MIIBojANBgkqhkiG9w0BAQEFAAO... (the same
>>>>     public key that I have used to validate the signed JWT using the
>>>>     jwt.io web site)
>>>>     mp.jwt.verify.issuer=https://server.example.com
>>>>
>>>> Then I run a curl with -H "Authorization: Bearer
>>>> eyJraWQiOiJhYmMtMTIzNDU2Nzg5MCIsImFsZyI6IlJTMzg0In0.ey ..." (the
>>>> same signed JWT I used on the jwt.io web site) and I got this:
>>>>
>>>> * at client side: ...HTTP Status 401 - Unauthorized ...
>>>>   Invalid or not parsable JWT
>>>>
>>>> * at server side:
>>>>
>>>>     04-Apr-2024 10:14:31.255 WARNING [http-nio-8080-exec-5]
>>>>     org.apache.tomee.microprofile.jwt.MPJWTFilter$ValidateJSonWebToken.parse JWT
>>>>     processing failed. Additional details: [[17] Unable to process JOSE object
>>>>     (cause: org.jose4j.lang.InvalidKeyException: The given key (key is null) is
>>>>     not valid for SHA384withRSA):
>>>>     JsonWebSignature{"kid":"abc-1234567890","alg":"RS384"}->
>>>>     eyJraWQiOiJhYmMtMTIzNDU2Nzg5MCIsImFsZyI6IlJTMzg0In0.ey...
>>>>
>>>> What's wrong?
>>>>
>>>> Best Regards.
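An added example, not code from this thread or from TomEE, showing the two halves the thread is debugging with jose4j (the library TomEE's MP-JWT filter uses): signing an RS384 token with the kid and claims from the thread, then verifying it with a consumer that takes the public key in the same base64 X.509 DER form as mp.jwt.verify.publickey and pins issuer and alg. The class name Rs384Check, the freshly generated key pair and the 60-minute expiry are assumptions; passing a null key to verify() reproduces the "key is null ... not valid for SHA384withRSA" InvalidJwtException logged at the server side above, which is what a missing or unparsed verification key looks like, independent of the alg name.

```java
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

public class Rs384Check {
    static final String ISSUER = "https://server.example.com";

    // Sign a token with the header and claim shape from the thread (kid + RS384).
    static String sign(PrivateKey priv) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(ISSUER);
        claims.setSubject("24400320");
        claims.setExpirationTimeMinutesInTheFuture(60); // assumed lifetime
        claims.setStringListClaim("groups", "red-group", "green-group", "admin-group", "admin");
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(priv);
        jws.setKeyIdHeaderValue("abc-1234567890");
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA384);
        return jws.getCompactSerialization();
    }

    // Verify as an MP-JWT server does: the key is the base64 X.509 (SPKI) DER string held in
    // mp.jwt.verify.publickey, and issuer plus the accepted alg are pinned. A null key yields
    // the "key is null ... not valid for SHA384withRSA" failure seen in the thread's log.
    static JwtClaims verify(String jwt, String spkiBase64) throws Exception {
        PublicKey pub = spkiBase64 == null ? null : KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(spkiBase64)));
        JwtConsumer consumer = new JwtConsumerBuilder()
                .setVerificationKey(pub)
                .setExpectedIssuer(ISSUER)
                .setRequireExpirationTime()
                .setJwsAlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA384)
                .build();
        return consumer.processToClaims(jwt);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // assumed: fresh key pair instead of a configured one
        String jwt = sign(kp.getPrivate());
        String spki = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
        System.out.println("groups=" + verify(jwt, spki).getStringListClaimValue("groups"));
        try { verify(jwt, null); } catch (InvalidJwtException e) { System.out.println("no key: " + e.getMessage()); }
    }
}
```

The printed spki string is exactly the value a mp.jwt.verify.publickey entry expects, so it doubles as a check that the configured key parses as an RSA SubjectPublicKeyInfo before the server ever sees a request.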