Smallrye JWT decryption issue after migrating from Quarkus 2.2.3 to 2.3.0
Hi,
I’d like to report a bug that I was able to solve but that might be worth looking at and documenting somewhere for other people.
First a bit of context: I’m using Quarkus to create an API gateway that will do some orchestrations and forward requests to microservices written with node.js. This API gateway is also responsible for generating and verifying JWTs that are also forwarded to the microservices. These JWTs are signed (PS256) and encrypted (RSA-OAEP-256).
I was expecting some possible issues when migrating from Quarkus 1.13 to 2.0 because of the new MP JWT 1.2 spec, but everything went smoothly.
However, starting with 2.3.0, the JWTs are refused by the node.js microservices with this weird error message:
invalid JWT: “alg” (Algorithm) Header Parameter not allowed
Quarkus itself is still able to generate/sign/encrypt and decrypt/verify the tokens without problem though.
Here’s my code to generate the tokens:
import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import io.smallrye.jwt.build.Jwt;

// jwtKeyFactory is my own key provider; getSignKey() returns the RSA private key,
// getEncryptKey() the recipient's RSA public key.
String token = Jwt
    .upn("some identifier")
    .subject("another identifier")
    .groups("some role")
    .claim("some claim", "some value")
    .jws().algorithm(SignatureAlgorithm.PS256).innerSign(jwtKeyFactory.getSignKey())
    .encrypt(jwtKeyFactory.getEncryptKey()); // key-management algorithm left at the default
and the configuration:
mp.jwt.verify.publickey.algorithm=PS256
smallrye.jwt.decrypt.algorithm=RSA_OAEP_256
Since I was suspecting some issue with the encryption algorithm, I changed my code to this:
import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import io.smallrye.jwt.build.Jwt;

// Same as above, but with the key-management algorithm pinned explicitly.
String token = Jwt
    .upn("some identifier")
    .subject("another identifier")
    .groups("some role")
    .claim("some claim", "some value")
    .jws().algorithm(SignatureAlgorithm.PS256).innerSign(jwtKeyFactory.getSignKey())
    .keyAlgorithm(KeyEncryptionAlgorithm.RSA_OAEP_256).encrypt(jwtKeyFactory.getEncryptKey());
And then it works.
I believe it’s because RSA_OAEP_256 was the default encryption alg before, and according to the javadoc, it’s now RSA_OAEP.
I remember having to specify RSA_OAEP_256 as the decryption algorithm in application.properties when I implemented all this, because RSA_OAEP was the default but it didn’t work.
So basically, until now, the default encryption and default decryption algorithms weren’t the same. This made me struggle back then because it’s not explained in the guide, so I had to figure it out by myself.
Now it seems that both default to RSA_OAEP, so it shouldn’t cause issues anymore.
What I still don’t understand, though, is that my implementation was still working up to Quarkus 2.2.3, although the change to RSA_OAEP seems to have appeared with MP JWT 1.2, as stated here:
Support for decrypting JWT tokens which have been encrypted using RSA-OAEP and A256GCM algorithms and contain the claims or inner-signed JWT tokens
And so I would have expected it to fail already with Quarkus 2.0.
Anyway, all this might deserve to be emphasized in the JWT guide and the migration guide, and in any case, I hope it might help people who come across the same issue.
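The root cause described in this issue is a producer/consumer mismatch on the JWE key-management algorithm: the gateway silently switched to a different default, and a downstream service that only accepts an allow-listed "alg" rejected the token. The following is an added example (not code from the issue or from the SmallRye JWT project) that pins both the signature and key-management algorithms on the producer side and then inspects the token's JWE protected header so that a mismatch is caught in a unit test before the token ever reaches a consumer. It assumes smallrye-jwt-build is on the classpath; the class and method names (JweHeaderCheck, buildToken, protectedHeader, usesExpectedAlg) and the in-memory RSA key pairs are mine, not the author's jwtKeyFactory.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Base64;

import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import io.smallrye.jwt.build.Jwt;

public class JweHeaderCheck {

    // Build an inner-signed (PS256) and encrypted token with the key-management
    // algorithm pinned explicitly instead of relying on the library default.
    static String buildToken(KeyPair signKeys, KeyPair encKeys) {
        return Jwt.upn("some identifier")
                .subject("another identifier")
                .groups("some role")
                .claim("some-claim", "some value")
                .jws().algorithm(SignatureAlgorithm.PS256).innerSign(signKeys.getPrivate())
                .keyAlgorithm(KeyEncryptionAlgorithm.RSA_OAEP_256)
                .encrypt(encKeys.getPublic());
    }

    // A compact JWE is five dot-separated segments; the first is the
    // base64url-encoded JSON protected header carrying "alg" and "enc".
    static String protectedHeader(String token) {
        String first = token.split("\\.")[0];
        return new String(Base64.getUrlDecoder().decode(first), StandardCharsets.UTF_8);
    }

    // Check that the header advertises the key-management algorithm the
    // consumers allow-list. Whitespace is stripped so the check does not
    // depend on how the JSON was serialised.
    static boolean usesExpectedAlg(String token, String expectedAlg) {
        String compact = protectedHeader(token).replaceAll("\\s", "");
        return compact.contains("\"alg\":\"" + expectedAlg + "\"");
    }

    public static void main(String[] args) throws Exception {
        // Constructed throwaway keys; a real deployment loads them from a key store.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signKeys = gen.generateKeyPair();
        KeyPair encKeys = gen.generateKeyPair();

        String token = buildToken(signKeys, encKeys);
        System.out.println("JWE protected header: " + protectedHeader(token));
        System.out.println("alg is RSA-OAEP-256: " + usesExpectedAlg(token, "RSA-OAEP-256"));
    }
}
```

Running the check against every token the gateway issues in its test suite turns a library default change like the one in this issue into a failing build rather than a runtime rejection at the node.js side; the same idea applies to the "enc" member if the consumers also restrict content-encryption algorithms.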
@Faboli7 FYI, I’ve opened https://github.com/smallrye/smallrye-jwt/issues/514 to simplify the code a bit when the algorithms have to be customized. As far as this issue is concerned, I believe it would be better to update the migration guide to 2.3.0; my understanding is that we don’t update the actual docs with info like “In that version it was this algorithm but now it is this one”, etc. I’ll add the link to the migration guide and will close the issue then.
Thanks
Thanks @sberyozkin ! I subscribed to the new issue.