JWT validation pattern with `jku` and `kid` claims

Hi @nenaraab,

In SAP Cloud SDK, we're integrating your library to handle XSUAA authentication topics. Currently, we're fixing JWT validation that fails because of this change: tenant-specific JWT signing keys.

In regard to this, I have a couple of questions to ensure our implementation is secure and compliant:

  • How do you ensure jku is from a whitelisted domain? Should we ensure it on the Cloud SDK side?
  • As I understood from the sources, you consider jku trusted after ensuring that the issuer is trusted by checking iss?
  • Does XSUAA always provide jku and kid to fetch the public key for token validation? Or can it also be only jku?
  • If a mocked or testing server is used to issue JWTs, how can we provide the URL of this issuer so that validation works when running tests locally, or in other use cases that require overriding XSUAA as a token issuer?

Thank you in advance for your help! I hope this makes sense. cc @MatKuhr @newtork

Best, Artem

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 10 (10 by maintainers)

Top GitHub Comments

nenaraab commented, Mar 17, 2020 (1 reaction)

cool. Perfect and good migration idea 😃

MatKuhr commented, Mar 17, 2020 (0 reactions)

Thanks, that would actually be great.

We currently use the library like this:

// Wrap the encoded JWT and load the XSUAA service binding from VCAP_SERVICES.
final Token token = new XsuaaToken(encodedJwt);
final OAuth2ServiceConfiguration xsuaaConfiguration = Environments.getCurrent().getXsuaaConfiguration();

if( xsuaaConfiguration == null ) {
    throw new AuthTokenAccessException("Unable to fetch XSUAA configuration from VCAP services.");
}
// Build the library's validator chain from the XSUAA configuration.
final CombiningValidator<Token> validator = JwtValidatorBuilder.getInstance(xsuaaConfiguration).build();

// Run all validators (signature, issuer, expiry, ...) and only decode on success.
final ValidationResult result = validator.validate(token);
if( result.isValid() ) {
    return JWT.decode(encodedJwt);
}
throw new AuthTokenAccessException("The token is invalid: " + result.getErrorDescription());

In case this validation fails we fall back to our “old” implementation and try again. That way our own mocking still works and nothing can break for the consumer.

So far one of our consumers confirmed that this works. Next steps would probably be leveraging the mocking capabilities of the XSUAA lib to better test this and also to deprecate our custom implementation.
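The key-resolution checks the original post asks about (is jku on a trusted domain, does it belong to the iss host, is kid required), as an added example in Python that is not code from the SAP library or the Cloud SDK. The trusted domain, the JWKS and the token are constructed sample values, and the JWKS lookup stands in for the HTTPS fetch; signature verification itself is out of scope here.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample values: a trusted XSUAA-like domain and the JWKS that the
# jku endpoint would serve. Neither comes from a real tenant.
TRUSTED_DOMAINS = {"authentication.example.test"}
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-id-1",
                         "n": "modulus-placeholder", "e": "AQAB"}]}


def b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build header.payload.<dummy signature> to exercise the checks only."""
    return f"{b64url(header)}.{b64url(payload)}.sig"


def decode_segment(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def jku_is_trusted(jku: str, iss: str, trusted_domains: set) -> bool:
    """Accept jku only over https, on the iss host, and under a trusted domain."""
    jku_url, iss_url = urlparse(jku), urlparse(iss)
    if jku_url.scheme != "https" or not jku_url.hostname:
        return False
    host = jku_url.hostname.lower()
    if host != (iss_url.hostname or "").lower():
        return False  # the key endpoint must belong to the token issuer
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def resolve_signing_key(token: str, jwks_by_url: dict, trusted_domains: set):
    """Return the JWK selected by kid, or None when any check fails."""
    header_b64, payload_b64, _sig = token.split(".")
    header, payload = decode_segment(header_b64), decode_segment(payload_b64)
    jku, kid, iss = header.get("jku"), header.get("kid"), payload.get("iss")
    if not (jku and kid and iss):
        return None  # both jku and kid are required to look up a key
    if not jku_is_trusted(jku, iss, trusted_domains):
        return None  # never fetch keys from an untrusted URL
    jwks = jwks_by_url.get(jku)  # stands in for an HTTPS fetch of the JWKS
    if jwks is None:
        return None
    return next((k for k in jwks["keys"] if k.get("kid") == kid), None)
```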
