Allow unverified JWT #132
Comments
|
@FreifeldRoyi Hi, no, I don't think so. Well it depends on what the implementation you are working with. Why would you want to do it ? |
|
Hi =) |
|
It is a highly insecure practice to trust any value supplied through the JWT token when no verifications are made. |
|
@rdebusscher I agree. The JWT verification process is left for another service. The request can't "cascade" into the internal ecosystem if it is not verified by that service (that's why I ask if I can just inject the JWT with no verification) |
|
BTW, There are other jwt implementations that allow unverified access, e.g |
|
@FreifeldRoyi I'm not sure it can be supported at the MP-JWT level, I agree with @rdebusscher. |
|
I have the need for unverified JWT, too. (using Quarkus + SmallRye JWT) Reason: We have an API Gateway, that does the verification. And if the token is valid, it will forward the request to the corresponding Quarkus Microservice. Though the Microservice shouldn't have to verify it again. Maybe you could add some new Property like |
|
And you are sure that the service can only be accessed from the API gateway only? That it is impossible to send a request to that service from any other location? If not, you have a major security hole. |
|
The scenario @benneq describes is not so uncommon apparently. I am in a similar situation. |
|
@pilhuhn @FreifeldRoyi Why are you using JWT on that backend service then? Couldn't you pass on from the gateway only whatever data you need and proceed with that? (processing them manually in the service). No need to use JWT at all if you don't need it IMHO. I am looking at it from my TLS termination and client cert authentication POV.
|
|
@rdebusscher You can achieve this pretty easily using Kubernetes or Docker with their internal network for inter-microservice-communication. And the only exposed port is 80, and this is routed straight to your gateway. Or have you ever used Elasticsearch? It has no authentication at all. By default it only accepts requests from localhost, but you can change that restriction to some specific IP or IP range or even a specific network adaptor on your machine. Then for example you could use a private VPN tunnel to communicate with other Elasticsearch clusters on the other side of the planet and restrict the network communication to the VPN tunnel network adaptor. Here's some Blog Post from auth0: https://auth0.com/blog/apigateway-microservices-superglue/ I understand your security concerns, but they aren't valid if you have a secure network where you can make sure that there's only a single endpoint (API Gateway) for communication with the outer world. That's why I suggested that the user has to explicitly disable the default behavior. @Karm Sure you can. But clientId may not be enough. Often the JWT also contains some data that can't be checked by the gateway. For example "IS_ADULT" role (for /watchMovie/{movieid} request) may not be validated by the gateway, but needs to be checked by the business logic of the microservice (because the auth decision depends on the specific movie). Though you have to pass down this data as well. |
Inside access is as important as outside access. But if you can guarantee it is ok. Problem is that once you have such a possibility (not do the validation), users will start to misuse it. |
|
Is that really a concern? There's always a way to misuse software if you want to. I can also write an endpoint with What I wanted to say: Security in a real application is no toy for unexperienced 12-year-old "devs". But ... if you don't want to give us an easy way to allow unverified JWT, is there at least a not-so-easy way to get it done, by providing some piece of code that will override the validation with I'd be totally fine with that, too, if it's done with a few lines of code. |
|
@Karm I can think of a few valid use cases like auditing or storing for future use along with the data (which is also important for security). |
|
There's a new infoQ talk by Netflix about how they do auth in their microservice landscape. And why they did change their former auth system. ( https://www.youtube.com/watch?v=eEZHZ806d6o ) Short summary of the interesting parts:
In other words: |
|
How about the support for alg:none but only for injection of claims? So user from the call is still 'unauthenticated' (no valid SecurityContext.getUserPrincipal(), @RolesAllowed and isUserInRole() return always false, ...) |
|
@rdebusscher I think that's a bad idea. |
|
I think having a config to control if the JWT has to be validate or not is acceptable. By default is always on. |
|
IMHO it can be There must be some way at the low level spec level to enforce it. It is easy to document at the individual OIDC provider documentation page because it guarantees to its users the token will be validated. At the spec level like MP JWT we need to assert the verification has happened. |
|
Having a related topic here for a project. The information where to fetch the public key for verification is part of the JWT token. So the process needs to be 2 step when the token needs to be verified:
So I think having an optional way to register/provide a PublicKeyFactory that has access to the complete http request (and token) and that is called prior to the "real" verification would be very beneficial. Also having a way to extend the Principal with further Information from the request/jwt would also be very useful in many cases. as a side note: e.g. Using Kotlin extension methods makes it very intuitive to just get all additional information you would expect from the Principal. I did similar things with other JWT implementations (mainly NodeJS). |
|
@wfrank2509 I've added it to the |
|
👋 Hey guys, how's this going? I have a usecase related to testing; it's far too complex in the setup I have to have my JWT provider use the same certs as my JWT-loving Quarkus app (For testing I just don't mind it being unverified) |
Hey,
Is it possible to allow unverified JWTs to be injected ?
Thnx
Royi
The text was updated successfully, but these errors were encountered: