
MeshLocalServer - setAlgorithm does not change the algorithm in JWT class - it still expects a HS256 token #1120

Open
bbelghith opened this issue Sep 10, 2020 · 3 comments
Labels
enhancement f/security Security related features

Comments

@bbelghith

Gentics Mesh Version, operating system, or hardware.

  • v1.7.1

Operating System

  • Windows

JVM

  • Oracle JDK 8
  • Open JDK 11

Problem

I have to develop a plugin for Gentics Mesh using access tokens from Keycloak. Those tokens are issued in RSA256 and the standard algorithm in Gentics Mesh is HS256. MeshLocalServer offers a method called setAlgorithm but it is still not accepting my Keycloak token. I also cannot simply install the public key from Keycloak in the keystore because it is created during time.

So please allow me to change the algorithm on which JWT is decoding and verifying my access token.

Reproducer

Expected behaviour and actual behaviour

@Jotschi
Contributor

Jotschi commented Sep 11, 2020

Support for custom algorithms is currently limited to HS256. It is possible to configure the algorithm, but depending on the chosen algorithm it may be required to modify the core code to support it. Additionally, this would only work if the keystore file contains the needed certificates and keys to sign the issued JWTs.

We use the JWTAuth code of Vert.x https://vertx.io/docs/vertx-auth-jwt/js/ which we configure here: https://github.com/gentics/mesh/blob/dev/common/src/main/java/com/gentics/mesh/auth/provider/MeshJWTAuthProvider.java#L83

I suspect that the options JWTAuthOptions lack the needed algo information for JWT.
https://vertx.io/docs/apidocs/io/vertx/ext/auth/JWTOptions.html

We would welcome any contribution which includes tests and additional changes to support other algos.

@Jotschi Jotschi added enhancement f/security Security related features labels Sep 11, 2020
@bbelghith
Author

I was now able to use Gentics Mesh with RSA256 - so far it does work. HS256 is not sufficient - particularly not for admin accounts; secrets are sent in plain text. Keycloak uses RSA256 by default, and it is also more difficult to use access tokens with two different algorithms.

I would rather remove the Vert.x library and choose another one. It has a couple of flaws.
Always having to set the algorithm before you can verify something is one of them. In addition, everything is based on key aliases, which users often use randomly in their keystore. Not very stable. In addition, even big solutions are using aliases inconsistently.

For example Keycloak is using RSA256 as "alg" for which that library is not finding a match - because it uses the alias "RS256".

The project seems to need manpower. I am a software architect from Karlsruhe/Germany and can help you to improve the code base if you can allow me to be a contributor.

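The configuration both comments are circling around, shown as an added example that is not code from the Mesh project or from either commenter: a Vert.x 3.x JWTAuth provider configured to accept only RS256 tokens signed by a Keycloak realm key, with issuer and audience pinned. Because the provider only holds keys for the algorithms it is explicitly given, a token whose header names any other algorithm (including HS256) has no matching key and is rejected, which is the behaviour a resource server should want when it trusts an RSA-signed issuer. The realm public key, issuer URL and client id are placeholders, and the `setPublicKey` call assumes the Vert.x 3.x `PubSecKeyOptions` API used by Mesh 1.7.

```java
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.JWTOptions;
import io.vertx.ext.auth.PubSecKeyOptions;
import io.vertx.ext.auth.jwt.JWTAuth;
import io.vertx.ext.auth.jwt.JWTAuthOptions;

public class KeycloakRs256Verifier {

  // Placeholder: the realm's RSA public key as shown under Realm Settings -> Keys in the
  // Keycloak admin console (base64 SubjectPublicKeyInfo body, no PEM header/footer).
  // When the realm rotates its key, this value has to be updated as well.
  private static final String REALM_PUBLIC_KEY = "<REALM_RSA_PUBLIC_KEY_BASE64>";

  // Placeholders: expected issuer ("iss") and audience ("aud") claims of the access token.
  private static final String EXPECTED_ISSUER = "https://<keycloak-host>/auth/realms/<realm>";
  private static final String EXPECTED_AUDIENCE = "<client-id>";

  // Builds a provider that holds exactly one verification key, for RS256. Tokens whose
  // header "alg" has no configured key are rejected rather than verified with a guess.
  public static JWTAuth createProvider(Vertx vertx) {
    JWTAuthOptions options = new JWTAuthOptions()
      .addPubSecKey(new PubSecKeyOptions()
        .setAlgorithm("RS256")
        .setPublicKey(REALM_PUBLIC_KEY))
      // Pin the issuer and audience so a valid token for a different realm or client is rejected.
      .setJWTOptions(new JWTOptions()
        .setIssuer(EXPECTED_ISSUER)
        .addAudience(EXPECTED_AUDIENCE));
    return JWTAuth.create(vertx, options);
  }

  // Verifies one bearer token; the result is the authenticated principal or the rejection reason.
  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    JWTAuth provider = createProvider(vertx);
    String accessToken = args.length > 0 ? args[0] : "<PASTE_KEYCLOAK_ACCESS_TOKEN>";

    provider.authenticate(new JsonObject().put("jwt", accessToken), res -> {
      if (res.succeeded()) {
        // principal() carries the token claims (sub, preferred_username, realm_access, ...)
        System.out.println("verified: " + res.result().principal().encodePrettily());
      } else {
        // Typical causes: unsupported/unknown algorithm, bad signature, expired, wrong iss/aud
        System.out.println("rejected: " + res.cause().getMessage());
      }
      vertx.close();
    });
  }
}
```

Compile and run with the Vert.x core, vertx-auth-common and vertx-auth-jwt jars on the classpath, passing the access token as the first argument. The point to check in a deployment is the first one the issue raises: the set of `PubSecKeyOptions` (or keystore entries) handed to the provider is the allow-list of algorithms the server will accept, so an RS256 deployment should not also keep an HS256 entry lying around in the same provider.
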
@mephinet
Contributor

Hi @bbelghith, we are happy to have you as a contributor - this is open source software. Once you open your first pull request, you will be automagically asked to sign our CLA. Once it is signed, we're happy to merge your improvements (if they meet our requirements, of course).
