JWT token with HS256 and corresponding JWK file : UnresolvableKeyException #25632
Comments
/cc @sberyozkin |
@Chanizo Thanks for opening this issue, I have this test in Actually, I think I know why it may be failing. How do you create a signed token, does it have a |
Thanks for your quick answer @sberyozkin ! I tried both (with and without kid), but it did not work... My JWK file : Result token with your JWK : My parameters : How I send the token : |
@Chanizo I've had a look and reproduced the problem locally.
or add |
@Chanizo It is working now for me even with your case, I was wrong in my analysis, not sure why it was failing. smallrye-jwt does 2 tries, first at the initialization time, and then at the request time - when JWK set is used |
Thank you @sberyozkin, indeed the error for key location has disappeared, but I have a new one now... My application properties : And the token signed with the new secret on jwt.io : My endpoint :
Like last time, I did this call : This time it enters in my endpoint, but I got this error : |
Hi @Chanizo, did you manage to fix this? My jwk is slightly different and couldn't find a way to make a valid call for the api always return 401 - unauthorized jwk
application.properties
Exception:
|
Why is this configuration parameter required? I had a similar issue due to a JWT using PS256 algorithm. Adding the configuration parameter resolved the issue. But e.g. https://jwt.io/ automatically detects PS256 from the JWT header. And PS256 is present as the algorithm in the JWK JSON. |
So that people coming from google can understand how to solve this. JWK format expects a key in base64 format. In the example below, the OP used the raw value of
instead of using the decode base64 value. So, to be able to validate a token signed with the raw key
{
  "keys": [
    {
      "kty": "oct",
      "k": "dVdsd0JMR3Y0RXBpZlo1MkVoVHVVOUwtNzZBRjlWZjR5dW1TRDFQLTJ1RQ==",
      "alg": "HS256"
    }
  ]
}
The application.properties settings to use (note that this is 2024-07-13 and the current quarkus version is 3.8.
smallrye.jwt.verify.key.location=secretKey.jwk
smallrye.jwt.verify.algorithm=HS256
Make sure you have
Now token signed with the string
|
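The key-encoding mismatch discussed in the comment above, as an added example (not code from the thread or from smallrye-jwt): RFC 7518 defines an `oct` key's `k` as the base64url encoding of the key bytes, so a token signed with a secret typed in as a plain string verifies only when `k` holds the encoding of that string. The secret, claims and helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Sign the way a tool does when the secret is typed in as a plain string."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def verify_with_jwk(token: str, jwk: dict) -> bool:
    """Signature check only (no exp/iss validation) against an 'oct' JWK."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm on the verifier side; never take it from the token alone.
        if header.get("alg") != "HS256" or jwk.get("kty") != "oct":
            return False
        key = b64url_decode(jwk["k"])  # "k" is always decoded before use
        signature = b64url_decode(sig_b64)
    except (ValueError, KeyError):  # malformed token, bad base64 or missing "k"
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def jwk_for_raw_secret(secret: str) -> dict:
    """Build the JWK whose decoded "k" equals the raw secret's bytes."""
    return {"kty": "oct", "alg": "HS256", "k": b64url_encode(secret.encode("utf-8"))}

# Constructed demo secret (not from the issue); it only uses base64url characters,
# so pasting it into "k" unencoded still decodes, just to different bytes.
RAW_SECRET = "demo_secret-constructed-for-this-example-00"
TOKEN = sign_hs256({"sub": "alice"}, RAW_SECRET.encode("utf-8"))

PASTED_JWK = {"kty": "oct", "alg": "HS256", "k": RAW_SECRET}  # secret pasted as-is
ENCODED_JWK = jwk_for_raw_secret(RAW_SECRET)                   # secret encoded first

if __name__ == "__main__":
    print("pasted raw secret as k :", verify_with_jwk(TOKEN, PASTED_JWK))
    print("base64url(secret) as k :", verify_with_jwk(TOKEN, ENCODED_JWK))
```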
Describe the bug
My quarkus backend receives requests with JWT Token with some information.
I tried with quarkus-smallrye-jwt, and it worked for RS256 algorithm. I created a token with jwt.io and sent it with my request in my test, it has been correctly decoded.
To verify I simply used :
@Inject
JsonWebToken jwt;
...
@GET
public Response get() {
    System.out.println(hasJwt());
    System.out.println(jwt.getClaimNames());
I tried with pem file and jwk file then in smallrye.jwt.verify.key.location, and it was OK.
Then we moved to HS256 algorithm because of our needs, I created corresponding jwk file and token but this time it has not been working...
Expected behavior
I want to be able to simply use HS256 algorithm for encoding/decoding JWT Tokens with quarkus-smallrye-jwt
Actual behavior
I created JWKS file for HS256 algorithm with this format :
{ "keys": [ { "kty":"oct", "k":"uWlwBLGv4EpifZ52EhTuU9L-76AF9Vf4yumSD1P-2uE", "alg":"HS256" } ] }
I encoded a JWT token with HS256 and same secret, and sent it to quarkus back but I got this error :
2022-05-17 21:15:09,295 DEBUG [io.qua.sma.jwt.run.aut.MpJwtValidator] (executor-thread-0) Authentication failed: io.smallrye.jwt.auth.principal.ParseException: SRJWT07000: Failed to verify a token
at io.smallrye.jwt.auth.principal.DefaultJWTTokenParser.parseClaims(DefaultJWTTokenParser.java:161)
at io.smallrye.jwt.auth.principal.DefaultJWTTokenParser.parse(DefaultJWTTokenParser.java:56)
at io.smallrye.jwt.auth.principal.DefaultJWTCallerPrincipalFactory.parse(DefaultJWTCallerPrincipalFactory.java:31)
at io.smallrye.jwt.auth.principal.DefaultJWTParser.parse(DefaultJWTParser.java:64)
at io.smallrye.jwt.auth.principal.DefaultJWTParser_ClientProxy.parse(Unknown Source)
...
Caused by: org.jose4j.lang.UnresolvableKeyException: SRJWT07004: Failed to load a key from the key content while resolving
at io.smallrye.jwt.auth.principal.AbstractKeyLocationResolver.reportUnresolvableKeyException(AbstractKeyLocationResolver.java:187)
at io.smallrye.jwt.auth.principal.KeyLocationResolver.resolveKey(KeyLocationResolver.java:66)
at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:213)
at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:426)
at io.smallrye.jwt.auth.principal.DefaultJWTTokenParser.parseClaims(DefaultJWTTokenParser.java:143)
... 74 more
How to Reproduce?
Add quarkus-smallrye-jwt dependency, create JWK file for HS256 algorithm, add it to smallrye.jwt.verify.key.location. Encode JWT token with same secret, with jwt.io for example, and add it in "Authorization" header of request for quarkus backend
Output of uname -a or ver
Darwin 21.4.0 Darwin Kernel Version 21.4.0: Fri Mar 18 00:45:05 PDT 2022; root:xnu-8020.101.4~15/RELEASE_X86_64 x86_64
Output of java -version
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 14.0.2+12, mixed mode, sharing)
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.8.1.Final
Build tool (ie. output of mvnw --version or gradlew --version)
No response
Additional information
No response