
I'm attempting to use a JWKS endpoint to supply a public key for verifying a JWT signature. In my application.properties, I've set the following:

mp.jwt.verify.publickey.location = http://localhost:1080/jwks

It appears that this is indeed being used:

2019-08-17 18:02:28,593 DEBUG [io.sma.jwt.con.JWTAuthContextInfoProvider] (executor-thread-1) init, mpJwtPublicKey=NONE, mpJwtIssuer=NONE, mpJwtLocation=http://localhost:1080/jwks
2019-08-17 18:02:28,599 DEBUG [io.sma.jwt.aut.AbstractBearerTokenExtractor] (executor-thread-1) tokenHeaderName = Authorization
2019-08-17 18:02:28,643 DEBUG [io.qua.sma.jwt.run.aut.JwtIdentityManager] (executor-thread-1) verify, id=null, credential=io.quarkus.smallrye.jwt.runtime.auth.JWTCredential@780ca7ed
2019-08-17 18:02:28,719 DEBUG [io.sma.jwt.aut.pri.KeyLocationResolver] (executor-thread-1) Trying location as JWK(S)...

When attempting a request to an endpoint in this app, it crashes with:

2019-08-17 18:02:29,048 WARN  [io.sma.jwt.aut.pri.DefaultJWTTokenParser] (executor-thread-1) Token is invalid: JWT (claims->{"identityType":"user","authorities":[],"accountId":"0812081208","userId":"ybx8912jq59","iat":1566086374,"exp":1566089974}) rejected due to invalid claims. Additional details: [[17] Unexpected exception thrown from validator org.jose4j.jwt.consumer.IssValidator: java.lang.NullPointerException at org.jose4j.jwt.consumer.IssValidator.expectedValue(IssValidator.java:72); org.jose4j.jwt.consumer.IssValidator.validate(IssValidator.java:59); ...omitted...]
2019-08-17 18:02:29,050 DEBUG [io.qua.sma.jwt.run.aut.JwtIdentityManager] (executor-thread-1) failed, id=null, credential=io.quarkus.smallrye.jwt.runtime.auth.JWTCredential@780ca7ed: org.wildfly.security.auth.server.RealmUnavailableException: Failed to verify token
        at io.quarkus.smallrye.jwt.runtime.auth.MpJwtValidator.validateClaimsSet(MpJwtValidator.java:44)

From what I can understand of this stack trace, id=null might be a problem? I have nothing else to really go on here, as I can confirm that this JWT is valid: I'm the one who generated it, and it can be validated via other apps.

I do not have access to add other fields/values to this JWT as I don't own the auth system. Is there any way I can get around this?

Jim Wharton

1 Answer

The NPE from IssValidator suggests you are probably running into this: https://bitbucket.org/b_c/jose4j/issues/135/issvalidator-throws-nullpointerexception, which means your token needs an issuer (iss) claim, or the JWT consumer needs to not be set to require an iss claim, by not using any of the setExpectedIssuer[s] methods on the builder.

Brian Campbell
  • Also, never use plain http for the JWKS endpoint in real usage. – Brian Campbell Aug 18 '19 at 14:58
  • Nope, this is local dev mode only (that endpoint returns a mock JSON obj). Since this is Quarkus, the expected issuers are set by an application property, not a builder. I'm having trouble understanding how to use a builder instead. – Jim Wharton Aug 18 '19 at 21:22
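As an added example (not code from either poster or from Quarkus), this shows the two jose4j-level choices the answer describes for a token with no iss claim, like the one in the question: a consumer that never calls setExpectedIssuer[s] accepts it, while one that requires a pinned issuer rejects it with a clean ISSUER_MISSING error rather than an NPE. The RSA key is generated in place as a stand-in for the JWKS endpoint, and "https://auth.example" is a placeholder issuer.

```java
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.ErrorCodes;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

public class IssClaimDemo {

    // Mint a signed token that, like the one in the question, carries no "iss" claim.
    static String tokenWithoutIss(RsaJsonWebKey jwk) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(60);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(jwk.getPrivateKey());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }

    public static void main(String[] args) throws Exception {
        RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048); // constructed stand-in for the JWKS key
        String jwt = tokenWithoutIss(jwk);

        // Option 1: no setExpectedIssuer[s] call, so iss is neither required nor compared.
        // This is the only route when the token's claims cannot be changed.
        JwtConsumer lenient = new JwtConsumerBuilder()
                .setVerificationKey(jwk.getKey())
                .setRequireExpirationTime()
                .build();
        System.out.println("lenient accepted: " + lenient.processToClaims(jwt).getClaimsMap());

        // Option 2: issuer required and pinned (placeholder value). The same token is now
        // rejected with a well-defined error code instead of the NPE seen in the question.
        JwtConsumer strict = new JwtConsumerBuilder()
                .setVerificationKey(jwk.getKey())
                .setRequireExpirationTime()
                .setExpectedIssuer(true, "https://auth.example")
                .build();
        try {
            strict.processToClaims(jwt);
        } catch (InvalidJwtException e) {
            System.out.println("strict rejected, issuer missing: " + e.hasErrorCode(ErrorCodes.ISSUER_MISSING));
        }
    }
}
```

Option 1 trades away issuer binding entirely, so anyone holding a key listed in the JWKS can mint tokens the consumer accepts; keep it confined to cases like the local dev setup described in the comments.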