I've been experiencing some unusual behavior when using MP-JWT authorization in OpenLiberty. I have a single role ("apiuser") that I'm using for secured resources which gets included in the "groups" claim in the JWT. Most of the time this works as expected, but every so often I'll start OpenLiberty (using the Maven plugin; "mvn liberty:dev" or "mvn liberty:start") to find that every resource annotated with @RolesAllowed("apiuser") starts returning a 403 response when a valid token is included in the authorization header. Stopping, running "mvn clean", and restarting often fixes this, but it has become difficult to have faith in deployments when any of them may start exhibiting this behavior.

Curious, I put together an endpoint to test this like so:

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("test/whoami")
public class TestResource {
    // With MP-JWT the caller's Principal is the validated token itself
    @Inject
    Principal user;

    @Inject
    JsonWebToken token;

    // Plain DTO serialised as the JSON response; fields match what doGet() fills in
    public static class TestAuthInfo {
        public boolean isApiUserRole;
        public boolean isSecure;
        public String userPrincipal;
        public String authScheme;
        public boolean isJwt;
        public List<String> groups = new ArrayList<>(); // initialised so addAll() cannot NPE
        public String token;
    }

    @Context
    SecurityContext securityContext;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public TestAuthInfo doGet() {
        var info = new TestAuthInfo();
        // What the container decided about the role, independent of the token contents
        info.isApiUserRole = securityContext.isUserInRole("apiuser");
        info.isSecure = securityContext.isSecure();
        if (securityContext.getUserPrincipal() != null) {
            info.userPrincipal = securityContext.getUserPrincipal().getName();
        } else {
            info.userPrincipal = "(none)";
        }
        info.authScheme = securityContext.getAuthenticationScheme();
        info.isJwt = user instanceof JsonWebToken;
        // What the token itself carries, so the two can be compared in the response
        if (token != null) {
            var groups = token.getGroups() != null ? token.getGroups() : Collections.<String>emptySet();
            info.groups.addAll(groups);
            info.token = token.toString();
        }
        return info;
    }
}

and, indeed, "isApiUserRole" switches from "true" to "false" between some runs of OpenLiberty (and "apiuser" is always included in the JWT's groups).

Can someone help me understand why this is happening and – even better – how to fix it? Even information on how to enable additional logging around this would be helpful since as things are now I have very little to go on.
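As an added example (not part of the question, and not the asker's configuration), the server.xml below does the two things that make this kind of intermittent 403 easier to pin down: it binds the "apiuser" role to the JWT group explicitly instead of relying on any implicit same-name mapping, and it turns on trace for the Liberty security components so the next failing request leaves a record in trace.log. Feature versions, the application name, and the issuer/audience/jwksUri values are assumptions chosen for this example.

```xml
<server description="whoami test server (example configuration)">
    <featureManager>
        <feature>jaxrs-2.1</feature>
        <feature>cdi-2.0</feature>
        <feature>mpJwt-1.1</feature>
    </featureManager>

    <!-- Token validation settings: issuer, audience and JWKS URL are placeholders -->
    <mpJwt id="whoamiJwt"
           issuer="https://issuer.example/placeholder"
           audiences="whoami-api"
           jwksUri="https://issuer.example/placeholder/jwks" />

    <!-- Explicit role-to-group binding for the deployed application (name assumed).
         @RolesAllowed("apiuser") now resolves through this binding rather than
         through whatever default mapping the container applies. -->
    <webApplication location="whoami.war" contextRoot="/">
        <application-bnd>
            <security-role name="apiuser">
                <group name="apiuser" />
            </security-role>
        </application-bnd>
    </webApplication>

    <!-- Trace the security runtime and the web container's authorization path.
         Leave this off in normal operation; trace.log will contain token contents. -->
    <logging traceSpecification="*=info:com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all"
             maxFileSize="20"
             maxFiles="10" />
</server>
```

With trace enabled, a useful check is to capture the trace.log entries around one request that returns 403 and one that returns 200 for the same token, and compare the group names and role bindings the runtime reports for each; a difference there points at configuration or binding resolution rather than at the token.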