-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mp.jwt.verify.publickey format clarification #199
Comments
@vsmid In general, the implementations are allowed to support things which have not been explicitly allowed for in the spec. |
@sberyozkin Thanks. Perhaps both formats(with and without headers) can be acceptable? I mean, it is a bit confusing when switching servers the same thing acts very differently. Maybe docs could say a little bit more about this. |
Seems the headers are more or less standard these days (as also defined in an RFC), so probably we want to indicate this in the spec that headers are required (2.0 as this is breaking change) |
@vsmid Thanks; I'm pretty sure the PEM key without the headers (as |
@rdebusscher Hi Rudy, I misinterpreted your comment,
I don't think we have to mandate in 2.0 that the users use complete PEM file content with the headers for As such I'd consider it for a possible Thanks |
@vsmid Hi - I've just looked closer into this issue - MP JWT TCK already enforces a fully formatted inlined public key is accepted, see the test properties. I've also verified it works in IMHO we should certainly not require the users to start using the fully formatted PEM key content for I'll open a PR to clarify it in the spec |
OK, the spec does not explicitly allow the encoded keys without PEM headers - but in that case there is nothing to clarify for MP JWT 1.2.1 - as I said I'd be against starting failing the applications which have for example
as opposed to
the latter should work - but I don't want to require our users to add those headers in But what I'd like to enhance - for 2.0 - is to require that implementations accept
as it is simpler for the users to do but which would indeed be a 2.0 level enhancement since 1.2 does not require it |
I agree with making this a 2.0 requirement. |
@teddyjtorres Hi Teddy, I was about to start catching up on this one - but I wonder if we are here in the same boat as we were after 1.2 was out. MP JWT 2.0 does not require it so therefore we can't enforce this requirement for 2.1. I propose to delay it till 3.0 |
@sberyozkin Hi Sergey. I agree with delaying it until 3.0. |
Hi, I've just passed a few hours understanding why Open Liberty throw me the following error before I find this issue :
Does Open Liberty must throw an "DeploymentException" as stated in the specification instead of telling that no public key was found ? |
Hi,
I noticed that OpenLiberty requires -----BEGIN/END PUBLIC KEY----- header/footer headers when setting mp.jwt.verify.publickey value. For example, I tried the same thing on Payara and Quarkus and it didn't work. They both work without headers.
A while ago I did ask on OpenLiberty GitHub about this and they referred to the MicroProfile JWT docs part where it says that MicroProfile JWT implementations must inspect the supplied Public Key body for the -----BEGIN PUBLIC KEY----- header and parse the key as PCKS#8 if found.
Is this a case of a less strict public key format (Payara, Quarkus) when specifying mp.jwt.verify.publickey and should it be allowed?
The text was updated successfully, but these errors were encountered: