Quarkus: Wrong behavior in Using JWT RBAC guide

Created on 15 Oct 2019  ·  12 Comments  ·  Source: quarkusio/quarkus

Following the Using JWT RBAC guide section "finally-secured-access-to-securedroles-allowed" the expected curl result is hello + [email protected], isSecure: false, authScheme: MP-JWT, hasJWT: true but the outcome differs.

Also this warning is reported: WARN: Unrecognized configuration key "quarkus.smallrye-jwt.auth-mechanism" provided

Expected behavior

Expected authScheme: MP-JWT and no WARN report.

Actual behavior

authScheme: BASIC in resource report and warning about unrecognized configuration key.

To Reproduce
Steps to reproduce the behavior:

  1. git clone https://github.com/quarkusio/quarkus-quickstarts.git
  2. run the integration unit test
  3. tests pass but unexpected behavior

Configuration
The one provided in quickstart

Environment (please complete the following information):

  • Output of uname -a or ver: Linux 2018-00002 4.4.0-18362-Microsoft #1-Microsoft Mon Mar 18 12:02:00 PST 2019 x86_64 x86_64 x86_64 GNU/Linux
  • Output of java -version: openjdk version "1.8.0_222" OpenJDK Runtime Environment (Zulu 8.40.0.25-CA-linux64) (build 1.8.0_222-b10) OpenJDK 64-Bit Server VM (Zulu 8.40.0.25-CA-linux64) (build 25.222-b10, mixed mode)
  • Quarkus version or git rev: 0.24.0
Labels: area/security, kind/bug

All 12 comments

@sberyozkin could you have a look at that one?

@loicmathieu ping me please if needed, thanks

@filippobuletto FYI, I'm going to update the guide to refer to Basic, MP-JWT was not really an authentication scheme, it is used to configure the login modules in some cases, but it is really a Basic authentication scheme which is used to pass the bearer JWT token

@sberyozkin looks good to me, the configuration key quarkus.smallrye-jwt.auth-mechanism has been superseded by another one or has been removed?

@filippobuletto yes. I should've made sure it was mentioned in the 0.25.0 release notes :-)

@filippobuletto I've no idea what I was talking about. Hmm, it must be a Bearer scheme

@sberyozkin that’s true, I’ve been biased by your statement.
So, it’s a bug of the extension or of the smallrye implementation?
May this be a security issue? Reporting the wrong scheme may lead to wrong authentication behavior

@filippobuletto I'm looking into it. I think it is just somewhere on the call path the fact that it was Bearer is ignored and the wrong auth scheme reported (I'm still kicking myself for the fact I've so convincingly typed earlier about the Basic scheme used to pass the Bearer tokens - this is the worst line I've ever typed :-), I'll blame the demo for confusing me with reporting Basic :-) )

Really a lol at myself moment :-), given how many times I wrote the code parsing the bearer schemes :-)
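A small defender-side check for the Basic/Bearer scheme confusion discussed in this thread, as an added example that is not part of the issue or of Quarkus: it splits the Authorization header per RFC 7235, reports the scheme a SecurityContext should expose, and shows that a compact JWT cannot be consumed as Basic credentials. The header values are constructed for the example.

```python
from __future__ import annotations
import base64
import binascii
import re

# Constructed sample headers (not from the issue): a Basic credential and a
# bearer token with the compact JWT shape header.payload.signature.
SAMPLE_HEADERS = {
    "basic": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    "bearer": "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJqZG9lIn0.c2lnbmF0dXJl",
}

def parse_authorization(header: str) -> tuple[str, str]:
    """Split 'Authorization: <scheme> <credentials>' (RFC 7235).

    The scheme token is case-insensitive and is normalised to lower case;
    the credentials are returned untouched. Raises ValueError when malformed.
    """
    m = re.fullmatch(r"\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s+(\S.*?)\s*", header or "")
    if not m:
        raise ValueError("malformed Authorization header")
    return m.group(1).lower(), m.group(2)

def classify(header: str) -> dict:
    """Report the scheme the way a SecurityContext should, and check that
    the credentials actually fit that scheme before trusting the label."""
    scheme, creds = parse_authorization(header)
    if scheme == "basic":
        try:
            user, _, _pw = base64.b64decode(creds, validate=True).decode("utf-8").partition(":")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("Basic credentials are not base64(user:password)") from exc
        return {"authScheme": "Basic", "principal": user}
    if scheme == "bearer":
        # A compact JWS/JWT is three base64url segments separated by dots.
        if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*", creds):
            raise ValueError("Bearer credential is not a compact JWT")
        return {"authScheme": "Bearer", "token": creds}
    raise ValueError(f"unsupported scheme {scheme!r}")

def is_rejected(header: str) -> bool:
    """True when classify() refuses the header, e.g. a JWT mislabelled as Basic."""
    try:
        classify(header)
    except ValueError:
        return True
    return False
```

Labelling a bearer JWT as Basic (the symptom in this issue) is not just a cosmetic mistake: the same credential fails validation as soon as a consumer acts on the reported scheme.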

@filippobuletto see #4648

@sberyozkin don't be too hard on yourself, I’m also into sec and I’ve been also tricked 😄 I’ve seen the PR, “TODO fixme” are the root of all evil!
Thank you

If quarkus.smallrye-jwt.auth-mechanism property isn't used anymore (https://quarkus.io/guides/security-jwt#configuration-reference), should it be removed from https://quarkus.io/guides/security-jwt guide?
