Bug Report: Discrepancy of JTI claim between code and spec #6639

Closed
tdevfeeds opened this issue Apr 11, 2024 · 3 comments

tdevfeeds commented Apr 11, 2024

Brief Summary

The JTI claim is not required in the OAuth2 spec, nor in the MP JWT Auth spec (https://github.com/eclipse/microprofile-jwt-auth/blob/main/spec/src/main/asciidoc/interoperability.asciidoc). The latter states it is "recommended". This is preventing JWT verification with OAuth2 IDPs like Microsoft Entra, which does NOT send the JTI claim and instead uses a "nonce" claim. Is the desired behavior to require the JTI claim, or is this a bug?

Edit
Sorry, thought GitHub would reference the line of code in question. Adding it here.

Expected Outcome

Code matches spec.

Current Outcome

JWT fails validation due to missing JTI claim.

Reproducer

Any JWT without JTI claim.

Operating System

NA

JDK Version

NA

Payara Distribution

Payara Micro
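
The two behaviours contrasted in the report above, as an added example that is not part of the issue and is not Payara or MicroProfile code: a hypothetical claim check in which `jti` is either required or only recommended, and is checked for replay whenever it is present. The class and method names, the sample claim sets and the `exp`-bounded replay cache are assumptions; signature verification is assumed to have been done before this check runs.

```java
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: hypothetical claim check, not Payara's or MicroProfile's code.
// Assumes the token signature was already verified by the caller.
public class JtiPolicyDemo {
    enum JtiPolicy { REQUIRED, RECOMMENDED }

    private final JtiPolicy policy;
    // jti -> token expiry (epoch seconds); entries are dropped once expired.
    private final Map<String, Long> seen = new ConcurrentHashMap<>();

    JtiPolicyDemo(JtiPolicy policy) { this.policy = policy; }

    // Returns "ok..." or a rejection reason for one verified claim set.
    String check(Map<String, Object> claims, Instant now) {
        long nowSec = now.getEpochSecond();
        Object exp = claims.get("exp");
        if (!(exp instanceof Number) || ((Number) exp).longValue() <= nowSec) {
            return "rejected: exp missing or in the past";
        }
        long expSec = ((Number) exp).longValue();
        Object jti = claims.get("jti");
        if (jti == null) {
            // This branch is where "required" and "recommended" differ.
            return policy == JtiPolicy.REQUIRED ? "rejected: jti missing" : "ok (no jti, replay check skipped)";
        }
        if (!(jti instanceof String) || ((String) jti).isBlank()) {
            return "rejected: jti present but not a non-empty string";
        }
        seen.values().removeIf(e -> e <= nowSec);
        // putIfAbsent returns the earlier entry when this jti was already used.
        if (seen.putIfAbsent((String) jti, expSec) != null) {
            return "rejected: jti replayed";
        }
        return "ok";
    }

    public static void main(String[] args) {
        Instant now = Instant.ofEpochSecond(1_700_000_000L);
        // Constructed claim sets; issuer and values are placeholders.
        Map<String, Object> withJti = Map.of("iss", "https://idp.example", "exp", 1_700_000_600L, "jti", "a1b2");
        Map<String, Object> noJti = Map.of("iss", "https://idp.example", "exp", 1_700_000_600L, "nonce", "n-123");
        JtiPolicyDemo lenient = new JtiPolicyDemo(JtiPolicy.RECOMMENDED);
        System.out.println(new JtiPolicyDemo(JtiPolicy.REQUIRED).check(noJti, now));
        System.out.println(lenient.check(noJti, now));
        System.out.println(lenient.check(withJti, now) + " | " + lenient.check(withJti, now));
    }
}
```

Under the recommended policy a token without `jti` is accepted with no replay tracking, so any replay protection for such tokens has to come from another control.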

tdevfeeds added the labels "Status: Open" and "Type: Bug" on Apr 11, 2024

shub8968 commented May 1, 2024

Duplicate of #5791

shub8968 marked this as a duplicate of #5791 on May 1, 2024
shub8968 added the label "Status: Pending" and removed the label "Status: Open" on May 1, 2024
github-actions bot added the label "Status: Abandoned" and removed the labels "Type: Bug" and "Status: Pending" on May 7, 2024

github-actions bot commented May 7, 2024

Greetings,
It's been more than 5 days since we requested more information or an update from you on the details of this issue. Could you provide an update soon, please?
We're afraid that if we do not receive an update, we'll have to close this issue due to inactivity.

payara locked as resolved and limited conversation to collaborators on May 7, 2024

fturizo commented May 7, 2024

Since this issue is a duplicate of #5791, which is not a valid bug report for the Payara Platform, we're marking this as closed. @tdevfeeds, please follow the suggestion on #5791 and raise this issue directly with the MicroProfile JWT Working group to get a solution.

fturizo closed this as completed on May 7, 2024