Make token issuer validation optional #1095
Comments
Hello! Thanks for raising this issue.
Yes.
If I set
Ok. But wouldn't that mean that the token is not checked at all? And that people not authenticated at all would have access to the Microcks UI? Also, how could we get access to users' roles if the token has been issued by another realm?
No, only the iss value from the token will not be validated. And if the iss validation is required, we can always enable it. But we can't disable it while we have this property in
This issue has been automatically marked as stale because it has not had recent activity 😴 It will be closed in 30 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation. There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. Microcks is a Cloud Native Computing Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under an open governance model. Let us figure out together how to push this issue forward. Connect with us through one of the many communication channels we established here. Thank you for your patience ❤️
Hey there! I thought about this one and have a few questions to make it clearer ;-) Let me rephrase a bit and please tell me if I understand things correctly... As I understand it, you have apps or users with JWT tokens created by a I understand that removing the property would disable the Now I have those questions:
Any help is appreciated in making this clearer! Thank you,
Hi @lbroudoux !
Yes, but it's about apps and mock invocations only, I need this in order not to change the logic of the tested applications. Microcks users are still in the microcks realm.
Yes, we need at least one of them to configure the resource server according to the manual.
No, all we need is to add the key(s) from the realm-issuer(s) (systemAuth, superSystemAuth, etc.) to the microcks realm, so that it can validate tokens from these sources.
As I mentioned above, I need only the invocations of the mock URLs by the tested apps. All servicing users and roles are still in the microcks realm, so here nothing changes.
At the moment I have no other solution :(
Oh oh oh... I missed something here... I thought it was for calling Microcks APIs (you know In fact, present oauth bearer in mock invocations shouldn't be validated as they can come from many different issuers - you were on the simple case where they were actually issued by a Keycloak as well but we have so many diverse situations. Could you check that one? Validate if switching to latest fix of You may come back saying that you'd like basic validation of JWT even on mock invocations though ;-) This is another topic IMHO and may lead to another issue in my opinion ... For that we can imagine different strategies/policies:
What do you think?
Yes, new
Reason/Context
In some cases, Microcks' clients may receive an auth token from sources other than the Microcks' realm. Now in this case we get
Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: The iss claim is not valid"
And there is no way to fix this without total keycloak disabling. We can't just override this
spring.security.oauth2.resourceserver.jwt.issuer-uri=
in kube config, because '' is not the same as null for Spring when it creates the validator.
Description
All we need to fix this is to make
spring.security.oauth2.resourceserver.jwt.issuer-uri
optional. There will be no breaking changes.
Implementation ideas
Idea
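One way the "optional issuer" behaviour described in this issue (and in the earlier comment that only the iss value would go unchecked) can be expressed in Spring Security, as an added example that is not Microcks' own code: a JwtDecoder bean that always verifies the signature against a JWK set and the exp/nbf claims, and adds the issuer check only when spring.security.oauth2.resourceserver.jwt.issuer-uri has a non-blank value. The class and package names are hypothetical, and the example assumes spring.security.oauth2.resourceserver.jwt.jwk-set-uri is set so that signature verification never depends on the issuer property; a blank value for the issuer property is deliberately treated as "absent", which is the ''-versus-null gap the issue body points out in the stock auto-configuration.

```java
// Added example (not Microcks' own code). Package and class names are hypothetical.
package example.security;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.util.StringUtils;

@Configuration
public class OptionalIssuerJwtConfig {

    // Empty default: an unset or empty property arrives here as "" and is treated
    // as "no issuer configured" instead of being handed to the validator as a value.
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri:}")
    private String issuerUri;

    // The JWK set endpoint stays mandatory (assumption): without it there is no
    // signature check at all, which is the thing that must never become optional.
    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    @Bean
    public JwtDecoder jwtDecoder() {
        // Signature verification against the configured JWK set.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        decoder.setJwtValidator(buildValidator(issuerUri));
        return decoder;
    }

    // Package-private so the decision logic can be unit-tested without a Spring context.
    static OAuth2TokenValidator<Jwt> buildValidator(String issuerUri) {
        // exp / nbf are always enforced.
        OAuth2TokenValidator<Jwt> timestamps = new JwtTimestampValidator();
        if (StringUtils.hasText(issuerUri)) {
            // Issuer configured: require `iss` to match, as the default auto-config does.
            return new DelegatingOAuth2TokenValidator<>(timestamps, new JwtIssuerValidator(issuerUri));
        }
        // No issuer configured: signature and timestamps are still checked; only the
        // `iss` claim is no longer compared against a fixed value.
        return timestamps;
    }
}
```

With the issuer check turned off, trust is decided entirely by the JWK set the decoder fetches: any token signed by a key published there is accepted regardless of its iss claim. That matches the approach discussed above of adding the other realms' keys to the microcks realm, and it is why jwk-set-uri is kept mandatory here rather than derived from the (now optional) issuer.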