Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FISH-651 Added proprietary property to disable verification of token's "typ" c… #5008

Merged
merged 2 commits into from
Nov 30, 2020
Merged

FISH-651 Added proprietary property to disable verification of token's "typ" c… #5008

merged 2 commits into from
Nov 30, 2020

Conversation

fturizo
Copy link
Contributor

@fturizo fturizo commented Nov 26, 2020

FISH-615 Allow JWT verification to skip type validation

Description

This is a minor improvement to make the MP JWT Authentication module to accept tokens generated without the typ claim in its header. Currently, the specification requires this claim to be present at all times, but NOT all modern third-party services generate tokens with this claim, as the corresponding RFC for JWT sets it as optional:

5.1. "typ" (Type) Header Parameter

The "typ" (type) Header Parameter defined by [JWS] and [JWE] is used by JWT applications to declare the media type [IANA.MediaTypes] of this complete JWT. This is intended for use by the JWT application when values that are not JWTs could also be present in an application data structure that can contain a JWT object; the application can use this value to disambiguate among the different kinds of objects that might be present.
...
Use of this Header Parameter is OPTIONAL.

This PR introduces a custom property called disable.type.verification that turn’s this validation ON/OFF, which can be defined in the custom payara-mp.-jwt.properties file.

It is important to note that next versions of the specification are already defining "recommended" claims, which means that this behaviour will become standardized in the next iteration of the specification.

Testing Performed

No tests present as there is no testing infrastructure for the MP JWT Auth module

Documentation

Documentation PR: payara/Payara-Community-Documentation#115

Notes for Reviewers

None

@Pandrex247
Copy link
Member

Jenkins test please

Pandrex247
Pandrex247 approved these changes Nov 27, 2020
View reviewed changes
Copy link
Member

@Pandrex247 Pandrex247 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - not actually tested though

@MattGill98 MattGill98 merged commit 10f3a84 into payara:master Nov 30, 2020
@MattGill98 MattGill98 changed the title Added proprietary property to disable verification of token's "typ" c… FISH-651 Added proprietary property to disable verification of token's "typ" c… Nov 30, 2020
@fturizo fturizo deleted the FISH-651_MP_JWT_Disable_Type_Validation branch December 4, 2020 19:54
Cousjava pushed a commit to Cousjava/Payara that referenced this pull request Jan 27, 2021
@MattGill98
Merge pull request payara#5008 from fturizo/FISH-651_MP_JWT_Disable_T…
d2fbddd 
…ype_Validation

Added proprietary property to disable verification of token's "typ" c…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Pandrex247 Pandrex247 Pandrex247 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fturizo @Pandrex247 @MattGill98