Generate RSA-256 keys on dev mode #44272
base: main
Conversation
Thanks for your pull request! Your pull request does not follow our editorial rules. Could you have a look?
This message is automatically generated by a bot.
Hey @mcruzdev Thanks for giving it a try, indeed, we'd like to make it easy for But what should really be done is that none of those properties should be required in devmode, no any temporary files should be created... If The code which will generate tokens using the published private key @michalvavrik, do you recall which build item can be used to report build time properties? (smallrye-jwt ones related to keys are currently build time only...)
If this https://github.com/smallrye/smallrye-jwt/blob/74638c415a0096e1916363e51571e6ed4aecf8d2/implementation/jwt-auth/src/main/java/io/smallrye/jwt/config/JWTAuthContextInfoProvider.java#L219 is the only place where this property is used, then I'd expect returning them from
Hi @sberyozkin, it was necessary to get the properties (*.location) from the user, because I do not know how to change configuration values at build time; I think that config is read-only. I will try the customizer here.
Thank you, it works! Now I will continue here...
🎊 PR Preview 9777061 has been successfully built and deployed to https://quarkus-pr-main-44272-preview.surge.sh/version/main/guides/
Resolved review threads on:
- .../deployment/src/main/java/io/quarkus/smallrye/jwt/deployment/SmallRyeJwtBuildTimeConfig.java
- ...ye-jwt/deployment/src/main/java/io/quarkus/smallrye/jwt/deployment/SmallRyeJwtProcessor.java
- ...-jwt/deployment/src/test/java/io/quarkus/jwt/test/devmode/KeyPairOutOfTheBoxDevModeTest.java
Thanks @mcruzdev, IMHO it will be a nice addition, I've left a few comments, but it all is going well, thanks for the effort, and please take your time to address the comments
d8e1402 to 2dc5a61
Hey @mcruzdev, thanks for starting devui work, it looks promising, but let's deal with it in another PR, this PR is not finalised yet, and it already has too many comments for the DevUI work to be accommodated... Speaking of setting the issuer, why did you have to set it in props for generating new tokens if it is set in dev mode anyway?
Sorry for both, I forgot to remove them from tests.
2dc5a61 to 0b84f66
Done @sberyozkin, I think now it is ok!
I'm not convinced. I also don't see why this is tied to a dev service, from the start. Sounds like a dev-mode build step, for sure. Not being able to stay logged in after a restart feels like a step back from what I have in Renarde, and I haven't read a compelling argument for not generating a file for DEV mode so that cold restarts are supported. What I mean is: what is the argument in favour of not supporting cold restarts for JWT sessions? What does it gain us? What is the advantage?
Hi @FroMage
Sure, I only asked @mcruzdev to have the build step in a class file whose name contains
My own understanding is that there should be no state left behind, it seems not great, but I have no strong opinion, I'd only like to have an option where nothing is generated on the disk. Which is why I suggest we add a build item here in this PR, and Renarde will produce it, and if this build item is consumed here, then we just return without doing any in-memory key generation... Does it work?
Using that name is confusing when there is no dev service for this.
That's one option, but I think we should open the discussion to more people, as this is a UX issue, so let's ask @cescoffier and @maxandersen: Here we're trying to auto-generate JWT keys in DEV mode, so users can get started with JWT without manually generating them. Otherwise JWT doesn't work OOTB. We have the choice between two approaches:
Re-generating the keys means the JWT cookies will become invalid and users need to re-login. I find it better to generate a file and only force users to re-login on Any opinion?
@FroMage Hi, sure, let's rename that, we can replace As far as hot start vs cold start is concerned, when we are in the DevUI screen which is what @mcruzdev already started experimenting with, we don't have cookies, and there is no login/logout flow, and similarly, when running tests. So here, leaving the generated files when the server is shut down is not great IMHO... Also as I said, I'm not sure that retaining files after the cold start always works, let's say you started, all works, then you shut down, decide to put the real key verification material, and after the cold restart the user JWT cookie is not verified... Can you consider requesting a user reauthentication in devmode if the current cookie cannot be verified? That would work with hot and cold restarts...
c68dcab to 69aed49
But this is for DEV mode and test mode, most people spend more time in DEV or test mode than in the DEV UI. If they're using cookies (and any web application will use cookies), this will affect them.
This would work, because once you start adding a real key, you have configuration that points to the new key. This will indeed force you to relogin, but hey, you changed the key, that's fair.
This is what people are forced to do indeed, but that's adding an extra step and making the UX worse than it could be.
```java
// Review comment anchored on this snippet of the PR's SmallRyeJwtProcessor:
// encodes key.getEncoded() (DER bytes) as a single bare Base64 string.
private static String getStringKey(Key key) {
    return Base64.getEncoder()
            .encodeToString(key.getEncoded());
}
```
I don't know that part of the codebase, but is this intended to be a PEM format?
RSA Key needs to use PKCS#1 format.
Hi @cescoffier It is intended to be a PEM format. mp.jwt.verify.publickey uses it, see here.
EDIT: intended to be a base64 encoded key
ok, this is NOT PEM format :-) This is just a base64 encoded key.
If you want PEM format you need the header and footer explaining what's the content (RSA KEY, PRIVATE KEY ...)
I agree with @FroMage about generating a proper PEM file (Be aware, this is a trap) in the output directory (target or build) so it can be reused between runs and used for both test and dev. Now, generating a proper PEM file can be tricky because there are several formats: PKCS#1, PKCS#8, PKCS#7, SEC1 (EC)... Also, I learned that PKCS#8 can be encrypted. In this case, I would just pick one (but the runtime would need to support most of them, if not all)
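Added example to illustrate the point of this review thread; it is not code from this PR, from Quarkus or from smallrye-jwt, and the class and method names are my own. It shows the bare Base64 string that a `getEncoded()`-based helper produces next to a PEM-framed key with the `-----BEGIN`/`-----END` header and footer, then round-trips the PEM back through `KeyFactory`. The JDK's `getEncoded()` yields PKCS#8 DER for an RSA private key and X.509 SubjectPublicKeyInfo DER for the public key, so the PEM labels are `PRIVATE KEY` and `PUBLIC KEY`; the PKCS#1 `RSA PRIVATE KEY` form mentioned above has a different DER body and is deliberately not handled here.

```java
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

// Added example (not Quarkus/smallrye-jwt code): bare Base64 vs. PEM for a dev-mode RSA key pair.
public class DevKeyPemExample {

    // Equivalent of the helper under review: DER bytes as one bare Base64 line, no PEM framing.
    static String bareBase64(Key key) {
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    // PEM framing: header, Base64 body wrapped at 64 characters, footer.
    // Labels are "PRIVATE KEY" (PKCS#8) and "PUBLIC KEY" (SubjectPublicKeyInfo), matching getEncoded().
    static String toPem(Key key, String label) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(key.getEncoded());
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    // Extract and decode the Base64 body between the BEGIN/END lines for the given label.
    // A PEM carrying a different label (e.g. PKCS#1 "RSA PRIVATE KEY") is rejected rather than misparsed.
    static byte[] pemBody(String pem, String label) {
        String begin = "-----BEGIN " + label + "-----";
        String end = "-----END " + label + "-----";
        int s = pem.indexOf(begin);
        int e = pem.indexOf(end);
        if (s < 0 || e < 0 || e < s) {
            throw new IllegalArgumentException("PEM does not contain a " + label + " block");
        }
        String body = pem.substring(s + begin.length(), e).replaceAll("\\s", "");
        return Base64.getDecoder().decode(body);
    }

    static PrivateKey readPrivateKey(String pem) throws Exception {
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pemBody(pem, "PRIVATE KEY")));
    }

    static PublicKey readPublicKey(String pem) throws Exception {
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(pemBody(pem, "PUBLIC KEY")));
    }

    public static void main(String[] args) throws Exception {
        // Fresh 2048-bit RSA pair, as a dev-mode generator would create.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        String bare = bareBase64(kp.getPublic());
        String publicPem = toPem(kp.getPublic(), "PUBLIC KEY");
        String privatePem = toPem(kp.getPrivate(), "PRIVATE KEY");

        System.out.println("bare Base64 (first 32 chars): " + bare.substring(0, 32) + "...");
        System.out.println(publicPem);

        // The PEM must decode to exactly the DER bytes that were encoded.
        boolean roundTrip = Arrays.equals(readPublicKey(publicPem).getEncoded(), kp.getPublic().getEncoded())
                && Arrays.equals(readPrivateKey(privatePem).getEncoded(), kp.getPrivate().getEncoded());
        System.out.println("PEM round-trip ok: " + roundTrip);

        // Feeding the bare Base64 to the PEM reader fails, which is the mismatch the thread is about.
        try {
            pemBody(bare, "PUBLIC KEY");
        } catch (IllegalArgumentException ex) {
            System.out.println("bare Base64 is not PEM: " + ex.getMessage());
        }
    }
}
```

Runs as a single source file with `java DevKeyPemExample.java` (JDK 11+). Whether a given verifier accepts the bare form, the PEM form, or both is a property of that verifier's config parsing, which is why the thread asks which format `mp.jwt.verify.publickey` is expected to receive.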
Hi @FroMage
Well, our plan is to offer a DevUI support for Also, while you say users spend most of their time in devmode, but in devmode one does not cold-stop the server, usually we do it if something goes wrong with the live coding. What is the scenario that you have in mind where a server is cold-stopped when the authenticated user is around?
Status for workflow
Status | Name | Step | Failures | Logs | Raw logs | Build scan
---|---|---|---|---|---|---
✖ | Quickstarts Compilation - JDK 17 | Compile Quickstarts | Failures | Logs | Raw logs | 🚧
You can consult the Develocity build scans.
Failures
⚙️ Quickstarts Compilation - JDK 17
- Failing: security-webauthn-quickstart security-webauthn-reactive-quickstart
📦 security-webauthn-quickstart
✖ Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.11.0:compile (default-compile) on project security-webauthn-quickstart: Compilation failure
📦 security-webauthn-reactive-quickstart
✖ Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.11.0:compile (default-compile) on project security-webauthn-reactive-quickstart: Compilation failure
@FroMage, @sberyozkin any update about this one? Do we have a direction to follow?
Just rebase on the latest quarkus
Description
Fixes #44179
This PR aims to add, in DEV mode, generation of an RSA-256 key pair.
It is great for development and test environments; the user just needs to set two 3 config properties:
Status: In progress