
JWT Authentication for API Gateway #6769

Merged
merged 36 commits into from
Aug 7, 2019

Conversation

ChamodDamitha
Contributor

Enable API authentication support using JWT tokens.

Issue - wso2/product-apim#5115

JSONObject payload = null;
boolean isVerified = false;

String tokenSignature = splitToken[2];
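Review bot: `splitToken[2]` on the last line depends on a precondition (the three-segment check) that is enforced by the caller and not restated in this method, so the invariant is invisible here and easy to break when another code path starts calling the validator. Suggest an explicit guard at the top of the method, e.g. `if (splitToken.length != 3) { throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token"); }`, or at minimum a Javadoc note on the parameter stating that it must already be a validated `header.payload.signature` split.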
Member

possible array index out of bounds if someone sends an invalid JWT?

Contributor Author

@ChamodDamitha ChamodDamitha Aug 4, 2019

Invalid token split length is handled in the OAuthAuthenticator before hitting this code

String signatureAlgorithm;
JSONObject header;
try {
header = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[0])));
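Review bot: `new String(Base64.getUrlDecoder().decode(splitToken[0]))` decodes the header bytes with the JVM's default charset; RFC 7515 specifies that the JOSE header JSON is UTF-8, so on a runtime whose default charset is not UTF-8 a header containing non-ASCII characters parses differently than the issuer intended. Suggest `new String(Base64.getUrlDecoder().decode(splitToken[0]), StandardCharsets.UTF_8)`. `Base64.getUrlDecoder()` itself is the right choice for base64url segments and accepts the unpadded form that JWTs use.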
Member

Seems we do URL decode? Can there be any other decoding methods?

Contributor Author

In the Key manager, we do URL encode. That's why I used URL decode here.

header = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[0])));
} catch (JSONException | IllegalArgumentException e) {
log.debug("Token decryption failure when retrieving header.", e);
throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
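Review bot: the message on the `log.debug` line says "decryption", but the operation that fails here is base64url decoding or JSON parsing of the header, so the wording should say "decoding" to keep log searches accurate. Also worth keeping in mind when acting on the request above to log part of the token: parser exceptions passed as `e` may already carry fragments of the offending input in their message, so this entry should stay at debug level and never be promoted to info or warn where it would land in routinely collected logs.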
Member

saying token invalid. Can't we trim and log at least the last few letters?

Contributor Author

Added

@@ -345,6 +349,7 @@
org.apache.synapse.endpoints.*,
org.apache.synapse.mediators.base,
org.apache.axis2.transport.base,
io.swagger.parser.*; version="${openapitools.swagger.parser.version}",
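Review bot: `io.swagger.parser.*; version="${openapitools.swagger.parser.version}"` on the added line is a bare version, which in an OSGi Import-Package header is a floor with no ceiling, so the bundle can be wired to any later swagger-parser, including an incompatible major release present in the runtime. Suggest bounding it, e.g. `version="[${openapitools.swagger.parser.version}, NEXT_MAJOR)"`, with `NEXT_MAJOR` (placeholder) set from the parser's compatibility policy, which is what "import version range" asks for.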
Member

better to import version range

Contributor Author

done

if (!isVerified) {
log.debug("Token not found in the cache.");
try {
payload = new JSONObject(new String(Base64.getUrlDecoder().decode(splitToken[1])));
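Review bot: on this cache-miss path the payload is decoded and parsed while `isVerified` is still false, i.e. before any signature check has run, so nothing read from `payload` inside this block may feed an authorization decision until verification succeeds; a one-line comment stating that at the top of the block would keep later edits from trusting claims too early. The same charset point as the header applies: `new String(...)` should use `StandardCharsets.UTF_8` rather than the platform default.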
Member

possible array index out of bounds?

Contributor Author

this split length validation is happening at the OAuthAuthenticator so when we hit this method, it should definitely have an array of length 3

@ChamodDamitha ChamodDamitha force-pushed the jwt-authentication branch 2 times, most recently from d92610f to 30dcba2 on August 5, 2019 09:16
@CLAassistant

CLAassistant commented Aug 5, 2019

CLA assistant check
All committers have signed the CLA.

Chamod Samarajeewa added 24 commits August 6, 2019 00:44
…ubscribed API DTO object"

This reverts commit e00305f.
…uth context in JWT validator"

This reverts commit 2a1cf73.
@harsha89 harsha89 merged commit 5ce5e36 into wso2:master Aug 7, 2019
if (StringUtils.countMatches(apiKey, APIConstants.DOT) != 2) {
log.debug("Invalid JWT token. The expected token format is <header.payload.signature>");
throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
"Invalid JWT token");
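Review bot: `StringUtils.countMatches(apiKey, APIConstants.DOT) != 2` guarantees two dots, not three non-empty segments. If the later split uses `String.split` with the default limit, trailing empty strings are discarded, so a value with an empty third segment passes this check, splits into two elements, and the downstream `splitToken[2]` access raises ArrayIndexOutOfBoundsException instead of the intended APISecurityException. Suggest splitting once with `split("\\.", -1)` (or equivalent), checking `length == 3`, and rejecting any empty segment, which also covers the empty-signature shape.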
Contributor

Can't we state the same debug message here as well?
It provides a hint.

Contributor Author

Fixed in #9250

try {
AuthenticationContext authenticationContext = jwtValidator.authenticate(apiKey, synCtx, openAPI);
APISecurityUtils.setAuthenticationContext(synCtx, authenticationContext, securityContextHeader);
log.debug("User is authorized using JWT token to access the resource.");
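Review bot: the message "User is authorized using JWT token to access the resource." is logged right after `jwtValidator.authenticate(...)` returns, i.e. it records authentication, while authorization is decided separately; saying "authenticated" and appending the subject and API identifiers available from `authenticationContext` would make the line accurate and usable for correlating a request across the gateway's logs.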
Contributor

improve the debug log by appending specific information such as user etc

Contributor Author

Fixed in #9250

wso2-jenkins-bot added a commit that referenced this pull request Dec 4, 2023