Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version: 8.0.0-M2
Description
The MicroProfile JWT RBAC specification requires that an issuer claim be present in the token and valid. TomEE, in the tested version 8.0.0-M2, is not compliant with MP in this respect.
The specification says exactly:
"The mp.jwt.verify.issuer config property allows for the expected value of the iss claim to be specified. A MicroProfile JWT implementation must verify the iss claim of incoming JWTs is present and matches the configured value of mp.jwt.verify.issuer."
TomEE, however, accepts any issuer in the token if no issuer is specified in its configuration.
The test environment is the demo (attached to this issue), which can be created at https://start.microprofile.io with MicroProfile version MP 2.0, Apache TomEE 8.0.0-M2 as the MP server and JWT Auth from the specification examples, in order to send a request with a JWT in its header. With this setup no accepted issuer is configured, yet any issuer can be set in the JWTClient class and the request still succeeds.
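For reference, the check the quoted specification text calls for, written here as an added example in Python (not code from TomEE or the MicroProfile project): the `iss` claim must be present and equal to the configured `mp.jwt.verify.issuer`, and, as a conservative assumption of this example, a missing configuration rejects every token rather than accepting any issuer. The helper names and the sample claims are constructed for the example.

```python
import base64
import json


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS (header.payload.signature).

    Only the payload segment is decoded; signature verification is assumed
    to happen elsewhere. This function deliberately does no trust decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def issuer_is_valid(claims: dict, configured_issuer) -> bool:
    """Apply the MP JWT rule: `iss` present AND equal to mp.jwt.verify.issuer.

    Fail closed: with no configured issuer there is nothing to match against,
    so the token is rejected (the opposite of the behaviour reported above).
    """
    if configured_issuer is None:
        return False
    iss = claims.get("iss")
    if not isinstance(iss, str):  # absent, or not a string claim
        return False
    return iss == configured_issuer


def build_token(claims: dict) -> str:
    """Construct an UNSIGNED sample token for testing the claim check only.

    The header and the dummy signature are placeholders; a real server must
    verify the signature before looking at any claim.
    """
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder"


if __name__ == "__main__":
    token = build_token({"sub": "alice", "iss": "https://issuer.example"})
    claims = decode_payload(token)
    print(issuer_is_valid(claims, "https://issuer.example"))  # expected: True
    print(issuer_is_valid(claims, None))                      # expected: False
```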