any extra steps to enable MP-JWT ? or to debug


Mark Anderson

May 16, 2021, 10:03:17 PM
to Payara Forum
I deployed a war which has a suitable embedded microprofile-config.properties which works in OpenLiberty. In payara-micro I see in the output:

[2021-05-16T18:40:51.130-0700] [] [INFO] [] [fish.payara.microprofile.jwtauth.RolesDeclarationInitializer] [tid: _ThreadID=1 _ThreadName=main] [timeMillis: 1621215651130] [levelValue: 800] Initializing MP-JWT 5.2021.3 for context '/my-service'

...

javax.ws.rs.NotAuthorizedException: Authentication not done (i.e. no JWT credential found)
        at fish.payara.microprofile.jwtauth.jaxrs.RolesAllowedRequestFilter.filter(RolesAllowedRequestFilter.java:128)
        at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:108)

Even though I'm definitely sending an HTTP request with a correct "Authorization: Bearer ABCD..."

Is there something else that needs to be configured for it to enable picking the JWT out of the request?
Or to get further debug output to see what is going on?


Mark Anderson

May 17, 2021, 2:01:04 AM
to Payara Forum
Just to follow up on this, it seems that earlier in the output I had the following.

Caused by: java.lang.IllegalArgumentException: Illegal base64 character 2d
        at java.base/java.util.Base64$Decoder.decode0(Base64.java:743)
        at java.base/java.util.Base64$Decoder.decode(Base64.java:535)
        at java.base/java.util.Base64$Decoder.decode(Base64.java:558)
        at fish.payara.microprofile.jwtauth.eesecurity.JwtPublicKeyStore.parseJwks(JwtPublicKeyStore.java:270)
        at fish.payara.microprofile.jwtauth.eesecurity.JwtPublicKeyStore.createPublicKeyFromJWKS(JwtPublicKeyStore.java:247)
        at fish.payara.microprofile.jwtauth.eesecurity.JwtPublicKeyStore.createPublicKey(JwtPublicKeyStore.java:225)

and that in turn seems to be because I was inlining my public key PEM directly into mp.jwt.verify.publickey=-----BEGIN PUBLIC KEY-----MIIBI....

Because the character 2d is the hyphen, I'm guessing the Payara code base is perhaps confusing the fact
that PEM format uses traditional base64 while JWT uses base64url encoding, and they differ in whether the hyphen is allowed.

I switched to using mp.jwt.verify.publickey.location=/my.pem and that didn't work either, even though it is top of my classpath.
Finally this did work: mp.jwt.verify.publickey.location=my.pem
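
An added example (not part of the thread and not Payara's code) that reproduces the decoder error seen in the stack trace above: the basic decoder of java.util.Base64 rejects the '-' (0x2d) in PEM armor, while removing the armor first lets the body decode into a key. The class name, helper names and the key generated at run time are constructed for illustration.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

public class PemVsBase64 {

    // Strip the PEM armor lines and all whitespace, then decode the standard-base64 body.
    static PublicKey parsePemPublicKey(String pem) throws Exception {
        String body = pem
                .replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    // Returns the decoder's error message for the input, or null if it decodes cleanly.
    static String base64Error(String value) {
        try {
            Base64.getDecoder().decode(value);
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key generated here, not the poster's key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        // Single-line PEM, shaped like the inlined property value in the post.
        String inlinePem = "-----BEGIN PUBLIC KEY-----"
                + Base64.getEncoder().encodeToString(pair.getPublic().getEncoded())
                + "-----END PUBLIC KEY-----";

        // Whole PEM string handed to the basic decoder: rejected at the armor hyphens.
        System.out.println("raw PEM       : " + base64Error(inlinePem));
        // Armor removed first: the body decodes and round-trips to the same key bytes.
        PublicKey parsed = parsePemPublicKey(inlinePem);
        System.out.println("armor removed : "
                + Arrays.equals(parsed.getEncoded(), pair.getPublic().getEncoded()));
    }
}
```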
