I'm trying to make an endpoint where it's possible for the user to refresh an expired JWT token, but even though the api/auth/refresh route is not secured (it has no @RolesAllowed or @Authenticated annotation), SmallRye JWT still prevents the invalid token from getting to the resource to be refreshed.
@POST
My authService service checks whether this token has been refreshed for more than 2 weeks; if not, it refreshes the token, otherwise it returns 401 and the user has to log in again. The problem is that by the time the token is sent, even before reaching the method I showed, SmallRye already returns 401 directly because the token is expired. I think that if the route is public, the user doesn't need to be logged in to access it, so this shouldn't happen.
How could I make the refresh route allow expired tokens correctly?
--
You received this message because you are subscribed to the Google Groups "SmallRye" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smallrye+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/smallrye/15395752-3cdf-4aa2-ab47-898100b5091bn%40googlegroups.com.
- https://quarkusio.zulipchat.com/#narrow/stream/187030-users/topic/SmallRye.20refresh.20an.20expired.20JWT

Hi again Sergey!

Jeez, only you to help me! haha. I asked the same question in both the Quarkus chat on Zulip and StackOverflow, and so far nothing.
Your tip to remove proactive authentication was the solution! Thank you very much!

But now securityContext.getUserPrincipal() returns null, probably because token validation is no longer being performed, so I used the @HeaderParam("Authorization") annotation to get the encoded token as text.

To decode this token I then used io.smallrye.jwt.auth.principal.JWTParser, but it again throws a ParseException saying the token is no longer valid, which will always happen since I'm trying to refresh expired tokens.

Then I tried using jose4j's JwtConsumerBuilder class and disabling expiration validation, but this option does not exist; the only disabling methods are setSkipSignatureVerification(), setSkipAllValidators(), setSkipAllDefaultValidators(), setSkipVerificationKeyResolutionOnNone() and setSkipDefaultAudienceValidation(). None of them help me, and if I disable all validation, then my system will accept spoofed tokens.

For now, I'm using JwtConsumerBuilder().setAllowedClockSkewInSeconds(Integer.MAX_VALUE), so it won't say that the token is expired as there is no longer an expiration time limit, but it looks like a hack.

Do you think I should ask the library maintainers to include an option not to validate the expiration date?
Thank you so much for everything! You were the only one who helped me so far!
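One way to do what the second message is after, namely parse an expired token on the refresh route while still verifying its signature, its algorithm, its issuer and its audience, is to let jose4j skip only its default validators and register a custom validator that re-adds the checks a refresh endpoint still needs. The following is an added example written for this page in Java against the jose4j API; it is not code from the thread, from SmallRye JWT or from Quarkus. The class and method names, the RS256 pin, and the policy of measuring a two-week refresh window from the token's iat claim are assumptions made for the example.

```java
import java.security.Key;
import java.util.List;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwt.consumer.Validator;

/**
 * Parses a possibly expired JWT for a refresh endpoint. The signature is still
 * verified and the algorithm is pinned; only jose4j's built-in exp/nbf check is
 * replaced by a refresh-window check. Class and field names are assumptions for
 * this example, not part of SmallRye JWT or jose4j.
 */
public final class RefreshTokenParser {

    /** Assumed policy: a token may be refreshed for at most two weeks after it was issued. */
    static final long REFRESH_WINDOW_SECS = 14L * 24 * 60 * 60;

    private final JwtConsumer consumer;

    public RefreshTokenParser(Key verificationKey, String expectedIssuer, String expectedAudience) {
        this.consumer = new JwtConsumerBuilder()
                // Signature verification stays on; never call setSkipSignatureVerification() here.
                .setVerificationKey(verificationKey)
                // Pin the algorithm so "alg":"none" or an HMAC downgrade is rejected.
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.PERMIT,
                        AlgorithmIdentifiers.RSA_USING_SHA256))
                // Drop the default validators (this is what removes the exp check) ...
                .setSkipAllDefaultValidators()
                // ... and re-add the ones a refresh endpoint still needs.
                .registerValidator(new RefreshClaimsValidator(expectedIssuer, expectedAudience))
                .build();
    }

    /** Returns the verified claims, or throws InvalidJwtException if the token must not be refreshed. */
    public JwtClaims parseForRefresh(String token) throws InvalidJwtException {
        return consumer.processToClaims(token);
    }

    /**
     * Re-checks iss, aud and sub (those checks are lost with setSkipAllDefaultValidators)
     * and enforces the refresh window from iat instead of rejecting on exp.
     */
    static final class RefreshClaimsValidator implements Validator {
        private final String expectedIssuer;
        private final String expectedAudience;

        RefreshClaimsValidator(String expectedIssuer, String expectedAudience) {
            this.expectedIssuer = expectedIssuer;
            this.expectedAudience = expectedAudience;
        }

        /** jose4j contract: return null when the token is acceptable, otherwise a failure description. */
        @Override
        public String validate(JwtContext ctx) throws MalformedClaimException {
            JwtClaims claims = ctx.getJwtClaims();

            if (!expectedIssuer.equals(claims.getIssuer())) {
                return "unexpected issuer";
            }
            List<String> audience = claims.getAudience();
            if (audience == null || !audience.contains(expectedAudience)) {
                return "unexpected audience";
            }
            if (claims.getSubject() == null) {
                return "missing sub";
            }
            NumericDate exp = claims.getExpirationTime();
            NumericDate iat = claims.getIssuedAt();
            if (exp == null || iat == null) {
                return "exp and iat are required";
            }

            long now = NumericDate.now().getValue();
            if (iat.getValue() > now + 60) {
                // Small allowance for clock skew between issuer and this service (assumed value).
                return "iat is in the future";
            }
            // The token may be expired, but it must not be older than the refresh window.
            if (now - iat.getValue() > REFRESH_WINDOW_SECS) {
                return "token is outside the refresh window; the user must log in again";
            }
            return null;
        }
    }
}
```

In the resource method, pass the value taken from the Authorization header (without the "Bearer " prefix) to parseForRefresh and map InvalidJwtException to a 401, which is the same outcome the thread's authService produces when the window has passed. Two points worth keeping in mind with this pattern: once setSkipAllDefaultValidators() is used, setExpectedIssuer and setExpectedAudience on the builder no longer do anything, so every claim you still care about has to be checked in the registered validator; and a refresh endpoint built this way accepts any correctly signed token inside the window, so if you need to honour logout or compromise you also have to check the jti (or the subject) against a revocation store. If the intended policy is "expired less than N ago" rather than "issued less than N ago", compare now against exp.getValue() instead of iat.getValue().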