elytron JWT introspection endpoint


Goran Sustek

Mar 2, 2021, 8:56:01 AM
to WildFly
I noticed that during JWT introspection the introspection endpoint is called two times for only one request! Does anybody know why that is and how to prevent it?

log:
09:03:52,808 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /api for path /api/hello
09:03:52,808 TRACE [org.wildfly.security.http.servlet] (default task-1) Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=true, applicationContext=default-host /api
09:03:52,808 DEBUG [io.undertow.request.security] (default task-1) Security constraints for request /api/hello are [SingleConstraintMatch{emptyRoleSemantic=PERMIT, requiredRoles=[]}]
09:03:52,808 TRACE [org.wildfly.security.http.servlet] (default task-1) No AuthConfigProvider for layer=HttpServlet, appContext=default-host /api
09:03:52,809 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC Unavailable, using HTTP authentication.
09:03:52,809 TRACE [org.wildfly.security] (default task-1) No CachedIdentity to restore.
09:03:52,809 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@39d896cc] for mechanism [BEARER_TOKEN]
09:03:52,809 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='BEARER_TOKEN' host-name='eap-app-dreq-sso.apps.dev-pg.clusters.adcubum.com' protocol='http'
09:03:52,809 TRACE [org.wildfly.security] (default task-1) Evidence verification: evidence = org.wildfly.security.evidence.BearerTokenEvidence@56fced18 evidencePrincipal = null
09:03:52,809 DEBUG [org.wildfly.security] (default task-1) Opening connection to token introspection endpoint [http://rhsso-application-adcubum-syrius.dreq-sso.svc.cluster.local:8080/auth/realms/adcubum-syrius/protocol/openid-connect/token/introspect]
09:03:52,825 DEBUG [org.wildfly.security] (default task-1) Opening connection to token introspection endpoint [http://rhsso-application-adcubum-syrius.dreq-sso.svc.cluster.local:8080/auth/realms/adcubum-syrius/protocol/openid-connect/token/introspect]
09:03:52,827 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [f1testuser] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
09:03:52,828 TRACE [org.wildfly.security] (default task-1) Authorizing principal f1testuser.
09:03:52,829 TRACE [org.wildfly.security] (default task-1) Authorizing against the following attributes: [sub, email_verified, allowed-origins, iss, active, typ, Roles, preferred_username, client_id, aud, acr, realm_access, azp, scope, exp, session_state, iat, jti, username] => [46f5706a-e3c3-401f-8881-6b31c432a95f, false, http://app1.dreq-sso.apps.dev-pg.clusters.adcubum.com, http://syrius-erp-application-server.dreq-sso.apps.dev-pg.clusters.adcubum.com, http://syrius-erp-presentation-server.dreq-sso.apps.dev-pg.clusters.adcubum.com, http://sso-adcubum-syrius.dreq-sso.apps.dev-pg.clusters.adcubum.com/auth/realms/adcubum-syrius, true, Bearer, user, f1testuser, apigateway, apigateway, syrius-erp-presentation-server-oauth2-client, app1, syrius-erp-application-server-oauth2-client, syrius-demoapplication-fbi-bl, 1, {"roles":["user"]}, apigateway, email user profile, 1614701950, 1ff4309c-dba3-4e41-bd53-287a0b4a1697, 1614671950, 429c8d4c-db9d-4dec-acf2-a9643c62be23, f1testuser]
09:03:52,831 TRACE [org.wildfly.security] (default task-1) Permission mapping: identity [f1testuser] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
09:03:52,831 TRACE [org.wildfly.security] (default task-1) Authorization succeed
09:03:52,831 TRACE [org.wildfly.security] (default task-1) Handling AuthorizeCallback: authenticationID = null authorizationID = null authorized = true
09:03:52,831 DEBUG [org.wildfly.security.http.bearer] (default task-1) Token authentication successful.
09:03:52,831 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: succeed
09:03:52,831 TRACE [org.wildfly.security] (default task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=f1testuser, securityDomain=org.wildfly.security.auth.server.SecurityDomain@4ddbe2bf, authorizationIdentity=org.wildfly.security.auth.realm.token.TokenSecurityRealm$TokenRealmIdentity$1@5da1cf01, realmInfo=RealmInfo{name='jwt-realm', securityRealm=org.wildfly.security.auth.realm.token.TokenSecurityRealm@61009232}, creationTime=2021-03-02T09:03:52.827Z}
09:03:52,832 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [f1testuser] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
09:03:52,832 DEBUG [io.undertow.request.security] (default task-1) Authenticated as f1testuser, roles []
09:


configuration:

/opt/eap/bin/jboss-cli.sh --connect 
/subsystem=elytron/token-realm=jwt-realm:add( principal-claim="preferred_username", oauth2-introspection={introspection-url=http://rhsso-application-adcubum-syrius.dreq-sso.svc.cluster.local:8080/auth/realms/adcubum-syrius/protocol/openid-connect/token/introspect, client-id=syrius-erp-application-server-oauth2-client, client-secret=5ced837d-d36d-46fa-bc22-db37afd43d27})
/subsystem=elytron/security-domain=jwt-domain:add(realms=[{realm=jwt-realm,role-decoder=groups-to-roles}], permission-mapper=default-permission-mapper, default-realm=jwt-realm)
/subsystem=elytron/http-authentication-factory=jwt-http-authentication:add(security-domain=jwt-domain, http-server-mechanism-factory=global, mechanism-configurations=[{mechanism-name="BEARER_TOKEN", mechanism-realm-configurations=[{realm-name="jwt-realm"}]}])
/subsystem=undertow/application-security-domain=jwt-domain:add(http-authentication-factory=jwt-http-authentication)
/subsystem=undertow:write-attribute(name=default-security-domain, value="jwt-domain")
shutdown --restart=true
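Added example (not code from the original post and not part of WildFly or Elytron): a small Python script that strips the colour codes from a pasted Elytron TRACE log, groups entries by Undertow worker thread, and counts how many times the token introspection endpoint was contacted between the start of a bearer-token authentication (the "Evidence verification:" line) and its "Token authentication successful." line, flagging every authentication that hit the endpoint more than once. This gives a mechanical way to confirm the duplicate call described above on a given server build. The marker strings are the ones visible in the log above; the sample log lines, the thread names and the introspection URL below are constructed for the example, and the script assumes that one worker thread handles at most one authentication at a time.

```python
"""Count token-introspection calls per bearer-token authentication in an Elytron TRACE log."""
import re

# ANSI colour sequences as the server emits them ("\x1b[32m", "\x1b[0m"). A log pasted
# into a mail or forum post often keeps them with the ESC byte lost ("[32m", "[0m"),
# so the escape byte is optional here.
ANSI_RE = re.compile(r"\x1b?\[[0-9;]*m")

# Layout of one entry: 09:03:52,808 DEBUG [org.wildfly.security] (default task-1) message
ENTRY_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)"
)

# Message fragments taken from the log in the post above.
AUTH_START_MARKER = "Evidence verification:"
INTROSPECTION_MARKER = "Opening connection to token introspection endpoint"
AUTH_END_MARKER = "Token authentication successful"

# Constructed placeholder; the real endpoint lives in the server's token-realm configuration.
INTROSPECT_URL = "http://sso.example.invalid/auth/realms/demo/protocol/openid-connect/token/introspect"

# Constructed sample log: task-1 calls the endpoint twice for one request, task-2 once.
# Line 7 mimics a continuation line that lost its timestamp when the log was pasted.
SAMPLE_LOG = [
    "\x1b[0m \x1b[32m09:03:52,808 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /api for path /api/hello",
    "\x1b[0m09:03:52,809 TRACE [org.wildfly.security] (default task-1) Evidence verification: evidence = org.wildfly.security.evidence.BearerTokenEvidence@1a2b3c evidencePrincipal = null",
    "\x1b[0m \x1b[32m09:03:52,809 DEBUG [org.wildfly.security] (default task-1) Opening connection to token introspection endpoint [" + INTROSPECT_URL + "]",
    "\x1b[0m09:03:52,815 TRACE [org.wildfly.security] (default task-2) Evidence verification: evidence = org.wildfly.security.evidence.BearerTokenEvidence@4d5e6f evidencePrincipal = null",
    "\x1b[0m \x1b[32m09:03:52,816 DEBUG [org.wildfly.security] (default task-2) Opening connection to token introspection endpoint [" + INTROSPECT_URL + "]",
    "\x1b[0m \x1b[32m09:03:52,825 DEBUG [org.wildfly.security] (default task-1) Opening connection to token introspection endpoint [" + INTROSPECT_URL + "]",
    "[org.wildfly.security] (default task-1) Role mapping: principal [f1testuser] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []",
    "\x1b[0m \x1b[32m09:03:52,831 DEBUG [org.wildfly.security.http.bearer] (default task-1) Token authentication successful.",
    "\x1b[0m \x1b[32m09:03:52,832 DEBUG [io.undertow.request.security] (default task-1) Authenticated as f1testuser, roles []",
    "\x1b[0m \x1b[32m09:03:52,834 DEBUG [org.wildfly.security.http.bearer] (default task-2) Token authentication successful.",
]


def strip_ansi(line):
    """Remove colour codes (with or without the ESC byte) and surrounding whitespace."""
    return ANSI_RE.sub("", line).strip()


def parse_entries(lines):
    """Yield a dict per line that matches the Elytron/Undertow log layout; skip the rest."""
    for raw in lines:
        m = ENTRY_RE.match(strip_ansi(raw))
        if m:
            yield m.groupdict()


def introspections_per_auth(lines):
    """Return (thread, start_time, introspection_count) for each completed authentication,
    in the order the authentications completed. State is kept per worker thread, since
    Undertow runs one request's authentication on one thread."""
    open_auths = {}  # thread -> [start_time, introspection_count]
    results = []
    for e in parse_entries(lines):
        thread, msg = e["thread"], e["msg"]
        if msg.startswith(AUTH_START_MARKER):
            open_auths[thread] = [e["time"], 0]
        elif INTROSPECTION_MARKER in msg and thread in open_auths:
            open_auths[thread][1] += 1
        elif msg.startswith(AUTH_END_MARKER) and thread in open_auths:
            start, count = open_auths.pop(thread)
            results.append((thread, start, count))
    return results


def duplicate_introspections(lines):
    """Only the authentications that contacted the introspection endpoint more than once."""
    return [r for r in introspections_per_auth(lines) if r[2] > 1]


def main(lines):
    for thread, start, count in introspections_per_auth(lines):
        flag = "  <-- more than one introspection call" if count > 1 else ""
        print(f"{thread}: authentication started {start}, introspection calls = {count}{flag}")


if __name__ == "__main__":
    import sys
    # Pipe a real server.log in to analyse it; with no input the constructed sample is used.
    main(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin)
```

The script only needs the `org.wildfly.security` and `org.wildfly.security.http.bearer` categories at TRACE/DEBUG, as in the log above; on a build that carries the fix, every completed authentication should report exactly one introspection call, so any entry the script flags is worth a second look.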

dvilkola

Mar 22, 2021, 9:37:52 AM
to WildFly
Yes, this is a bug, thank you for reporting it. It is now resolved; see issues https://issues.redhat.com/browse/WFCORE-5319 and https://issues.redhat.com/browse/ELY-2104.