-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TCK Challenge: Tests using URL location make a too restrictive assumption #118
Comments
+1 |
My understanding on the spec is that the first load / key validation needs to happen at deploy time. From the spec: MicroProfile JWT implementations are required to throw a It doesn't make sense to throw a DeploymentException if you load the key after the application is deployed. Anyway, on TomEE we have the same issue. If the key is part of the deployment, we are unable to reach an endpoint before the application is completely deployed. After that point, as I said, it doesn't make sense to throw a DeploymentException. Also, I believe on a proper usage scenario, you will not be exposing the JWK Key on the same application that needs it. So, on the TCK, I think we can easily fix this by adding another Arquillian deployment to expose the key and have the main deployment call it to run the test. Here is how we have done it: I'm happy to submit a PR to the TCK to achieve the same result. |
Yes, agreed. @radcortez Sure, create a PR to fix the test. |
@radcortez Hey Roberto, so please do this PR :-) |
Ops, sorry. I guess I've forgotten about this. I'll put this on my priority list :) |
…om a URL. Signed-off-by: Roberto Cortez <[email protected]>
Ok, here is a fix for it: On the other hand, I've started to think about this and I'm not completely sure if this should be the right behaviour from a spec point of view. While it makes sense to load, validate the key if you have the key locally (file, classpath, etc) and fail the deployment if we are not able to validate, I'm not so sure about this when you load the key from an external resource. It just means that we are adding a hard dependency to the external service on your application startup (it may be down when the application is starting, but up when it actually needs the key). Plus, since there is no definition on when the key should be loaded (implementation can choose), if you defer to be loaded when you actually needed, it doesn't make sense to fail with a DeploymentException. Maybe the spec should be clarified and specify that implementors can choose when the key is loaded. If it is loaded at the application startup and fails validation you throw DeploymentException. If loaded on demand (or after application startup) it fails with some other exception? |
Although the key is only required when validation is required, checking the 'store' at deployment make sense, even if it is an external resource. When application is deployed, it is ready to accept requests and thus key needs to be accessible for validation. So early check is better |
@radcortez @rdebusscher IMHO it should be left up to the given container at what point the external key is available. Given the concerns of the hard dependency expressed by Roberto. We had to add a connection timeout in Quarkus for the OIDC adapter to wait till the OIDC server is up and I would like to avoid
Sounds good to me. |
@rdebusscher It highly depends on your system. I think we cannot make that assumption. Just because I'm deploying an application it doesn't mean I'll be receiving request a few fractions of a seconds later. I could be starting nodes to warm them up and I can have rules to enforce dependencies once I'm ready to receive requests and add the app to a load balancer / expose to the actual clients. What about endpoints that don't require JWT at all? I'm failing my entire deployment and have nothing available because there might be a network glitch and I'm unable to reach my OIDC server. @sberyozkin I like the |
So far the myth of microServices which are independent. The UnresolvableKeyException is then the only option. |
Hi @rdebusscher I'd like to clarify that there is no way I'm going to push our own implementation agenda no matter what, I'll try my best anyway :-) and I look forward to discussing the issues with yourself and others.. Thanks all |
+1 |
If there is a need from the users that failure should only be reported when the endpoints are used, that we should allow for it. But deployment failure is much easier to diagnose and act upon than an exception for a user request which returns a 401 (and is lost in the logs). So basically, users are then shifting their problems to the end-users. |
@rdebusscher A case of the bad log management is not a good reason IMHO not to support the dynamic key acquisition. IMHO there is a good compromise which is being proposed which also works for some key sets which are dynamic in nature |
BTW, my proposal was to throw the exception Yes, I know this might be not the correct behaviour, since 4xx codes are usually things that the user got wrong and can correct with a new request. On the other hand, if we think about a user getting wrong credentials, there is nothing he can do to fix the issue, other than having support from the app team. In this case, is similar. |
Hey, in the end of the day there is a very practical issue is that the HTTPs based location may only be available few seconds later after the MP JWT server starts, and IMHO we just should not introduce this uncertainty into the spec. I appreciate @rdebusscher's concern, but we can try to figure out how to make things obvious. Perhaps indeed for 2.0 we just always throw I'll create a separate issue for |
Sure. |
…om a URL. Signed-off-by: Roberto Cortez <[email protected]>
What about removing the TCK tests I mentioned, and just leave this decision to the implementation? If you still want to use an URL to retrieve the keys, could you please handle it using WireMock or some other way that would be part of the TCK harness? |
Tests
Make an assumption that the application is deployed at the time the JWT handling is configured.
If an implementation configures the JWT Auth handling at startup (as we do) and the key is not available at that time, the startup fails and the application never gets deployed.
The specification does not define WHEN the URL should be reached, whether it can/should be cached etc., so the implementation may choose.
As we follow the "fail fast" principle, we fail if the configuration cannot be completed, thus never deploying the application. As a result these TCK tests cannot be executed, even though the implementation is valid and according to the specification.
The text was updated successfully, but these errors were encountered: