JWT validation logs no error #9251
Comments

Is it for you @sberyozkin?

Hi @FroMage
Oh dear :-). This must be fixed :-). We'll have a look, cheers

Thanks a lot :)

@sberyozkin is this still an issue?

@stuartwdouglas yes, I'll resolve it with the update to smallrye-jwt

@FroMage Hi Stephane, so

OK great, thanks!
I tried to reproduce the JWT guide but inadvertently got a space in my config:

Do you see it? Me neither. It got there while copy pasting it from https://quarkus.io/guides/security-jwt#setting-up-application-properties

As a result, no amount of fiddling on my part with passing a JWT token on my test led to anything other than a 401. I lost hours assuming I generated my token wrong, and only after launching the debugger did I realise that it was validation that was bogus.

`MpJwtValidator` will catch the exception and forward it up in the `Uni`, but there were zero logs shown. In my opinion, when configuration is wrong, which is the case here, because it's pointing at a file that does not exist (not with the space), we should get a SUPER VISIBLE error logged, because it's not the token that is wrong. It's the server config.

Note that I did get a second validation error once I fixed that, because `mp.jwt.verify.issuer` also had a space at the end. Now, as it turns out, unless it's meant to be a valid URI (spec says string or URI, so we can't validate), we can't verify that one because the space is a valid value, but it makes no sense at all. I'd argue that we should just trim those property values to avoid surprises like those, especially if they don't result in logs.

And last, I suggest we add a logging property to JWT to log all token validation failures with the reason they failed. This is super useful for dev.

So, to recap:

- `mp.jwt.verify.publickey.location`, and log if it does not exist
- `quarkus.smallrye-jwt.log.claims.invalid` to log all invalid claims on INFO with why they were invalid.
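As an added illustration (not Quarkus or SmallRye JWT code, and not part of the issue), here is a standalone Java startup check that does what the issue asks for on the configuration side: it trims `mp.jwt.verify.publickey.location` and `mp.jwt.verify.issuer`, warns when whitespace was stripped, and logs a SEVERE error when the public-key file does not resolve, so a misconfigured server is reported as such instead of surfacing as an unexplained 401 on every request. The class name `JwtConfigCheck`, the `Result` type and the sample property values are assumptions; the file lookup is relative to the working directory only, whereas Quarkus also resolves classpath and URL locations, which this check does not model.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;
import java.util.logging.Logger;

/**
 * Hypothetical startup check (not Quarkus or SmallRye JWT code) for the two
 * configuration pitfalls described in the issue: stray whitespace in a property
 * value, and a public-key location that does not exist. It fails loudly at
 * startup rather than letting every request collapse into a silent 401.
 */
public final class JwtConfigCheck {

    private static final Logger LOG = Logger.getLogger(JwtConfigCheck.class.getName());

    /** Outcome of the check, with a human-readable reason when it fails. */
    public static final class Result {
        public final boolean ok;
        public final String reason;

        Result(boolean ok, String reason) {
            this.ok = ok;
            this.reason = reason;
        }
    }

    /** Validates the MP JWT properties the issue mentions. */
    public static Result check(Properties props) {
        String location = trimmed(props, "mp.jwt.verify.publickey.location");
        // The issuer is "string or URI" per the spec, so beyond trimming there is
        // nothing to validate; trimming alone removes the copy-paste surprise.
        trimmed(props, "mp.jwt.verify.issuer");

        if (location == null) {
            return fail("mp.jwt.verify.publickey.location is not set; every token will be rejected");
        }
        // Assumption: a plain file path relative to the working directory.
        Path keyFile = Path.of(location);
        if (!Files.isReadable(keyFile)) {
            return fail("public key file not readable: " + keyFile.toAbsolutePath()
                    + " (server configuration problem, not a bad token)");
        }
        return new Result(true, "ok");
    }

    /** Returns the value with surrounding whitespace removed, warning when any was present. */
    private static String trimmed(Properties props, String key) {
        String raw = props.getProperty(key);
        if (raw == null) {
            return null;
        }
        String clean = raw.trim();
        if (!clean.equals(raw)) {
            // Invisible in an editor, but it changes the path or issuer being compared.
            LOG.warning(key + " had leading/trailing whitespace; using '" + clean + "'");
        }
        return clean;
    }

    private static Result fail(String reason) {
        LOG.severe("JWT configuration invalid: " + reason);
        return new Result(false, reason);
    }

    public static void main(String[] args) {
        // Constructed sample: the trailing space reproduces the issue's copy-paste mistake,
        // and the file name is a placeholder that does not exist on disk.
        Properties bad = new Properties();
        bad.setProperty("mp.jwt.verify.publickey.location", "keys/publicKey.pem ");
        bad.setProperty("mp.jwt.verify.issuer", "https://issuer.example ");
        Result r = check(bad);
        System.out.println(r.ok + " -> " + r.reason);
    }
}
```

Run with `java JwtConfigCheck.java` (Java 11 or later): the two WARNING lines show the trimmed values, and the SEVERE line names the missing key file, which is exactly the distinction between "bad token" and "bad server config" that the issue says is lost today.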