Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor: remove spring security jwt and use nimbus jose #2624

Merged
merged 25 commits into from
Jan 11, 2024
Merged

Refactor: remove spring security jwt and use nimbus jose #2624

merged 25 commits into from
Jan 11, 2024

Conversation

strehle
Copy link
Member

@strehle strehle commented Nov 28, 2023
edited
Loading

Intro:
UAA uses https://github.com/spring-attic/spring-security-oauth
See #2560 , we need to replace it

Replacement with library com.nimbusds:nimbus-jose-jwt see https://github.com/cloudfoundry/uaa/blob/develop/dependencies.gradle#L125
Nimbus in use already for some fixes in past...
Details :
https://connect2id.com/products/nimbus-jose-jwt

There are some incompatibilities with this replacement

  • HMAC signature

    • key type was in UAA always MAC, but standard needs oct. Added workaround in JWK creation
    • key length . The key size must fit to algorithm, e.g. HS256 needs 32 bit key length. Created UaaMacSigner fork to allow old keys
    • JWS header parser. x5c and jwk header had wrong type, use now generic object, because we dont need the keys but we need to parse the header

  • RSA signature

    • for small keys (<2KB) there is a deprecated allow option. Added this to have currently support for old keys. Need to have a solution in general.

  • JWS header processing

  • JWT header was not processed as expected, means a JW header with alg HS256 was verified internally with a RSA key. So signature validation was done on internal configured key and the header from JWT was not really checked. If this happed in past then this is a severe security issue which cannot happen with nimbus. Mentioned it only for completeness

Good news.
UAA allows now ESxxx signature family. The spring library had only support for validation of ES, now we can sign and verify all specified JWS signing algorithms!!!

@cf-gitbot
Copy link

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/186569273

The labels on this github issue will be updated when the story is started.

@strehle strehle added DO NOT MERGE Internal Test or WIP, please DO NOT MERGE and removed unscheduled labels Nov 28, 2023
@strehle strehle linked an issue Nov 28, 2023 that may be closed by this pull request
Spring Security Jwt End of Life #2229
Closed
@strehle strehle added this to the EOL_Removal milestone Nov 28, 2023
strehle added 10 commits November 28, 2023 21:21
@strehle
fixes from non OIDC standard tests
f76d255 
main issue. audience is empty in same cases
tests correct where HS256 can be used to create RS256 signature
HMAC key length corrected
@strehle
Merge branch 'fix/tokenNonStandard' into eol/replaceSpringJwt
20d6831 
# Conflicts:
#	uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java
@strehle
refactoring token to claim parser
a105e63 
Add a legacy signature check for HMAC
@strehle
Merge remote-tracking branch 'origin/develop' into eol/replaceSpringJwt
affc0cc
@strehle
test fix
5d7c941
@strehle
test fixes
96b1cc1
@strehle
sonar fixes
4897c98
@strehle
Merge branch 'develop' of github.com:cloudfoundry/uaa into eol/replac…
6cdf61f 
…eSpringJwt
@strehle
sonar refactorings
f6bed5b
@strehle
Merge branch 'develop' of github.com:cloudfoundry/uaa into eol/replac…
8685f62 
…eSpringJwt
@strehle strehle mentioned this pull request Dec 1, 2023
Closed
@strehle strehle added in_review The PR is currently in review and removed DO NOT MERGE Internal Test or WIP, please DO NOT MERGE labels Dec 1, 2023
@strehle strehle requested a review from a team December 1, 2023 09:01
@Tallicia
Copy link
Contributor

Will this be updated soon to address the merge conflicts?

@strehle
Copy link
Member Author

strehle commented Dec 15, 2023

Will this be updated soon to address the merge conflicts?

Do you see a merge conflict in this PR?

@strehle strehle added this to the EOL_Removal milestone Dec 21, 2023
@strehle strehle requested a review from hsinn0 December 21, 2023 20:15
@strehle strehle removed the in_review The PR is currently in review label Dec 22, 2023
@strehle strehle assigned strehle and unassigned Tallicia Dec 22, 2023
@strehle strehle mentioned this pull request Jan 8, 2024
Closed
Tallicia
Tallicia approved these changes Jan 8, 2024
View reviewed changes
Copy link
Contributor

@Tallicia Tallicia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is quite the PR, In the future if possible to reduce this to smaller segments, that would be fantastic. Though I spent a considerable amount of time, I could have easily spent three times as much to deeply scrutinize, I left comments, and are more for refactoring options following this PR than required as part of this PR.

Overall this is approved, It was good a large majority was duplicated updates and changes and many removals, though the additions require significant deep dives, which I do not feel I completely dove all the way through, but trust based on what I saw and the tests, it was meeting desired objectives.

@Tallicia Tallicia added in progress accepted Accepted the issue labels Jan 8, 2024
Tallicia
Tallicia reviewed Jan 9, 2024
View reviewed changes
model/src/main/java/org/cloudfoundry/identity/uaa/util/UaaStringUtils.java
@@ -49,6 +49,8 @@ public final class UaaStringUtils {

public static final String EMPTY_STRING = "";

public static final String DEFAULT_UAA_URL = "http://localhost:8080/uaa";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, that is a step in the right direction. Following this PR, the port should be defaulted to 8080 with the capability to override.

Tallicia
Tallicia approved these changes Jan 9, 2024
View reviewed changes
Copy link
Contributor

@Tallicia Tallicia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@Tallicia
Copy link
Contributor

Tallicia commented Jan 9, 2024

@strehle The PR is indicating "This branch cannot be rebased due to conflicts" Are you planning to rebase to address whatever conflicts github is referring to?

@strehle
Copy link
Member Author

strehle commented Jan 10, 2024

@strehle The PR is indicating "This branch cannot be rebased due to conflicts" Are you planning to rebase to address whatever conflicts github is referring to?

yes, I would like to release soon (after our meeting) whithout this PR and then I merge and work on further refactorings . .... because of our pipeline hickups I waited here

@strehle strehle merged commit f5c3890 into develop Jan 11, 2024
20 checks passed
@strehle strehle deleted the eol/replaceSpringJwt branch January 11, 2024 22:04
@cf-gitbot cf-gitbot removed in progress accepted Accepted the issue labels Jan 11, 2024
@strehle strehle removed a link to an issue Jan 12, 2024
Spring Security Jwt End of Life #2229
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Tallicia Tallicia Tallicia approved these changes

@tack-sap tack-sap tack-sap approved these changes

@hsinn0 hsinn0 hsinn0 approved these changes

@peterhaochen47 peterhaochen47 Awaiting requested review from peterhaochen47

Assignees

@strehle strehle

Labels
None yet
Projects
Foundational Infrastructure Working Group
Archived in project
Milestone
EOL_Removal
Development

Successfully merging this pull request may close these issues.
5 participants
@strehle @cf-gitbot @Tallicia @tack-sap @hsinn0