2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -5,7 +5,7 @@

<groupId>com.uid2</groupId>
<artifactId>uid2-shared</artifactId>
<version>8.1.15</version>
<version>8.1.16-alpha-198-SNAPSHOT</version>
<name>${project.groupId}:${project.artifactId}</name>
<description>Library for all the shared uid2 operations</description>
<url>https://github.com/IABTechLab/uid2docs</url>
Expand Up @@ -65,6 +65,7 @@ private static class AttestationHandler {

public void handle(RoutingContext rc) {
boolean success = false;
boolean isJwtValid = false;

final IAuthorizable profile = AuthMiddleware.getAuthClient(rc);
if (profile instanceof OperatorKey) {
Expand All @@ -85,32 +86,36 @@ public void handle(RoutingContext rc) {
if (jwt != null && !jwt.isBlank()) {
try {
JwtValidationResponse response = jwtService.validateJwt(jwt, this.jwtAudience, this.jwtIssuer);
success = response.getIsValid();
if (success) {
isJwtValid = response.getIsValid();
if (isJwtValid) {
if (!this.roleBasedJwtClaimValidator.hasRequiredRoles(response)) {
success = false;
isJwtValid = false;
LOGGER.info("JWT missing required role. Required roles: {}, JWT Presented Roles: {}, SiteId: {}, Name: {}, Contact: {}", this.roleBasedJwtClaimValidator.getRequiredRoles(), response.getRoles(), operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact());
}

String subject = calculateSubject(operatorKey);
if (!validateSubject(response, subject)) {
success = false;
isJwtValid = false;
LOGGER.info("JWT failed validation of Subject. JWT Presented Roles: {}, SiteId: {}, Name: {}, Contact: {}, JWT Subject: {}, Operator Subject: {}", response.getRoles(), operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact(), response.getSubject(), subject);
}
}
} catch (JwtService.ValidationException e) {
LOGGER.info("Error validating JWT. Attestation validation failed. SiteId: {}, Name: {}, Contact: {}. Error: {}", operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact(), e);
success = false;
}
} else {
if (this.enforceJwt) {
LOGGER.info("JWT is required, but was not received. Attestation validation failed. SiteId: {}, Name: {}, Contact: {}", operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact());
success = false;
}
}
}
}

if (!isJwtValid && this.enforceJwt) {
success = false;
} else if (!isJwtValid && !this.enforceJwt) {
LOGGER.info("JWT validation has failed, but JWTs are not being enforced.");
}

if (success) {
next.handle(rc);
} else {
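Review bot: The new gate `} else if (!isJwtValid && !this.enforceJwt)` turns a presented-but-invalid JWT into a pass-through: before this change `success = response.getIsValid()` rejected a bad signature, wrong audience/issuer, missing role or subject mismatch unconditionally and only the absent-JWT case consulted `enforceJwt`, whereas now all of those (and, it appears, the `ValidationException` path, whose `success = false` is gone) are accepted whenever enforcement is off, leaving `success` at whatever the earlier attestation checks set. If soft mode is meant only to tolerate operators that do not yet send a JWT, keep fail-closed for tokens that are present but fail validation, e.g. record `boolean jwtPresented = jwt != null && !jwt.isBlank();` inside the OperatorKey branch and make the final gate `if (!isJwtValid && (this.enforceJwt || jwtPresented)) { success = false; }`. The fallback `LOGGER.info("JWT validation has failed, but JWTs are not being enforced.")` also fires when no JWT was sent at all and when the profile is not an `OperatorKey`, and unlike the other messages it carries no SiteId/Name/Contact, so it cannot be used to find which operators would break once enforcement is switched on; consider WARN level with the operator identity. `handle` continues outside the hunk.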