Update and clarify JWT docs #6964

Closed
dmuelle opened this issue Oct 11, 2023 · 5 comments · Fixed by #7028
Labels: doc bug (Something isn't working), peer reviewed, technical reviewed (An SME reviewed and approved the documentation from a technical perspective)

Comments
dmuelle (Member) commented Oct 11, 2023

for security defect OpenLiberty/open-liberty#26453

Clarify that the expiresInSeconds attribute in jwtBuilder defaults to the value of the expiry attribute if expiresInSeconds is set to a negative value.
Using the configured keystore/key alias to generate a consistent JWK
If customers want keys to be consistent across Liberty servers and/or across server reboots, they can configure the keyStoreRef and keyAlias attributes to point to a specific keypair. The default JWK endpoint provided by Liberty (https://<host_name>:<ssl_port>/jwt/ibm/api/<jwtBuilder_configuration_id>/jwk) will still produce a JWK document but will use the public key pointed to by those configuration attributes to create a JWK representation of the key to send back.
JWK creation and rotation
The keys get recalculated/rotated every 12 hours by default when jwkEnabled="true".
The keys get generated when creating the token, or when the JWK endpoint is invoked (whichever happens first).
The same keys are used for all tokens created by the same JWT builder.
Clarify kid usage

@dmuelle dmuelle added this to the 23.0.0.10 milestone Oct 11, 2023
@dmuelle dmuelle self-assigned this Oct 11, 2023
@dmuelle dmuelle added the doc bug Something isn't working. label Oct 11, 2023
@dmuelle dmuelle modified the milestones: 23.0.0.10, 23.0.0.11 Oct 12, 2023
dmuelle added a commit that referenced this issue Oct 24, 2023
@dmuelle dmuelle mentioned this issue Oct 24, 2023
dmuelle added a commit that referenced this issue Oct 24, 2023
This was referenced Oct 24, 2023
dmuelle added a commit that referenced this issue Oct 25, 2023
@dmuelle dmuelle mentioned this issue Oct 25, 2023
dmuelle (Member, Author) commented Oct 25, 2023

Hi @ayoho - the updated draft is ready for review when you have a chance

https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/json-web-token.html

Let me know what edits are needed. One question I have is whether dynamically produced JWKs produce a JWKS doc. The way the topic is structured now, it's unclear.

@dmuelle dmuelle added the technical reviewed An SME reviewed and approved the documentation from a technical perspective. label Oct 25, 2023
ramkumar-k-9286 (Contributor) commented

Peer Review

Therefore, when you set jwkEnabled to true, any keyStoreRef and keyAlias attributes that are specified in the jwtBuilder element are ignored, as shown in the following example:
->
Therefore, when you set jwkEnabled attribute to true, any keyStoreRef and keyAlias attributes that are specified in the jwtBuilder element are ignored, as shown in the following example:

Q: from what I understood, keyStoreRef and keyAlias are both attributes and that's why it's mentioned once after keyAlias


In this example, the keyStoreRef and keyAlias values are ignored and the dynamically generated JWKs are used instead.
->
In this example, the keyStoreRef and keyAlias attribute values are ignored and the dynamically generated JWKs are used instead.


JWT consumers can retrieve JSON Web Key Set (JWKS) documents to reconstruct public keys to verify token signatures.
->
JWT consumers can retrieve JSON Web Key Set (JWKS) documents to reconstruct public keys and verify token signatures.


To configure Open Liberty to verify token signatures with JWKs, set the jwkEnabled attribute in the jwtConsumer element to true. Also, you must set the jwkEndpointUrl attribute to a URI that provides the JWKS document that contains the public keys to verify the signatures of the tokens that received by this JWT consumer.
->
To configure Open Liberty to verify token signatures with JWKs, set the jwkEnabled attribute in the jwtConsumer element to true. Also, you must set the jwkEndpointUrl attribute to a URI that provides the JWKS document containing the public keys to verify the signatures of the tokens received by this JWT consumer.
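The two builder modes described in the issue body (a keystore-backed keypair for a stable JWK, versus jwkEnabled="true" with dynamically generated and rotated keys) and the jwtConsumer wiring discussed in the peer review above (jwkEnabled plus jwkEndpointUrl) fit in one server.xml. The following fragment is an added example, not configuration from the issue or the Open Liberty docs. The keystore location and password, the key alias "jwtsigner", the issuer URL, the hostname/port and the builder ids are placeholders chosen for this example; the JWK endpoint path follows the pattern quoted in the issue body.

```xml
<server description="Added example: jwtBuilder key sources and a JWK-based jwtConsumer">
    <featureManager>
        <feature>jwt-1.0</feature>
    </featureManager>

    <!-- Placeholder keystore. Location, password and the alias used below are assumptions
         for this example; in a real server they point at a keypair you manage yourself. -->
    <keyStore id="jwtKeyStore"
              location="${server.config.dir}/resources/security/jwt.p12"
              password="changeit" />

    <!-- Builder A: stable keys. keyStoreRef/keyAlias pin the signing keypair, so the
         JWK served at /jwt/ibm/api/stableBuilder/jwk is the same across restarts and
         across every server that holds this keystore (the consistency case in the issue). -->
    <jwtBuilder id="stableBuilder"
                issuer="https://issuer.example.com"
                keyStoreRef="jwtKeyStore"
                keyAlias="jwtsigner"
                expiresInSeconds="3600" />

    <!-- Builder B: dynamic keys. With jwkEnabled="true" any keyStoreRef/keyAlias would be
         ignored, so none are set. Per the issue, the keypair is created on the first token
         build or first call to the JWK endpoint (whichever comes first), is shared by all
         tokens this builder issues, and is rotated every 12 hours by default.
         A negative expiresInSeconds would fall back to the expiry attribute; a positive
         value is used here to keep the lifetime explicit. -->
    <jwtBuilder id="rotatingBuilder"
                issuer="https://issuer.example.com"
                jwkEnabled="true"
                expiresInSeconds="3600" />

    <!-- Consumer for tokens from Builder B. jwkEnabled="true" makes the consumer verify
         signatures with keys from the JWKS document at jwkEndpointUrl instead of a local
         truststore. Host and port are placeholders for the issuing server's SSL endpoint. -->
    <jwtConsumer id="rotatingConsumer"
                 issuer="https://issuer.example.com"
                 jwkEnabled="true"
                 jwkEndpointUrl="https://issuer.example.com:9443/jwt/ibm/api/rotatingBuilder/jwk" />
</server>
```

Two points to keep in mind when using this pattern. The consumer fetches jwkEndpointUrl over TLS, so the consuming server must trust the issuing server's certificate; that is a general requirement of any HTTPS fetch, not something the issue states. And because Builder B rotates its keypair, tokens signed shortly before a rotation may still be in flight: standard JWKS handling (RFC 7517) is to select the verification key by the token's kid, so a JWKS that publishes both the current and the previous key avoids spurious signature failures across the rotation boundary. The issue itself only flags "kid usage" as something the docs should clarify, so check the published docs for how Open Liberty handles that window.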


dmuelle added a commit that referenced this issue Oct 26, 2023
dmuelle (Member, Author) commented Oct 26, 2023

Thanks @ramkumar-k-9286, all suggestions implemented

ramkumar-k-9286 (Contributor) commented

@dmuelle

One thing I just noticed. Under See also

JSON Web Token feature
->
JSON Web Token feature

dmuelle (Member, Author) commented Nov 1, 2023

thanks, fixed
