[bugfix] Try Downgrading JWT libraries as a short term fix for JWT Token Verification Issue: Public Key Size Limitation #114
Comments
akhilkh2000 added a commit that referenced this issue on Apr 20, 2024
MehulKChaudhari pushed a commit to MehulKChaudhari/skill-tree-backend that referenced this issue on May 9, 2024
…Public Key Size limitation issue (Real-Dev-Squad#115)
prakashchoudhary07 added a commit that referenced this issue on May 22, 2024
* added workflow to deploy to ecs * add aws region * add env * fix secret variable name * fix dockerfile path * make mvn executable * fix path dockerfile * fix target path * fix: cluster same * login docker seprately * update aws region * add new cluster * fix cluster name * change cluster name * fix secrets * add workflow file * add env while building * fix image name * add image repo URI in secrets * fix dockerfile path * add workflow file * fix CI to run push * temp: fix to check if deployment works * add deploy to ec2 back * fix ECR public login * fix ECR public URI * fix ecr login command * fix login command * fix dockerfile * fix docker push command * fix tag and push * fix ecr login * fix aws login * fix aws region * fix ecr-public login region * deploy to ec2 * Update deploy-to-ec2.yml * check UI is working or not * fix: broken change * change the action runner * change branch for testing. * instead of script add steps * update readme and tokens for integration test (#104) * update readme * Update README.md Co-authored-by: Satyam Bajpai <[email protected]> * Update README.md Co-authored-by: Satyam Bajpai <[email protected]> * Update README.md Co-authored-by: Satyam Bajpai <[email protected]> * update auth link * update tokens * format code * update public key * update public key * update tokens * fix readme * Update README.md Co-authored-by: Akhil Khubchandani <[email protected]> * address review comments --------- Co-authored-by: Satyam Bajpai <[email protected]> Co-authored-by: Akhil Khubchandani <[email protected]> * (#114)-Downgrading JWT Libraries as short-term fix for Public Key Size limitation issue (#115) * Adding integration tests for endorsement service (#107) * Added integration tests for endorsement service * Added test suite for integration tests * testing separation of unit and integration ci and pomxml * Addressed review comments and added build step in CI * Fix API contract and added pagination assertions to integration tests * Fixing typos 
and addressing review comments * Addressed review comments * Addressed review comments * Addressed review comments --------- Co-authored-by: akhil <[email protected]> * added implementation for V1 search endorsements based on dummy data * Enabled Unit and Integration tests, Auth whitelist for /v1/endorsements * Formatting fixed * Put dummyData implementation behind dummyData=true feature flag, old flow kept intact, tests updated * formatting fixed * pass public key as env variable * fix: remove extra space * add api v1 prefix and data source version * fix: command format * fix: remove extra env * fix: change branch name --------- Co-authored-by: Achintya Chatterjee <[email protected]> Co-authored-by: Prakash Choudhary <[email protected]> Co-authored-by: Amit Prakash <[email protected]> Co-authored-by: Bhavika Tibrewal <[email protected]> Co-authored-by: Satyam Bajpai <[email protected]> Co-authored-by: Akhil Khubchandani <[email protected]> Co-authored-by: Chethan <[email protected]> Co-authored-by: akhil <[email protected]>
Issue Description
In skill-tree backend, we use the io.jsonwebtoken/jjwt-api (version 0.11.2) package for verifying JWT tokens. It does not allow 1024-bit public keys to be used (in line with the RFC), which is why we are unable to verify the token generated by “website-backend”.
Will try downgrading the package to a lower version which supports 1024-bit keys.
More details - https://docs.google.com/document/d/1LGR3aXfj91dub4ZZaFY4oAVMZLliZZ3hmDPDcfFGYjo/edit
Expected Behavior
After downgrading the packages, the Auth protected APIs should start working with the token generated using the public key used in website-backend (1024 bits).
Current Behavior
Verification of the token fails, as 1024-bit public keys are not supported by the JWT package used in skill-tree (this is in line with the latest RFC).
Screenshots
(io.jsonwebtoken.security.WeakKeyException)
Reproducibility
Steps to Reproduce
{ "message": "The access token provided is expired, revoked, malformed, or invalid for other reasons." }
You can also verify the public key size exception (io.jsonwebtoken.security.WeakKeyException) message by checking the logs of the environment you are testing in.
Severity/Priority
Additional Information
Checklist
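A check for the key-size condition this issue describes, as an added example that is not part of the issue or of the skill-tree code: it measures the RSA modulus of a PEM public key against the 2048-bit minimum that RFC 7518 section 3.3 sets for RS256/RS384/RS512. The class and method names are hypothetical, the key is assumed to be an X.509 "PUBLIC KEY" PEM block, and the sample keys are generated in-process as constructed input.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

// Hypothetical helper, not part of skill-tree-backend or jjwt.
public class RsaKeySizeCheck {
    // RFC 7518 section 3.3: keys used with RS256/RS384/RS512 MUST be 2048 bits or larger.
    static final int MIN_RSA_BITS = 2048;

    /** Parses an X.509 "PUBLIC KEY" PEM block and returns the RSA modulus size in bits. */
    static int rsaModulusBits(String pem) throws Exception {
        String b64 = pem.replaceAll("-----(BEGIN|END) PUBLIC KEY-----", "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        PublicKey key = KeyFactory.getInstance("RSA")
                                  .generatePublic(new X509EncodedKeySpec(der));
        return ((RSAPublicKey) key).getModulus().bitLength();
    }

    /** True when the key is large enough for RSA-signed JWTs under RFC 7518. */
    static boolean meetsJwaMinimum(String pem) throws Exception {
        return rsaModulusBits(pem) >= MIN_RSA_BITS;
    }

    /** Constructed sample input: a freshly generated public key of the given size, PEM-encoded. */
    static String samplePem(int bits) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits);
        byte[] der = gen.generateKeyPair().getPublic().getEncoded();
        return "-----BEGIN PUBLIC KEY-----\n"
             + Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(der)
             + "\n-----END PUBLIC KEY-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Compare a 1024-bit key (the size named in the issue) with a 2048-bit key.
        for (int bits : new int[] {1024, 2048}) {
            String pem = samplePem(bits);
            System.out.printf("requested=%d modulus=%d meetsMinimum=%b%n",
                    bits, rsaModulusBits(pem), meetsJwaMinimum(pem));
        }
    }
}
```

Running the same check against the deployed verification key at service start-up surfaces an undersized key as a configuration error instead of a generic invalid-token response.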