Generate RSA-256 keys on dev mode #44272

mcruzdev · 2024-11-02T20:39:25Z

Description

This PR aims to add on DEV mode, to generate a RSA-256 pair key.

It is great for development and test environments, the user just need to set two 3 config properties:

smallrye.jwt.sign.key.location=privateKey.pem
mp.jwt.verify.publickey.location=publicKey.pem
quarkus.smallrye-jwt.generate-sign-keys=true

Status: In progress

Add tests
Add documentation
Improve javadoc
Self review

quarkus-bot · 2024-11-02T20:39:28Z

Thanks for your pull request!

Your pull request does not follow our editorial rules. Could you have a look?

title should preferably start with an uppercase character (if it makes sense!)

_{This message is automatically generated by a bot.}

sberyozkin · 2024-11-03T12:37:40Z

Hey @mcruzdev Thanks for giving it a try, indeed, we'd like to make it easy for quarkus-smalrye-jwt developers to start in devmode...

But what should really be done is that none of those properties should be required in devmode, no any temporary files should be created...

If mp.jwt.verify.publickey is not configured (or any other verification key properties - I can cover this part later), and no smallrye.jwt.sign.key is not configured (or any other signing key properties - I can also cover this part later) then the quarkus-smallrye-jwt devservice build step should generate an RSA key pair, and set those 2 properties to the encoded key values.

The code which will generate tokens using the published private key smallrye.jwt.sign.key has to be written by the user as only the user knows what claims should be added to the token, using a no-arg sign() and we'll also do something interactive in DevUI later as well. but the very first step is to have this key pair accessible via those 2 properties.

@michalvavrik, do you recall which build item can be used to report build time properties ? (smallrye-jwt ones related to keys are currently build time only...)

michalvavrik · 2024-11-03T13:01:45Z

@michalvavrik, do you recall which build item can be used to report build time properties ? (smallrye-jwt ones related to keys are currently build time only...)

If this https://github.com/smallrye/smallrye-jwt/blob/74638c415a0096e1916363e51571e6ed4aecf8d2/implementation/jwt-auth/src/main/java/io/smallrye/jwt/config/JWTAuthContextInfoProvider.java#L219 is the only place where this property is used, then I'd expect returning them from DevServicesResultBuildItem should work. However if you are certain they are build-time properties then I think you need to define your own SmallRye Config source, or maybe use customizer as is done here (but make sure nothing happens when it is not a DEV mode) https://github.com/quarkusio/quarkus/blob/main/core/deployment/src/main/java/io/quarkus/deployment/configuration/BuildTimeConfigBuilderCustomizer.java.

mcruzdev · 2024-11-03T14:33:29Z

Hi @sberyozkin, was necessary to get the properties (*.location) from the user, because I do not know how to change configuration values on build time, I think that config is read-only. I will try the customizer here.

mcruzdev · 2024-11-03T18:57:20Z

Thank you, it works! Now I will continue here...

github-actions · 2024-11-03T20:15:03Z

🎊 PR Preview 98942f6 has been successfully built and deployed to https://quarkus-pr-main-44272-preview.surge.sh/version/main/guides/

Images of blog posts older than 3 months are not available.
Newsletters older than 3 months are not available.

docs/src/main/asciidoc/security-jwt.adoc

.../deployment/src/main/java/io/quarkus/smallrye/jwt/deployment/SmallRyeJwtBuildTimeConfig.java

...ye-jwt/deployment/src/main/java/io/quarkus/smallrye/jwt/deployment/SmallRyeJwtProcessor.java

...-jwt/deployment/src/test/java/io/quarkus/jwt/test/devmode/KeyPairOutOfTheBoxDevModeTest.java

sberyozkin · 2024-11-03T22:21:15Z

Thanks @mcruzdev, IMHO it will be a nice addition, I've left a few comments, but it all is going well, thanks for the effort, and please take your time to address the comments

cescoffier · 2024-11-13T16:34:31Z

...deployment/src/main/java/io/quarkus/smallrye/jwt/deployment/SmallryeJwtDevModeProcessor.java

+
+    private static String getStringKey(Key key) {
+        return Base64.getEncoder()
+                .encodeToString(key.getEncoded());


I don't know that part of the codebase, but is this intended to be a PEM format?
RSA Key needs to use PKCS#1 format.

Hi @cescoffier It is intended to be a PEM format. mp.jwt.verify.publickey uses it, see here.

EDIT: intended to be a base64 encoded key

ok, this is NOT PEM format :-) This is just a base64 encoded key.
If you want PEM format you need the header and footer explaining what's the content (RSA KEY, PRIVATE KEY ...)

cescoffier · 2024-11-14T06:20:43Z

I agree with @FroMage about generating a proper PEM file (Be aware, this is a trap) in the output directory (target or build) so it can be reused between runs and used for both test and dev.

Now, generating a proper PEM file can be tricky because there are several formats: PKCS#1, PKCS#8, PKCS#7., SEC1 (EC)... Also, I learned that PKCS#8 can be encrypted. In this case, I would just pick one (but the runtime would need to support most of them, if not all)

sberyozkin · 2024-11-22T14:31:00Z

Hi @FroMage

But this is for DEV mode and test mode, most people spend time in DEV or test mode than the DEV UI. If they're using cookies (and any web application will use cookies), this will affect them.

Well, our plan is to offer a DevUI support for quarkus-smallrye-jwt users be able to interactively create signed JWTs, and having PEM files generated on the disk and have them staying around after the server is shutdown is unnecessary.
It probably won't even work if we go to the remote DevUI option again...

Also, while quarkus-smallrye-jwt can verify tokens provided as cookie values, most of its cases are about bearer access token verification where a token is generated and submitted - these cases would be supported in dev and test modes.

You say users spent most of their time in devmode, but in devmode one does not cold-stop the server, usually we do it if something goes wrong with the live coding. What is the scenario that you have in mind where a server is cold-stopped when the authenticated user is around ?
These users would get Can't access the server error while the server is down then, which is not a good UX. Having to re-login occasionally (rarely in devmode as cold-stopping the server in devmode should be rare) is the normal operational flow.

mcruzdev · 2024-12-18T21:57:15Z

@FroMage, @sberyozkin any update about this one? We have a direction to follow?

FroMage · 2024-12-19T09:59:56Z

Just rebase on the latest quarkus main and this will pass.

mcruzdev · 2025-01-03T14:34:30Z

Works @FroMage, TY!

FroMage

LGTM, although I'd still prefer this would be stored in a file to survive restarts 🤷

sberyozkin · 2025-01-27T22:12:18Z

I'll try to test this PR soon, thanks @mcruzdev

mcruzdev · 2025-02-03T22:56:53Z

I'll try to test this PR soon, thanks @mcruzdev

Perfect @sberyozkin, I am excited to continue the improvement on devx :)

quarkus-bot · 2025-02-17T15:57:54Z

Status for workflow `Quarkus Documentation CI`

This is the status report for running Quarkus Documentation CI on commit 51d2494.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

quarkus-bot · 2025-02-17T18:10:57Z

Status for workflow `Quarkus CI`

This is the status report for running Quarkus CI on commit 51d2494.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

Flaky tests - Develocity

⚙️ JVM Integration Tests - JDK 17

📦 integration-tests/vertx-http

✖ io.quarkus.it.vertx.RandomTestPortTestCase.testLegacyProperties - History

expected: <Optional[36777]> but was: <Optional.empty> - org.opentest4j.AssertionFailedError

org.opentest4j.AssertionFailedError: expected: <Optional[36777]> but was: <Optional.empty>
	at org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
	at org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
	at org.junit.jupiter.api.AssertEquals.failNotEqual(AssertEquals.java:197)
	at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:182)
	at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:177)
	at org.junit.jupiter.api.Assertions.assertEquals(Assertions.java:1145)
	at io.quarkus.it.vertx.RandomTestPortTestCase.testLegacyProperty(RandomTestPortTestCase.java:75)

⚙️ JVM Integration Tests - JDK 17 Windows

📦 integration-tests/grpc-hibernate

✖ com.example.grpc.hibernate.VertxBlockingRawTest.shouldAdd - History

Condition with Lambda expression in com.example.grpc.hibernate.BlockingRawTestBase was not fulfilled within 30 seconds. - org.awaitility.core.ConditionTimeoutException

org.awaitility.core.ConditionTimeoutException: Condition with Lambda expression in com.example.grpc.hibernate.BlockingRawTestBase was not fulfilled within 30 seconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:26)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1006)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:975)
	at com.example.grpc.hibernate.BlockingRawTestBase.shouldAdd(BlockingRawTestBase.java:59)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)

📦 integration-tests/vertx-http

✖ io.quarkus.it.vertx.RandomTestPortTestCase.testLegacyProperties - History

expected: <Optional[59351]> but was: <Optional.empty> - org.opentest4j.AssertionFailedError

org.opentest4j.AssertionFailedError: expected: <Optional[59351]> but was: <Optional.empty>
	at org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
	at org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
	at org.junit.jupiter.api.AssertEquals.failNotEqual(AssertEquals.java:197)
	at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:182)
	at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:177)
	at org.junit.jupiter.api.Assertions.assertEquals(Assertions.java:1145)
	at io.quarkus.it.vertx.RandomTestPortTestCase.testLegacyProperty(RandomTestPortTestCase.java:75)

⚙️ JVM Integration Tests - JDK 21

📦 integration-tests/vertx-http

✖ io.quarkus.it.vertx.RandomTestPortTestCase.testLegacyProperties - History

expected: <Optional[46499]> but was: <Optional.empty> - org.opentest4j.AssertionFailedError

org.opentest4j.AssertionFailedError: expected: <Optional[46499]> but was: <Optional.empty>
	at org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
	at org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
	at org.junit.jupiter.api.AssertEquals.failNotEqual(AssertEquals.java:197)
	at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:182)
	at org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:177)
	at org.junit.jupiter.api.Assertions.assertEquals(Assertions.java:1145)
	at io.quarkus.it.vertx.RandomTestPortTestCase.testLegacyProperty(RandomTestPortTestCase.java:75)

quarkus-bot bot added the area/smallrye label Nov 2, 2024

quarkus-bot bot added the area/core label Nov 3, 2024

quarkus-bot bot added the area/documentation label Nov 3, 2024