Old JWT Tokens being presented to the API #95

Open
vanch3d opened this issue Sep 8, 2023 · 7 comments
Labels
bug Something isn't working
Comments

@vanch3d
Contributor

vanch3d commented Sep 8, 2023

Over a number of weeks I have seen behaviour (seemingly after a CRUD event) where the browser suddenly logs out. There seems to be no obvious reason for this, as the JWT is only a few minutes old.

Today I captured the event in logs where a previously issued JWE was presented to the API and rejected (causing the logout event).

Please see the log attached where a JWT is issued at the start of the session, then on a subsequent operation a previous token is presented.

2023-08-18 16:54:37,739 [pool-29-thread-1] JwtAuthenticationProvider ERROR- jwt validation failed, reason JWT rejected due to invalid signature. Additional details: [[9] Invalid JWS Signature: JsonWebSignature{"kid":"00001","alg":"RS256"}->eyJraWQiOiIwMDAwMSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiJZSkgxaGJ4aFJvZ1VDOHpMZjJfeWdnIiwiaWF0IjoxNjkyMzczODk2LCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5MjM3NTY5NiwibmJmIjoxNjkyMzczNzc2LCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.CPwswyJtkeHvOYWTK9Y6DTcEAA-2QeMKfWB-c80bAZbKmLacDjlcekHJM7L66HI1qG4MH3urWljQa4G0zbNztGoMu9NVp6EIAc_UW4YNSx-ovaFTAZLPyfFYvWtSlDjN84A5CZ2FVeKBTiBaO7QsvQ47_ak5dl4CtLZ_yD2HG01GzvkN9Lhk6046P8cT_SO_Bmsij4F7R1RsZAxa1mBTHAS8eKvexwAMzwWsXsvxha5imHsd14aIX8Poe321R_gZkQnooTRduisYsVxyMVaJZu3GSAfYF2xzxZ9UkwzUM4TTn2JiexVPIDm02m4xqgGu3rxe_4Sosz82Hy--MzY_lA]


2023-08-18 16:54:41,707 [pool-29-thread-2] JwtAuthenticationProvider INFO- Generated JWE 'eyJraWQiOiIwMDAwMSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiIwZmdDX3gzcHJrdHVwbWRLTHhMVUpnIiwiaWF0IjoxNjkyMzc0MDgxLCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5MjM3NTg4MSwibmJmIjoxNjkyMzczOTYxLCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.AtdhBfZiLJxiFmZMtFjmQmUhwMaG31ZklIIOdNrrh94C3w4Pr7v-Rn-k0D7VdlkF-LyamZUUAGIr4JG8Xse9NovKX8vBwvSodTOKv-9JBF5PB4Q3Tj_1GHGSTKXwzz6X2W339y18r0kwQp_hBt_Tl9mSHA4reIoAUJuB4SXfYZvHCoIcbnMqVgdZKt2i_xeCWsjvuB8vlsJ7Dm8EIdDrgJLHIVQhIb4Sv4cx0Lk_umiPAa3Kj7Ufyfg2n7G8zbF_VNnoPQdqmdJd1hpn3AYbnx5HwaplFtv5qafCHC572214UwOKqPx8mSrkvSeBtg08qPmolryavsgGjh5E48G2_w' for principal ApiPrincipal{name='admin', roles=[admin]}

2023-08-18 16:54:50,796 [pool-29-thread-1] JwtAuthenticationProvider ERROR- jwt validation failed, reason JWT rejected due to invalid signature. Additional details: [[9] Invalid JWS Signature: JsonWebSignature{"kid":"00001","alg":"RS256"}->eyJraWQiOiIwMDAwMSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiJZSkgxaGJ4aFJvZ1VDOHpMZjJfeWdnIiwiaWF0IjoxNjkyMzczODk2LCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5MjM3NTY5NiwibmJmIjoxNjkyMzczNzc2LCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.CPwswyJtkeHvOYWTK9Y6DTcEAA-2QeMKfWB-c80bAZbKmLacDjlcekHJM7L66HI1qG4MH3urWljQa4G0zbNztGoMu9NVp6EIAc_UW4YNSx-ovaFTAZLPyfFYvWtSlDjN84A5CZ2FVeKBTiBaO7QsvQ47_ak5dl4CtLZ_yD2HG01GzvkN9Lhk6046P8cT_SO_Bmsij4F7R1RsZAxa1mBTHAS8eKvexwAMzwWsXsvxha5imHsd14aIX8Poe321R_gZkQnooTRduisYsVxyMVaJZu3GSAfYF2xzxZ9UkwzUM4TTn2JiexVPIDm02m4xqgGu3rxe_4Sosz82Hy--MzY_lA]
@vanch3d vanch3d added the bug Something isn't working label Sep 8, 2023
@vanch3d vanch3d self-assigned this Sep 8, 2023
@sfrehse sfrehse added this to the 2023.6 milestone Sep 11, 2023
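As an added triage aid (not code from this issue or from the HiveMQ Edge project): a small parser that reads the two JwtAuthenticationProvider lines above, decodes the header and claims of each token without verifying it, and reports, for every rejection, when the rejected token was minted, its lifetime, whether its jti was issued inside the log window, and whether a newer token for the same subject exists. The regular expressions, the function names and the finding fields are assumptions made for this example; the two log lines are copied verbatim from the comment. The logs call the tokens JWE, but they are three-segment signed tokens (a JWS), which is why the header and claims can be read without any key.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Two lines copied from the backend log in this issue: the rejected token and the one
# generated four seconds later (the second rejection in the log repeats the first token).
LOG_LINES = [
    '2023-08-18 16:54:37,739 [pool-29-thread-1] JwtAuthenticationProvider ERROR- jwt validation failed, reason JWT rejected due to invalid signature. Additional details: [[9] Invalid JWS Signature: JsonWebSignature{"kid":"00001","alg":"RS256"}->eyJraWQiOiIwMDAwMSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiJZSkgxaGJ4aFJvZ1VDOHpMZjJfeWdnIiwiaWF0IjoxNjkyMzczODk2LCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5MjM3NTY5NiwibmJmIjoxNjkyMzczNzc2LCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.CPwswyJtkeHvOYWTK9Y6DTcEAA-2QeMKfWB-c80bAZbKmLacDjlcekHJM7L66HI1qG4MH3urWljQa4G0zbNztGoMu9NVp6EIAc_UW4YNSx-ovaFTAZLPyfFYvWtSlDjN84A5CZ2FVeKBTiBaO7QsvQ47_ak5dl4CtLZ_yD2HG01GzvkN9Lhk6046P8cT_SO_Bmsij4F7R1RsZAxa1mBTHAS8eKvexwAMzwWsXsvxha5imHsd14aIX8Poe321R_gZkQnooTRduisYsVxyMVaJZu3GSAfYF2xzxZ9UkwzUM4TTn2JiexVPIDm02m4xqgGu3rxe_4Sosz82Hy--MzY_lA]',
    "2023-08-18 16:54:41,707 [pool-29-thread-2] JwtAuthenticationProvider INFO- Generated JWE 'eyJraWQiOiIwMDAwMSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiIwZmdDX3gzcHJrdHVwbWRLTHhMVUpnIiwiaWF0IjoxNjkyMzc0MDgxLCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5MjM3NTg4MSwibmJmIjoxNjkyMzczOTYxLCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.AtdhBfZiLJxiFmZMtFjmQmUhwMaG31ZklIIOdNrrh94C3w4Pr7v-Rn-k0D7VdlkF-LyamZUUAGIr4JG8Xse9NovKX8vBwvSodTOKv-9JBF5PB4Q3Tj_1GHGSTKXwzz6X2W339y18r0kwQp_hBt_Tl9mSHA4reIoAUJuB4SXfYZvHCoIcbnMqVgdZKt2i_xeCWsjvuB8vlsJ7Dm8EIdDrgJLHIVQhIb4Sv4cx0Lk_umiPAa3Kj7Ufyfg2n7G8zbF_VNnoPQdqmdJd1hpn3AYbnx5HwaplFtv5qafCHC572214UwOKqPx8mSrkvSeBtg08qPmolryavsgGjh5E48G2_w' for principal ApiPrincipal{name='admin', roles=[admin]}",
]

# Assumed layouts: "<timestamp>,<millis> ... ERROR- <message>" and a three-segment base64url token.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*?\b(ERROR|INFO)\s?- (.*)$")
JWT_RE = re.compile(r"(eyJ[A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)")


def decode_segment(segment: str) -> dict:
    """Base64url-decode one JWT segment (padding restored) and parse it as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def parse_line(line: str):
    """Extract the token event from one JwtAuthenticationProvider line, or None.
    Claims are read without verifying the signature: this is log triage, not authentication."""
    m = LINE_RE.match(line)
    if not m:
        return None
    logged_at, level, message = m.groups()
    t = JWT_RE.search(message)
    if not t:
        return None
    header, claims = decode_segment(t.group(1)), decode_segment(t.group(2))
    if "Generated JWE" in message:
        kind = "issued"
    elif "JWT rejected" in message:
        kind = "rejected"
    else:
        kind = "other"
    return {
        "logged_at": logged_at, "level": level, "kind": kind,
        "kid": header.get("kid"), "alg": header.get("alg"),
        "jti": claims["jti"], "sub": claims.get("sub"),
        "iat": claims["iat"], "nbf": claims.get("nbf", claims["iat"]), "exp": claims["exp"],
    }


def triage(lines) -> list:
    """For every rejection, report when the token was minted, its lifetime, whether it was
    minted inside this log window, and which newer tokens exist for the same subject."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    issued = {e["jti"]: e for e in events if e["kind"] == "issued"}
    findings = []
    for e in events:
        if e["kind"] != "rejected":
            continue
        newer = [i for i in issued.values() if i["sub"] == e["sub"] and i["iat"] > e["iat"]]
        findings.append({
            "jti": e["jti"],
            "logged_at": e["logged_at"],
            "issued_at_utc": datetime.fromtimestamp(e["iat"], tz=timezone.utc).isoformat(),
            "lifetime_s": e["exp"] - e["iat"],
            "minted_in_window": e["jti"] in issued,
            "newer_tokens_same_subject": [n["jti"] for n in newer],
            # Same kid on old and new token: the header alone cannot tell a client the key changed.
            "kid_shared_with_newer": all(n["kid"] == e["kid"] for n in newer) if newer else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(LOG_LINES):
        print(json.dumps(finding, indent=2))
```

For the two lines above the output shows that the rejected token was minted 185 seconds before the freshly generated one, had a 30-minute lifetime (exp - iat = 1800, nbf = iat - 120), was not minted inside this log window, and carries the same kid ("00001") as the new token. Because iat is UTC while the log timestamps carry no zone, the script deliberately compares tokens against each other rather than against the log clock.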
@vanch3d
Contributor Author

vanch3d commented Sep 15, 2023

I have managed to replicate a similar (same?) scenario with the frontend.

I'm tracking the token in the HTTP middleware, both when the request is sent ([dev] Token FVazWA) and when a 401 is returned, triggering a logout ([dev] Token FVazWA (logout)). Only printing the last 6 chars of the token :-)

[Image]

What's happening is this:

  • Operations as usual, request being sent successfully (white) with the current token (FVazWA)
  • At some point the backend is shut down.
  • The following requests all fail (in red, (failed) net::ERR_CONNECTION_REFUSED)
  • The frontend is still operational, waiting for the connection to re-establish
  • The backend is restarted
  • The next request is this time successful, but still using the current token (no reason to clean it)
  • The backend doesn't accept the token, and returns a 401
  • The frontend logs the user out ([dev] Token FVazWA (logout)) and the token is cleaned up ([dev] Token undefined)
  • The frontend is now on the login page, waiting for re-authentication

The backend logs the following item:

2023-09-15 12:28:12,752 ERROR - jwt validation failed, reason JWT rejected due to invalid signature. Additional details: [[9] Invalid JWS Signature: JsonWebSignature{"kid":"00001","alg":"RS256"}->eyJraWQiOiIwMDAwMSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiI4X0hJd1ZneGx0ZExtQWQtTDZnbkxnIiwiaWF0IjoxNjk0Nzc3MjcwLCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5NDc3OTA3MCwibmJmIjoxNjk0Nzc3MTUwLCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.ju6gCAsIIBqbLJ_y-0seTMABoa98ANe9n2zhTvC6jSEAPa1Wr-8ogjCFRP22CJAQLImrCXGlF0kM7kINK3bnBMbKobxnDUum7Cn4Oq_E4TO4LTCrOLBGQaM56YNAJcPiAoWyWwWRcCLyLZUwIWOC6AVbuAr4-XJ5q_9icdYkxgjJzO9vG2LqkkR33sU6JrjHGAwlGt62ImwNo6k3FWe9zVUI2bvVDwZA_YYLE5AHj4NHrE7p7FF-4kPd5t27Z6239xu5oyRb8DDXF3IqF_Bqf4s6BNOb9ARRvbP6hPY17leRD8o9V6JtoASwxAuB5QbtxznVT_6hc3_CZeJqFVazWA]

Clearly not recognising the current token as valid.

The above scenario seems totally correct to me: there is no reason to indicate that the current token in store in the front is in any way invalid.

What happens to the backend JWT Provider when the system is shut down? I'm obviously expecting a loss of persistence (in memory storage?) so not surprised if I'm forced out at restart.

But what happens during the scenarios we have seen, where there was clearly no backend shutdown? Is there any case where the JWT Provider might lose its persistent state?

@sfrehse
Contributor

sfrehse commented Sep 15, 2023

Thanks for the analysis. The backend shouldn't be required to store the token.

@vanch3d
Contributor Author

vanch3d commented Sep 15, 2023

The backend error message states that jwt validation failed, reason JWT rejected due to invalid signature

The payload is okay since it hasn't changed and the token is still before the expiry time (I've decoded it and checked the iat and exp properties)

So maybe the backend JWT provider doesn't recognise the signature since the private or public key has changed due to the restart? If that's the case, could it also happen during a "normal" session?

@vanch3d
Contributor Author

vanch3d commented Sep 15, 2023

Incidentally, the frontend, thanks to React Query caching, is behaving pretty well when the network is down, but there are way too many operations that should not be available and not nearly enough feedback to the user notifying them about the downtime.

@simon622
Collaborator

JWE Tokens are only valid in the runtime that generated them, and they will NOT survive a restart since we have no persistence. The observed behaviour of the API is functionally correct. In this instance, the correct API or UI behaviour would be to observe the 401 and regenerate a token (based on a fresh login).
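As an added illustration (not code from the HiveMQ Edge project) of the point made in this comment and of the earlier question about a key change on restart: a toy provider whose signing key is created in process memory at start-up and never persisted. It uses HS256 with a random secret, an assumption made so the example runs on the Python standard library, in place of the RS256 key pair the logs show; the restart effect is the same because in both cases the verifying key is created fresh when the process starts. The class and function names are made up for the example, while kid, iss, aud and the claim set are copied from the logged tokens, and the 1800 s lifetime and 120 s nbf skew match what the logged iat/exp/nbf claims decode to.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(segment: str) -> bytes:
    """Inverse of b64url: restore the padding the JWT encoding strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


class InMemoryJwtProvider:
    """Toy model of a backend whose signing key lives only in process memory.

    Assumption: HS256 with a random 256-bit secret stands in for the RS256 key pair
    seen in the issue's logs so that this runs on the standard library alone. The
    restart behaviour is identical: the key is generated at start-up and never stored,
    so a restarted process cannot verify tokens an earlier process signed.
    """

    def __init__(self, lifetime_s: int = 1800, nbf_skew_s: int = 120):
        self.secret = secrets.token_bytes(32)  # fresh key on every process start
        self.lifetime_s = lifetime_s
        self.nbf_skew_s = nbf_skew_s
        # The logged tokens carry kid "00001" both before and after the restart, so the
        # header alone does not tell a client that the key behind that kid changed.
        self.header = b64url(json.dumps({"kid": "00001", "alg": "HS256"}, separators=(",", ":")).encode())

    def _sign(self, signing_input: bytes) -> bytes:
        return hmac.new(self.secret, signing_input, hashlib.sha256).digest()

    def issue(self, sub: str, roles: list, now: int) -> str:
        """Mint a token with the claim layout of the logged tokens (iss/aud copied from them)."""
        claims = {"jti": secrets.token_urlsafe(16), "iat": now, "aud": "HiveMQ-Edge-Api",
                  "iss": "HiveMQ-Edge", "exp": now + self.lifetime_s, "nbf": now - self.nbf_skew_s,
                  "sub": sub, "roles": roles}
        payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
        signing_input = f"{self.header}.{payload}".encode("ascii")
        return f"{self.header}.{payload}.{b64url(self._sign(signing_input))}"

    def verify(self, token: str, now: int) -> str:
        """Return 'ok' or the first failing check. The signature is checked before any
        claim, which is why the logged rejection reads 'invalid signature' although the
        token's nbf/exp window was still open."""
        try:
            header, payload, signature = token.split(".")
        except ValueError:
            return "malformed"
        expected = self._sign(f"{header}.{payload}".encode("ascii"))
        if not hmac.compare_digest(expected, unb64url(signature)):
            return "invalid signature"
        claims = json.loads(unb64url(payload))
        if now < claims["nbf"]:
            return "not yet valid"
        if now >= claims["exp"]:
            return "expired"
        return "ok"


def simulate_restart(now: int = 1694777270) -> tuple:
    """Issue a token, verify it, replace the provider as a restart would, verify again."""
    backend = InMemoryJwtProvider()
    token = backend.issue("admin", ["admin"], now)
    before = backend.verify(token, now + 5)
    backend = InMemoryJwtProvider()  # restart: new process, new in-memory key
    after = backend.verify(token, now + 22)  # claims unchanged and far from expiry
    return before, after


if __name__ == "__main__":
    print(simulate_restart())  # ('ok', 'invalid signature')
```

The client-side consequence follows from the verify order: a token that decodes cleanly and sits inside its nbf/exp window can still be rejected on signature, so the frontend cannot decide from the token's own claims whether it is still good; only the server's 401 tells it, and the right reaction to that 401 is to discard the token and re-authenticate rather than retry with it.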

@simon622
Collaborator

Question - "... So maybe the backend JWT provider doesn't recognise the signature since the private or public key has changed due to the restart? If that's the case, could it also happen during a "normal" session?"

It wouldn't be "normal" for this to occur during a session, however, we need to allow for the fact that the presented JWT could be considered invalid at any point by the API server for any number of reasons.

@simon622
Collaborator

Descoping for .6 release since the issue is still not clear. Can be rescoped for .7 with addition of the re-issuance filter.

@simon622 simon622 modified the milestones: 2023.6, 2023.7, 2023.8 Sep 25, 2023