
LEA should use the issuer which was provided by the config

Open mtwardawski opened this issue 1 year ago • 0 comments

LEA is using a hard-coded String for its issuer to decode tokens. This is not correct.

// opendut-lea/src/components/auth.rs
// Imports the snippet relies on (added here for context; `Claims` is LEA's own claims type):
use jsonwebtoken::{Algorithm, DecodingKey, TokenData, Validation};

pub(crate) fn decode_token(token: &str) -> TokenData<Claims> {
    let mut validation = Validation::new(Algorithm::RS256);
    validation.set_issuer(&["https://keycloak/realms/opendut".to_string()]);  // TODO: get from config
    validation.set_audience(&["account".to_string()]);
    // Signature is not checked here: LEA only reads claims client-side for display.
    validation.insecure_disable_signature_validation();

    // Empty key, since signature validation is disabled above.
    let decoding_key = DecodingKey::from_secret(&[]);

    jsonwebtoken::decode::<Claims>(token, &decoding_key, &validation).expect("failed to decode")
}

Instead of a hard-coded String, the AppConfig offers the issuer as a parameter, which can be used by LEA.

mtwardawski avatar Mar 26 '24 14:03 mtwardawski
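As an added illustration of the change the issue asks for (this is example code, not LEA's or openDuT's own), the block below takes the expected issuer from a configuration struct instead of a literal and compares the token's `iss` claim against it with an exact string match. The `AppConfig` struct with an `issuer_url` field is a hypothetical stand-in for the real AppConfig the issue mentions; the token is a constructed, unsigned sample built in the example itself, and the base64url/JSON handling is deliberately minimal so the block runs with the standard library alone. Like the LEA snippet, it reads claims without verifying a signature and is suitable only for client-side display; unlike the snippet it returns a `Result` rather than panicking, so a token from the wrong realm surfaces as a reportable error.

```rust
// Added example: issuer taken from config, not hard-coded. Not openDuT code.
// `AppConfig::issuer_url` is a hypothetical field mirroring the issue's description.

#[derive(Debug, Clone)]
pub struct AppConfig {
    pub issuer_url: String,
}

#[derive(Debug, PartialEq)]
pub enum TokenError {
    Malformed,
    BadBase64,
    MissingIssuer,
    IssuerMismatch { expected: String, found: String },
}

/// Encode bytes as base64url without padding (used only to build the constructed sample token).
fn base64url_encode(input: &[u8]) -> String {
    const ALPHABET: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let mut out = String::new();
    for chunk in input.chunks(3) {
        let mut buf = [0u8; 3];
        buf[..chunk.len()].copy_from_slice(chunk);
        let n = ((buf[0] as u32) << 16) | ((buf[1] as u32) << 8) | (buf[2] as u32);
        let sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63];
        // 1 input byte -> 2 chars, 2 bytes -> 3 chars, 3 bytes -> 4 chars
        for &idx in &sextets[..chunk.len() + 1] {
            out.push(ALPHABET[idx as usize] as char);
        }
    }
    out
}

/// Decode base64url (RFC 4648 section 5); padding characters are tolerated and ignored.
fn base64url_decode(input: &str) -> Result<Vec<u8>, TokenError> {
    let mut out = Vec::with_capacity(input.len() * 3 / 4);
    let (mut buf, mut bits) = (0u32, 0u32);
    for c in input.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            b'=' => continue,
            _ => return Err(TokenError::BadBase64),
        } as u32;
        buf = (buf << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1;
        }
    }
    Ok(out)
}

/// Pull a top-level string claim out of a flat JSON object (enough for the constructed payload).
fn extract_string_claim(payload: &str, name: &str) -> Option<String> {
    let key = format!("\"{}\"", name);
    let start = payload.find(&key)? + key.len();
    let rest = payload[start..].trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    let end = rest.find('"')?;
    Some(rest[..end].to_string())
}

/// Split `header.payload.signature`, decode the payload and return its `iss` claim.
pub fn issuer_from_token(token: &str) -> Result<String, TokenError> {
    let mut parts = token.split('.');
    let payload = match (parts.next(), parts.next(), parts.next(), parts.next()) {
        (Some(_header), Some(payload), Some(_signature), None) => payload,
        _ => return Err(TokenError::Malformed),
    };
    let json = String::from_utf8(base64url_decode(payload)?).map_err(|_| TokenError::Malformed)?;
    extract_string_claim(&json, "iss").ok_or(TokenError::MissingIssuer)
}

/// The configured issuer must match the claim exactly; a trailing slash is a different issuer.
pub fn check_issuer(token: &str, config: &AppConfig) -> Result<String, TokenError> {
    let found = issuer_from_token(token)?;
    if found != config.issuer_url {
        return Err(TokenError::IssuerMismatch { expected: config.issuer_url.clone(), found });
    }
    Ok(found)
}

/// Constructed, unsigned sample token (alg "none", empty signature) carrying the given issuer.
pub fn sample_token(issuer: &str) -> String {
    let header = r#"{"alg":"none","typ":"JWT"}"#;
    let payload = format!(r#"{{"iss":"{}","aud":"account","sub":"constructed-user"}}"#, issuer);
    format!("{}.{}.", base64url_encode(header.as_bytes()), base64url_encode(payload.as_bytes()))
}

fn main() {
    // Issuer comes from configuration (here a literal standing in for a loaded AppConfig).
    let config = AppConfig { issuer_url: "https://keycloak/realms/opendut".to_string() };
    println!("{:?}", check_issuer(&sample_token("https://keycloak/realms/opendut"), &config));
    println!("{:?}", check_issuer(&sample_token("https://keycloak/realms/opendut/"), &config));
}
```

Swapping the literal for `config.issuer_url` is the whole of the fix the issue asks for; the exact-match comparison is worth keeping in mind when wiring it up, because an issuer string that differs from the Keycloak realm URL by as little as a trailing slash will reject every token.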