From 6dd3ddfe3e09d87dc3b0920943c2bc40003d9bd5 Mon Sep 17 00:00:00 2001 From: Jimmy Wu Date: Wed, 21 Feb 2024 01:38:16 -0500 Subject: [PATCH] runAsServer before signing/verifying jws and encrypting/decrypting jwe --- dev/com.ibm.ws.security.jwt/bnd.bnd | 8 +++++--- .../ibm/ws/security/jwt/internal/ConsumerUtil.java | 6 +++++- .../com/ibm/ws/security/jwt/utils/JweHelper.java | 14 ++++++++++++-- .../com/ibm/ws/security/jwt/utils/JwsSigner.java | 7 +++++-- dev/com.ibm.ws.security.oauth/bnd.bnd | 5 +++-- .../security/oauth20/plugins/jose4j/JwsSigner.java | 6 +++++- .../bnd.bnd | 5 +++-- .../openidconnect/jose4j/Jose4jValidator.java | 8 +++++++- .../ibm/ws/security/openidconnect/token/JWT.java | 10 ++++++++-- .../openidconnect/token/JsonTokenUtil.java | 10 ++++++++-- dev/io.openliberty.security.common.jwt/bnd.bnd | 5 +++-- .../common/jwt/jws/JwsSignatureVerifier.java | 12 +++++++++--- .../bnd.bnd | 5 +++-- .../token/auth/PrivateKeyJwtAuthMethod.java | 10 ++++++++-- 14 files changed, 84 insertions(+), 27 deletions(-) diff --git a/dev/com.ibm.ws.security.jwt/bnd.bnd b/dev/com.ibm.ws.security.jwt/bnd.bnd index 8a38dba0647..db07c921151 100644 --- a/dev/com.ibm.ws.security.jwt/bnd.bnd +++ b/dev/com.ibm.ws.security.jwt/bnd.bnd @@ -1,5 +1,5 @@ #******************************************************************************* -# Copyright (c) 2017, 2023 IBM Corporation and others. +# Copyright (c) 2017, 2024 IBM Corporation and others. # All rights reserved. This program and the accompanying materials # are made available under the terms of the Eclipse Public License 2.0 # which accompanies this distribution, and is available at 
@@ -75,7 +75,8 @@ Import-Package: \ com.ibm.ws.ssl;version="[1.0.0, 2.0)";resolution:=optional, \ com.ibm.ws.security.wim;version="[1.0.0, 2.0)";resolution:=optional, \ com.ibm.wsspi.security.wim.model;version="[1.0.0, 2.0)";resolution:=optional, \ - com.ibm.ws.kernel.productinfo + com.ibm.ws.kernel.productinfo, \ + com.ibm.ws.kernel.security.thread Private-Package: \ com.ibm.ws.security.jwt.internal.*, \ @@ -137,7 +138,8 @@ instrument.classesExcludes: com/ibm/ws/security/jwt/internal/resources/*.class io.openliberty.com.google.gson;version=latest, \ com.ibm.ws.org.osgi.annotation.versioning;version=latest, \ com.ibm.json4j;version=latest, \ - com.ibm.ws.kernel.boot.core;version=latest + com.ibm.ws.kernel.boot.core;version=latest, \ + com.ibm.ws.kernel.security.thread;version=latest -testpath: \ ../build.sharedResources/lib/junit/old/junit.jar;version=file, \ diff --git a/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/internal/ConsumerUtil.java b/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/internal/ConsumerUtil.java index f1563a9fd0b..bd520e59b07 100644 --- a/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/internal/ConsumerUtil.java +++ b/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/internal/ConsumerUtil.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2016, 2023 IBM Corporation and others. + * Copyright (c) 2016, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at 
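Review bot: The new `com.ibm.ws.kernel.security.thread` entry in Import-Package (the `@@ -75` hunk) carries no version range, while the neighbouring imports in that list are pinned to `version="[1.0.0, 2.0)"`; an unversioned OSGi import resolves against whatever exporter is present. The preceding `com.ibm.ws.kernel.productinfo` entry is also bare, so this may be the deliberate convention for kernel packages in this bundle; if not, `com.ibm.ws.kernel.security.thread;version="[1.0.0, 2.0)"` would match the rest of the list. The buildpath additions in the other bnd.bnd hunks follow their neighbours with `version=latest` and need nothing.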
@@ -45,6 +45,7 @@ import com.ibm.websphere.security.jwt.JwtToken; import com.ibm.websphere.security.jwt.KeyException; import com.ibm.websphere.security.jwt.KeyStoreServiceException; +import com.ibm.ws.kernel.security.thread.ThreadIdentityManager; import com.ibm.ws.security.common.crypto.KeyAlgorithmChecker; import com.ibm.ws.security.common.jwk.impl.JwKRetriever; import com.ibm.ws.security.common.time.TimeUtils; @@ -855,6 +856,7 @@ void validateAlgorithm(String requiredAlg, String tokenAlg) throws InvalidTokenE void processJwtContextWithConsumer(JwtConsumer jwtConsumer, JwtContext jwtContext) throws InvalidTokenException, InvalidJwtException { + Object token = ThreadIdentityManager.runAsServer(); try { jwtConsumer.processContext(jwtContext); } catch (InvalidJwtSignatureException e) { @@ -869,6 +871,8 @@ void processJwtContextWithConsumer(JwtConsumer jwtConsumer, JwtContext jwtContex // message throw e; } + } finally { + ThreadIdentityManager.reset(token); } } diff --git a/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/utils/JweHelper.java b/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/utils/JweHelper.java index 88825040796..ff2b34f9211 100644 --- a/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/utils/JweHelper.java +++ b/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/utils/JweHelper.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2020, 2022 IBM Corporation and others. + * Copyright (c) 2020, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at 
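Review bot: Nothing in the `@@ -855` hunk records why `processJwtContextWithConsumer` now switches the thread to the server identity, and the local is named `token` in a method whose subject is a JWT, which invites misreading. A comment above the call would carry the intent, e.g. `// Process the JWT as the server identity; finally restores the caller's thread identity` (the reason, presumably that key access should not happen under the request's synced thread identity, is not stated anywhere in the commit and should be confirmed and added), and a name such as `threadIdentityToken`, which JWT.serializeAndSign already uses, avoids the clash. The same undocumented, identically named wrapper appears in the JweHelper, both JwsSigner classes, Jose4jValidator, JsonTokenUtil, JwsSignatureVerifier and PrivateKeyJwtAuthMethod hunks. The try statement itself continues between the `@@ -855` and `@@ -869` hunks, outside what is shown.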
@@ -32,6 +32,7 @@ import com.ibm.websphere.security.jwt.InvalidTokenException; import com.ibm.websphere.security.jwt.KeyException; import com.ibm.ws.ffdc.annotation.FFDCIgnore; +import com.ibm.ws.kernel.security.thread.ThreadIdentityManager; import com.ibm.ws.security.common.jwk.impl.JwKRetriever; import com.ibm.ws.security.common.jwk.impl.JwkKidBuilder; import com.ibm.ws.security.jwt.config.JwtConfig; @@ -169,7 +170,13 @@ static String getJwePayload(String jweString, @Sensitive Key decryptionKey) thro JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setCompactSerialization(jweString); jwe.setKey(decryptionKey); - String payload = jwe.getPayload(); + String payload = null; + Object token = ThreadIdentityManager.runAsServer(); + try { + payload = jwe.getPayload(); + } finally { + ThreadIdentityManager.reset(token); + } if (isJws(payload)) { verifyContentType(jwe); } @@ -317,10 +324,13 @@ static String getContentEncryptionAlgorithmFromConfig(JwtConfig jwtConfig) { static String getJwtString(JsonWebEncryption jwe) throws JwtTokenException { String jwt = null; + Object token = ThreadIdentityManager.runAsServer(); try { jwt = jwe.getCompactSerialization(); } catch (Exception e) { throw new JwtTokenException(e.getLocalizedMessage(), e); + } finally { + ThreadIdentityManager.reset(token); } return jwt; } diff --git a/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/utils/JwsSigner.java b/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/utils/JwsSigner.java index b12f200851d..71ac8fae4e6 100644 --- a/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/utils/JwsSigner.java +++ b/dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/utils/JwsSigner.java 
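Review bot: In the `@@ -169` hunk `payload` is pre-initialised to `null` only to be assigned inside the try; because that statement has no catch clause, the variable is definitely assigned after the try/finally, so `final String payload;` with `payload = jwe.getPayload();` in the try body expresses the same thing without a nullable intermediate. `getJwtString` in the `@@ -317` hunk had its `jwt = null` form before this change, so that one is pre-existing. Both hunks now carry the same elevate/reset wrapper; a private helper in this class that takes the jose4j call as a lambda would keep the identity reset in one place, if the checked exceptions involved allow it.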
@@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2016 IBM Corporation and others. + * Copyright (c) 2016, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at @@ -20,6 +20,7 @@ import org.jose4j.jwt.JwtClaims; import com.ibm.ws.ffdc.annotation.FFDCIgnore; +import com.ibm.ws.kernel.security.thread.ThreadIdentityManager; import com.ibm.ws.security.jwt.internal.JwtTokenException; /** @@ -85,7 +86,7 @@ public static String getSignedJwt(JwtClaims claims, JwtData jwtData) throws JwtT // payload // of a JsonWebEncryption object and set the cty (Content Type) header // to "jwt". - + Object token = ThreadIdentityManager.runAsServer(); try { jwt = jws.getCompactSerialization(); } catch (Exception e) { @@ -95,6 +96,8 @@ public static String getSignedJwt(JwtClaims claims, JwtData jwtData) throws JwtT // * Tr.formatMessage(tc, // * "JWT_CANNOT_GENERATE_JWT", objs), // */"Can not generate JWT", e); + } finally { + ThreadIdentityManager.reset(token); } // if (tc.isDebugEnabled()) { // Tr.debug(tc, "JWT=", jwt); diff --git a/dev/com.ibm.ws.security.oauth/bnd.bnd b/dev/com.ibm.ws.security.oauth/bnd.bnd index 28556f8bdd1..8e20eee5260 100644 --- a/dev/com.ibm.ws.security.oauth/bnd.bnd +++ b/dev/com.ibm.ws.security.oauth/bnd.bnd @@ -1,5 +1,5 @@ #******************************************************************************* -# Copyright (c) 2019, 2023 IBM Corporation and others. +# Copyright (c) 2019, 2024 IBM Corporation and others. # All rights reserved. This program and the accompanying materials # are made available under the terms of the Eclipse Public License 2.0 # which accompanies this distribution, and is available at 
@@ -145,7 +145,8 @@ Include-Resource: \ com.ibm.ws.org.eclipse.equinox.metatype;version=latest,\ com.ibm.ws.security.jwt;version=latest,\ com.ibm.ws.kernel.boot.core;version=latest,\ - com.ibm.ws.security.sso.common;version=latest + com.ibm.ws.security.sso.common;version=latest,\ + com.ibm.ws.kernel.security.thread;version=latest -testpath: \ ../build.sharedResources/lib/junit/old/junit.jar;version=file, \ diff --git a/dev/com.ibm.ws.security.oauth/src/com/ibm/ws/security/oauth20/plugins/jose4j/JwsSigner.java b/dev/com.ibm.ws.security.oauth/src/com/ibm/ws/security/oauth20/plugins/jose4j/JwsSigner.java index 75da79eda3d..f541ec92d82 100644 --- a/dev/com.ibm.ws.security.oauth/src/com/ibm/ws/security/oauth20/plugins/jose4j/JwsSigner.java +++ b/dev/com.ibm.ws.security.oauth/src/com/ibm/ws/security/oauth20/plugins/jose4j/JwsSigner.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2016 IBM Corporation and others. + * Copyright (c) 2016, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at @@ -22,6 +22,7 @@ import com.ibm.websphere.ras.Tr; import com.ibm.websphere.ras.TraceComponent; import com.ibm.ws.ffdc.annotation.FFDCIgnore; +import com.ibm.ws.kernel.security.thread.ThreadIdentityManager; import com.ibm.ws.security.oauth20.TraceConstants; import com.ibm.ws.webcontainer.security.openidconnect.OidcServerConfig; 
@@ -82,12 +83,15 @@ public static String getSignedJwt(JwtClaims claims, OidcServerConfig oidcServerC // base64url-encoded parts in the form Header.Payload.Signature // If you wanted to encrypt it, you can simply set this jwt as the payload // of a JsonWebEncryption object and set the cty (Content Type) header to "jwt". + Object token = ThreadIdentityManager.runAsServer(); try { jwt = jws.getCompactSerialization(); } catch (Exception e) { Object[] objs = new Object[] { oidcServerConfig.getProviderId(), e.getLocalizedMessage() }; Tr.error(tc, "JWT_CANNOT_GENERATE_JWT", objs); throw new JWTTokenException(Tr.formatMessage(tc, "JWT_CANNOT_GENERATE_JWT", objs), e); + } finally { + ThreadIdentityManager.reset(token); } if (tc.isDebugEnabled()) { Tr.debug(tc, "JWT=", jwt); diff --git a/dev/com.ibm.ws.security.openidconnect.clients.common/bnd.bnd b/dev/com.ibm.ws.security.openidconnect.clients.common/bnd.bnd index 3f281aea354..93b04e24ee7 100644 --- a/dev/com.ibm.ws.security.openidconnect.clients.common/bnd.bnd +++ b/dev/com.ibm.ws.security.openidconnect.clients.common/bnd.bnd @@ -1,5 +1,5 @@ #******************************************************************************* -# Copyright (c) 2018, 2023 IBM Corporation and others. +# Copyright (c) 2018, 2024 IBM Corporation and others. # All rights reserved. This program and the accompanying materials # are made available under the terms of the Eclipse Public License 2.0 # which accompanies this distribution, and is available at @@ -84,7 +84,8 @@ Private-Package: \ com.ibm.ws.config;version=latest,\ io.openliberty.security.oidcclientcore.internal;version=latest,\ io.openliberty.security.common.jwt;version=latest,\ - com.ibm.ws.security.oauth.2.0;version=latest + com.ibm.ws.security.oauth.2.0;version=latest,\ + com.ibm.ws.kernel.security.thread;version=latest -testpath: \ ../build.sharedResources/lib/junit/old/junit.jar;version=file,\ 
diff --git a/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/jose4j/Jose4jValidator.java b/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/jose4j/Jose4jValidator.java index 7d2aa2a23d6..751d79306d3 100644 --- a/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/jose4j/Jose4jValidator.java +++ b/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/jose4j/Jose4jValidator.java @@ -34,6 +34,7 @@ import com.ibm.websphere.ras.Tr; import com.ibm.websphere.ras.TraceComponent; import com.ibm.ws.ffdc.annotation.FFDCIgnore; +import com.ibm.ws.kernel.security.thread.ThreadIdentityManager; import com.ibm.ws.security.openidconnect.backchannellogout.BackchannelLogoutConstants; import com.ibm.ws.security.openidconnect.clients.common.Constants; import com.ibm.ws.security.openidconnect.clients.common.OidcClientRequest; @@ -189,7 +190,7 @@ public JwtClaims parseJwtWithValidation(String jwtString, } JwtConsumer jwtConsumer = builder.build(); - + Object token = ThreadIdentityManager.runAsServer(); try { JwtContext validatedJwtContext = jwtConsumer.process(jwtString); @@ -226,6 +227,8 @@ public JwtClaims parseJwtWithValidation(String jwtString, // otherwise throw original Exception throw e; } + } finally { + ThreadIdentityManager.reset(token); } return jwtClaims; @@ -327,6 +330,7 @@ public JwtClaims validateJwsSignature(JsonWebSignature signature, String jwtStri } JwtConsumer jwtConsumer = builder.build(); + Object token = ThreadIdentityManager.runAsServer(); try { JwtContext validatedJwtContext = jwtConsumer.process(jwtString); return validatedJwtContext.getJwtClaims(); @@ -344,6 +348,8 @@ public JwtClaims validateJwsSignature(JsonWebSignature signature, String jwtStri } else { throw new JWTTokenValidationFailedException(e.getMessage(), e); } + } finally { + ThreadIdentityManager.reset(token); } } 
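Review bot: In `parseJwtWithValidation` the server identity is held for the whole try statement that begins in the `@@ -189` hunk and ends in the `@@ -226` hunk, so everything elided between them, including the entire catch chain, runs elevated even though only `jwtConsumer.process(jwtString)` appears to need it. If the elided body does more than read claims from `validatedJwtContext`, the elevated window should be narrowed to the `process` call by nesting the try/finally inside the existing try/catch, as sketched below. `validateJwsSignature` in the `@@ -327`/`@@ -344` hunks keeps the window tighter already, since its try body is only the process call and `getJwtClaims`. The remainder of the try/catch body is outside the hunks shown here.
```java
try {
    JwtContext validatedJwtContext;
    Object token = ThreadIdentityManager.runAsServer();
    try {
        validatedJwtContext = jwtConsumer.process(jwtString);
    } finally {
        ThreadIdentityManager.reset(token);
    }
    // … unchanged: remainder of the try body and the catch chain …
```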
diff --git a/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/token/JWT.java b/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/token/JWT.java index 51c4a6c8de5..7a0dc73df14 100644 --- a/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/token/JWT.java +++ b/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/token/JWT.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2013, 2023 IBM Corporation and others. + * Copyright (c) 2013, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at @@ -34,6 +34,7 @@ import com.ibm.websphere.ras.annotation.Sensitive; import com.ibm.ws.ffdc.FFDCFilter; import com.ibm.ws.ffdc.annotation.FFDCIgnore; +import com.ibm.ws.kernel.security.thread.ThreadIdentityManager; import com.ibm.ws.security.openidconnect.clients.common.Constants; public class JWT { @@ -360,8 +361,13 @@ private String serializeAndSign(WSJsonToken token) throws InvalidKeyException, U } // todo: did we miss any? jws.setKey(getKey(alg)); // private key - return jws.getCompactSerialization(); + Object threadIdentityToken = ThreadIdentityManager.runAsServer(); + try { + return jws.getCompactSerialization(); + } finally { + ThreadIdentityManager.reset(threadIdentityToken); + } } public String getSignedJWTString() throws SignatureException, InvalidKeyException { diff --git a/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/token/JsonTokenUtil.java b/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/token/JsonTokenUtil.java index f5a727fad7e..c49f4c377a2 100644 
--- a/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/token/JsonTokenUtil.java +++ b/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/token/JsonTokenUtil.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2013, 2022 IBM Corporation and others. + * Copyright (c) 2013, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at @@ -43,6 +43,7 @@ import com.google.gson.stream.JsonToken; import com.ibm.websphere.ras.annotation.Sensitive; import com.ibm.ws.common.encoder.Base64Coder; +import com.ibm.ws.kernel.security.thread.ThreadIdentityManager; /** * Some utility functions for {@link JsonToken}s. @@ -383,7 +384,12 @@ public static void validateTokenString(String tokenString, String alg, @Sensitiv } JwtConsumer secondPassJwtConsumer = secondBuilder.build(); - secondPassJwtConsumer.processContext(jwtContext); + Object token = ThreadIdentityManager.runAsServer(); + try { + secondPassJwtConsumer.processContext(jwtContext); + } finally { + ThreadIdentityManager.reset(token); + } } static Object getJsonPrimitive(JsonPrimitive primitive) { diff --git a/dev/io.openliberty.security.common.jwt/bnd.bnd b/dev/io.openliberty.security.common.jwt/bnd.bnd index 1c712cb7337..5486978fe66 100644 --- a/dev/io.openliberty.security.common.jwt/bnd.bnd +++ b/dev/io.openliberty.security.common.jwt/bnd.bnd 
@@ -1,5 +1,5 @@ #******************************************************************************* -# Copyright (c) 2022, 2023 IBM Corporation and others. +# Copyright (c) 2022, 2024 IBM Corporation and others. # All rights reserved. This program and the accompanying materials # are made available under the terms of the Eclipse Public License 2.0 # which accompanies this distribution, and is available at @@ -42,7 +42,8 @@ Private-Package: \ com.ibm.ws.security.common;version=latest,\ com.ibm.ws.security.common.jsonwebkey;version=latest,\ com.ibm.ws.org.apache.httpcomponents;version=latest,\ - com.ibm.ws.ssl;version=latest + com.ibm.ws.ssl;version=latest, \ + com.ibm.ws.kernel.security.thread;version=latest -testpath: \ ../build.sharedResources/lib/junit/old/junit.jar;version=file,\ diff --git a/dev/io.openliberty.security.common.jwt/src/io/openliberty/security/common/jwt/jws/JwsSignatureVerifier.java b/dev/io.openliberty.security.common.jwt/src/io/openliberty/security/common/jwt/jws/JwsSignatureVerifier.java index 651a3532b9b..84c85da87c7 100644 --- a/dev/io.openliberty.security.common.jwt/src/io/openliberty/security/common/jwt/jws/JwsSignatureVerifier.java +++ b/dev/io.openliberty.security.common.jwt/src/io/openliberty/security/common/jwt/jws/JwsSignatureVerifier.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2022, 2023 IBM Corporation and others. + * Copyright (c) 2022, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at @@ -24,6 +24,7 @@ import com.ibm.websphere.ras.Tr; import com.ibm.websphere.ras.TraceComponent; +import com.ibm.ws.kernel.security.thread.ThreadIdentityManager; import io.openliberty.security.common.jwt.JwtParsingUtils; import io.openliberty.security.common.jwt.exceptions.JwtContextMissingJoseObjects; 
@@ -81,8 +82,13 @@ public JwtClaims validateJwsSignature(JwtContext jwtContext) throws JwtContextMi JwtConsumerBuilder builder = createJwtConsumerBuilderWithConstraints(algHeader); JwtConsumer jwtConsumer = builder.build(); - JwtContext validatedJwtContext = jwtConsumer.process(jwtContext.getJwt()); - return validatedJwtContext.getJwtClaims(); + Object token = ThreadIdentityManager.runAsServer(); + try { + JwtContext validatedJwtContext = jwtConsumer.process(jwtContext.getJwt()); + return validatedJwtContext.getJwtClaims(); + } finally { + ThreadIdentityManager.reset(token); + } } public JwtConsumerBuilder createJwtConsumerBuilderWithConstraints(String algHeader) throws SigningKeyNotSpecifiedException { diff --git a/dev/io.openliberty.security.oidcclientcore.internal/bnd.bnd b/dev/io.openliberty.security.oidcclientcore.internal/bnd.bnd index bf4b8f76ab1..4fe7f1978e6 100644 --- a/dev/io.openliberty.security.oidcclientcore.internal/bnd.bnd +++ b/dev/io.openliberty.security.oidcclientcore.internal/bnd.bnd @@ -1,5 +1,5 @@ #******************************************************************************* -# Copyright (c) 2022, 2023 IBM Corporation and others. +# Copyright (c) 2022, 2024 IBM Corporation and others. # All rights reserved. This program and the accompanying materials # are made available under the terms of the Eclipse Public License 2.0 # which accompanies this distribution, and is available at @@ -61,7 +61,8 @@ Export-Package: \ com.ibm.ws.org.jose4j;version=latest,\ com.ibm.ws.security.common.jsonwebkey;version=latest,\ io.openliberty.security.common.jwt;version=latest,\ - com.ibm.ws.kernel.boot.core;version=latest + com.ibm.ws.kernel.boot.core;version=latest, \ + com.ibm.ws.kernel.security.thread;version=latest -testpath: \ ../build.sharedResources/lib/junit/old/junit.jar;version=file,\ 
diff --git a/dev/io.openliberty.security.oidcclientcore.internal/src/io/openliberty/security/oidcclientcore/token/auth/PrivateKeyJwtAuthMethod.java b/dev/io.openliberty.security.oidcclientcore.internal/src/io/openliberty/security/oidcclientcore/token/auth/PrivateKeyJwtAuthMethod.java index d0ebccdc9b8..780565373f0 100644 --- a/dev/io.openliberty.security.oidcclientcore.internal/src/io/openliberty/security/oidcclientcore/token/auth/PrivateKeyJwtAuthMethod.java +++ b/dev/io.openliberty.security.oidcclientcore.internal/src/io/openliberty/security/oidcclientcore/token/auth/PrivateKeyJwtAuthMethod.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2023 IBM Corporation and others. + * Copyright (c) 2023, 2024 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at @@ -25,6 +25,7 @@ import com.ibm.websphere.ras.TraceComponent; import com.ibm.websphere.ras.annotation.Sensitive; import com.ibm.ws.ffdc.annotation.FFDCIgnore; +import com.ibm.ws.kernel.security.thread.ThreadIdentityManager; import com.ibm.ws.security.common.ssl.SecuritySSLUtils; import com.ibm.ws.ssl.KeyStoreService; @@ -140,7 +141,12 @@ private String getSignedJwt(JwtClaims claims) throws Exception { jws.setKey(clientAssertionSigningKey); jws.setDoKeyValidation(false); - return jws.getCompactSerialization(); + Object token = ThreadIdentityManager.runAsServer(); + try { + return jws.getCompactSerialization(); + } finally { + ThreadIdentityManager.reset(token); + } } @Sensitive