Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Wfcore 5691 bearer token authorization timeout blog #2160

Draft
wants to merge 3 commits into
base: develop
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions _data/authors.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -62,4 +62,8 @@ lvydra:
name: "Lukas Vydra"
emailhash: "963ac51a738ab1ff63a5bbdf6b206417"
bio: "https://github.com/lvydra"
rsearls:
name: "Rebecca Searls"
emailhash: "56c3427d6d9b5d71d2dae59d71cf7002"
bio: "https://github.com/rsearls"

84 changes: 84 additions & 0 deletions _posts/2024-06-21-OAuth2-JWT-Token-Timeout.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
---
layout: post
title: 'OAuth2 and JWT token timeout properties added to WildFly'
date: 2024-mm-dd
tags: OAuth2 JWT token timeout connection-timeout read-timeout
synopsis: Bearer token timeout properties, connection-timeout and read-timeout, have be added to WildFly's Elytron subsystem.
author: rsearls
---

:toc: macro
:toc-title:

toc::[]

Elytron in WildFly 32+ preview version supports two new
optional attributes, `connection-timeout` and `read-timeout`.
These attributes allow the user to control the timeout period
placed on the URL used in obtaining the public key from the OAuth2 or JWT
provider. Both are defined on the token-realm element in the Elytron subsystem.

WildFly uses a default value of 2000 milliseconds for both these
properties. The user need not set these token-realm attributes if
that value is sufficient.

Both parameters are datatype int. The value is in milliseonds.
Only zero or positive integers are allowed. Zero means infinite time.
If the connection time or read time expires during
public key retrieval a warning message is logged and null is returned as
the public key to Elyton's processing code.

=== Example Server Configuration

==== Prerequisites

To run the example you will need the following.

* JDK-17
* Wildfly 33 or newer
* Wildfly quickstart, https://github.com/wildfly/quickstart.git

==== Environment Setup

* cd into `jaxrs-jwt` in the quickstart project. Follow the directions
in the README file upto and including executing the CLI script file,
`configure-elytron.cli`.
* Create file, `config-bearer-timeout.cli` in the jaxrs-jwt directory.
Add the following commands to the file and save it.

```
# append timeout attributes to the jwt element.
/subsystem=elytron/token-realm=jwt-realm:write-attribute(name=jwt.connection-timeout, valu
e=2)
# /subsystem=elytron/token-realm=jwt-realm:write-attribute(name=jwt.read-timeout, value=1)

```

==== Execute command
```
$WILDFLY_HOME/bin/jboss-cli.sh --connect --file=config-bearer-timeout.cli
```

==== Run the example

* Follow the README directions to provision the Wildfly server

* Follow the directions to run the Integration Tests with a provisioned server.
The test will fail.

* Check Wildfly's server.log for the message, "Unable to connect to $THE_URL"
```
$WILDFLY_HOME/standalone/log/server.log
```

== Summary

WildFly uses a default value of 2000 milliseconds (i.e. 2 seconds)
when waiting on a connection to an OAuth2 and JWT provider, and
2000 milliseconds when reading the public key. The user can
fine tune the wait times via the two attributes, `connection-timeout`
and `read-timeout` on the Elytron's token-realm element.

== Resources
* https://docs.wildfly.org/32/wildscribe/subsystem/elytron/token-realm/index.html[token realm]
* https://docs.wildfly.org/32/WildFly_Elytron_Security.html#realms[Elytron security realms]