Skip to content

Lower JWKS static-key fallback logs from WARN to INFO#6264

Open
mvanhorn wants to merge 1 commit into
opensearch-project:mainfrom
mvanhorn:fix/6104-jwks-warn-to-info
Open

Lower JWKS static-key fallback logs from WARN to INFO#6264
mvanhorn wants to merge 1 commit into
opensearch-project:mainfrom
mvanhorn:fix/6104-jwks-warn-to-info

Conversation

@mvanhorn

Copy link
Copy Markdown

Description

  • Category: Bug fix
  • Why these changes are required?

When a JWT auth domain is configured with a static signing_key instead of a jwks_uri, HTTPJwtKeyByJWKSAuthenticator logged two WARN messages on every startup ("jwks_uri is not configured, falling back to static JWT authentication" and "jwks_uri is not configured, will use static JWT authentication fallback"). Static-key JWT is a fully supported, intentional configuration, so warning-level logging is noisy and misleading. As confirmed on the issue, these should be INFO-level messages.

  • What is the old behavior before changes and new behavior after changes?

Old behavior: the two static-key messages were logged at WARN in HTTPJwtKeyByJWKSAuthenticator (the constructor and initKeyProvider). New behavior: both are logged at INFO. No control flow or authentication behavior is changed.

Issues Resolved

Fixes #6104

Testing

Added testStaticFallbackIsLoggedAtInfoNotWarn in HTTPJwtKeyByJWKSAuthenticatorTest, which attaches a mock appender to the authenticator's logger, constructs the authenticator with a static signing_key and no jwks_uri, and asserts the "jwks_uri is not configured" message is emitted at INFO. The existing JWKS and static-fallback tests continue to cover authentication behavior. The targeted Gradle test could not be run locally because no Java runtime is available in this environment.

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

When a JWT auth domain is configured with a static signing_key instead of
a jwks_uri, HTTPJwtKeyByJWKSAuthenticator logged two WARN messages on
startup even though static-key JWT is a supported configuration. Lower
both messages to INFO and add a unit test asserting the level.

Fixes opensearch-project#6104

Signed-off-by: Matt Van Horn <mvanhorn@gmail.com>
@github-actions

Copy link
Copy Markdown
Contributor

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 65734e4.

PathLineSeverityDescription
src/main/java/org/opensearch/security/auth/http/jwt/keybyjwks/HTTPJwtKeyByJWKSAuthenticator.java75lowTwo log statements are downgraded from WARN to INFO for the security-relevant fallback condition where jwks_uri is not configured. JWKS-based verification is the stronger authentication path; falling back to a static signing key is a degraded security posture. Teams monitoring WARN-level logs for security anomalies would silently lose visibility into this condition. The change has a plausible legitimate motivation (reducing noise when static auth is intentionally configured), but the tradeoff reduces operational security observability.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 0 | Medium: 0 | Low: 1


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions

Copy link
Copy Markdown
Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🧪 PR contains tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ No major issues detected

@github-actions

Copy link
Copy Markdown
Contributor

PR Code Suggestions ✨

Explore these optional code suggestions:

CategorySuggestion                                                                                                                                    Impact
General
Restore original logger level after test

The test mutates a shared Log4j logger by adding an appender and changing its level
without restoring the original level in the finally block. This can leak state into
other tests running in the same JVM. Capture and restore the original Level after
the test completes.

src/test/java/org/opensearch/security/auth/http/jwt/keybyoidc/HTTPJwtKeyByJWKSAuthenticatorTest.java [264-273]

 Logger logger = (Logger) LogManager.getLogger(HTTPJwtKeyByJWKSAuthenticator.class);
+Level originalLevel = logger.getLevel();
 logger.addAppender(mockAppender);
 logger.setLevel(Level.INFO);
 
 try {
     Settings settings = Settings.builder()
         .put("signing_key", "dGVzdC1zaWduaW5nLWtleS10aGF0LWlzLWxvbmctZW5vdWdoLWZvci1obWFjLXNoYTI1Ng==")
         .build();
 
     new HTTPJwtKeyByJWKSAuthenticator(settings, null);
Suggestion importance[1-10]: 6

__

Why: Valid point about test isolation - mutating shared logger state without restoring it can affect other tests. The suggestion correctly identifies the issue and provides a reasonable fix, though it only partially addresses it (level captured but restoration code in finally is not shown).

Low

@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.07%. Comparing base (757b857) to head (65734e4).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #6264      +/-   ##
==========================================
+ Coverage   75.02%   75.07%   +0.05%     
==========================================
  Files         451      451              
  Lines       29248    29248              
  Branches     4407     4407              
==========================================
+ Hits        21942    21958      +16     
+ Misses       5270     5251      -19     
- Partials     2036     2039       +3     
Files with missing lines Coverage Δ
...p/jwt/keybyjwks/HTTPJwtKeyByJWKSAuthenticator.java 97.56% <100.00%> (ø)

... and 8 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Rishav9852Kumar

Copy link
Copy Markdown
Collaborator

Thanks for this PR @mvanhorn The log level change makes sense — static signing_key is a supported config and shouldn't warn on every startup. Left a couple of minor comments.

// Initialize static JWT authenticator as fallback if jwks_uri is not configured
if (!useJwks) {
log.warn("jwks_uri is not configured, falling back to static JWT authentication");
log.info("jwks_uri is not configured, using static JWT authentication with the configured signing_key");

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both initKeyProvider and the constructor log the same message back-to-back for the same condition. Consider rewording them slightly so they're distinguishable in logs.

  • initKeyProvider: "jwks_uri is not configured, skipping JWKS key provider initialization"
  • Constructor: "jwks_uri is not configured, using static JWT authentication with the configured 'signing_key'"

import org.opensearch.security.user.AuthCredentials;
import org.opensearch.security.util.FakeRestRequest;

import org.apache.logging.log4j.Level;

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CI is failing due to import ordering.

Can you run ./gradlew :spotlessApply to remove spotlessApply violations ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] unnecessary warning about JWKS on JWT auth domain

2 participants