Posted to commits@cxf.apache.org by bu...@apache.org on 2021/11/04 07:06:12 UTC

[cxf] branch master updated: cxf-rt-rs-security-oauth2: fix 'scope' jwt claim format (#871)

This is an automated email from the ASF dual-hosted git repository.

buhhunyx pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 03110cf  cxf-rt-rs-security-oauth2: fix 'scope' jwt claim format (#871)
03110cf is described below

commit 03110cf694be67611ea28e6d6cdefa0dd462e302
Author: Alexey Markevich <bu...@gmail.com>
AuthorDate: Thu Nov 4 07:05:57 2021 +0000

    cxf-rt-rs-security-oauth2: fix 'scope' jwt claim format (#871)
    
    https://datatracker.ietf.org/doc/html/rfc8693#section-4.2
---
 .../cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java    | 4 ++--
 .../systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 4eb4d17..01365eb 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -139,9 +139,9 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
         if (at.getIssuer() != null) {
             claims.setIssuer(at.getIssuer());
         }
-        if (!at.getScopes().isEmpty()) {
+        if (!at.getScopes().isEmpty()) { // rfc8693, section 4.2
             claims.setClaim(OAuthConstants.SCOPE,
-                            OAuthUtils.convertPermissionsToScopeList(at.getScopes()));
+                OAuthUtils.convertListOfScopesToString(OAuthUtils.convertPermissionsToScopeList(at.getScopes())));
         }
         // OAuth2 resource indicators (resource server audience)
         if (!at.getAudiences().isEmpty()) {
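Review bot: The new line changes the wire format of the `scope` claim from a JSON array to a single space-delimited string, and nothing in the commit updates the consumers of that claim other than the one system test; any resource-server code that still reads it with `getListStringProperty(OAuthConstants.SCOPE)` (the form the old test asserted) will stop seeing scopes on tokens issued after this change, and since scope is what authorization decisions are made on, the claim readers in this module should be checked in the same change or the format change called out in the release notes. The `// rfc8693, section 4.2` comment is too terse to explain the intent to the next reader; suggest `// RFC 8693 §4.2: "scope" is a single space-delimited string, not a JSON array`. The continuation line is also now indented under the `if` rather than under the first argument as the surrounding code does. The enclosing method begins and ends outside the hunk, so whether `at.getScopes()` can be null is not visible here.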
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
index 2e2d450..c3324c1 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
@@ -136,7 +136,7 @@ public class OAuth2JwtFiltersTest extends AbstractBusClientServerTestBase {
         JwtClaims claims = jwtConsumer.getJwtClaims();
         assertEquals("consumer-id", claims.getStringProperty(OAuthConstants.CLIENT_ID));
         assertEquals("alice", claims.getStringProperty("username"));
-        assertTrue(claims.getListStringProperty(OAuthConstants.SCOPE).contains(scope));
+        assertTrue(claims.getStringProperty(OAuthConstants.SCOPE).contains(scope));
         // Now invoke on the service with the access token
         WebClient client = WebClient.create(rsAddress, OAuth2TestUtils.setupProviders())
             .authorization(new ClientAccessToken(BEARER_AUTHORIZATION_SCHEME, accessToken.getTokenKey()));
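Review bot: The rewritten assertion uses `String.contains`, which is a substring match, so the test would also pass if the claim held a different scope that merely contains `scope` as a substring (e.g. a scope named `read` matching `readAll`), whereas the old list-based check matched whole elements. Since the claim is now a space-delimited string, split it before checking membership: `assertTrue(Arrays.asList(claims.getStringProperty(OAuthConstants.SCOPE).split(" ")).contains(scope));` (requires `java.util.Arrays` to be imported, which is outside the hunk). The enclosing test method begins and ends outside the hunk.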