Posted to issues@cxf.apache.org by "Oliver Wulff (Jira)" <ji...@apache.org> on 2022/04/05 07:02:00 UTC
[jira] [Created] (CXF-8686) JWT role claim incorrectly parsed if not tokenized as string
Oliver Wulff created CXF-8686:
---------------------------------
Summary: JWT role claim incorrectly parsed if not tokenized as string
Key: CXF-8686
URL: https://issues.apache.org/jira/browse/CXF-8686
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Affects Versions: 3.5.1, 3.4.6
Reporter: Oliver Wulff
Fix For: 3.5.2, 4.0.0
The JwtTokenSecurityContext class expects a tokenized string for the role claim. If the JWT contains an array of strings to represent the roles, the role claim is incorrectly parsed.
The following line shows that it always first tokenizes the array:
https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java#L48
Here is a snippet of the sample JWT:
{quote}
{
  "sub": "myid",
  "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",
  "iss": "STS INT",
  "roles": [ "READ", "UPDATE" ],
  "iat": 1649079679,
  "nbf": 1649079679,
  "exp": 1649086879,
  "aud": [ "urn:application:myapi" ]
}
{quote}
I propose to improve this logic so that both roles in a tokenized string as well as a proper array list are properly parsed.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
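The parsing behaviour the report asks for, as an added standalone example that is not CXF's own code: the claims are modelled as a plain Map standing in for a parsed JWT payload, the comma delimiter for the tokenized form and the RoleClaimParser class name are assumptions, and an array value is walked element by element instead of being stringified and split.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Extracts role names from a JWT claim that is either a delimited string
// ("READ,UPDATE") or a JSON array (["READ","UPDATE"]). The claim map stands in
// for a parsed JWT payload; the comma delimiter is an assumption, not CXF's.
public final class RoleClaimParser {
    private static final String DELIMITER = ",";

    // Returns the role set, or an empty set if the claim is absent or malformed.
    public static Set<String> parseRoles(Map<String, Object> claims, String roleClaim) {
        Object value = claims.get(roleClaim);
        if (value == null) {
            return Collections.emptySet();
        }
        Set<String> roles = new LinkedHashSet<>();
        if (value instanceof String) {
            // Tokenized form: one string that must be split.
            for (String part : ((String) value).split(DELIMITER)) {
                addIfNotBlank(roles, part);
            }
        } else if (value instanceof List) {
            // Array form: each element is one role; non-string elements are skipped.
            for (Object item : (List<?>) value) {
                if (item instanceof String) {
                    addIfNotBlank(roles, (String) item);
                }
            }
        }
        // Any other JSON type (number, object, boolean) yields no roles.
        return Collections.unmodifiableSet(roles);
    }

    private static void addIfNotBlank(Set<String> roles, String role) {
        String trimmed = role.trim();
        if (!trimmed.isEmpty()) {
            roles.add(trimmed);
        }
    }

    public static void main(String[] args) {
        // Constructed claims: the array form from the report and the tokenized-string form.
        Map<String, Object> arrayForm = Map.of("sub", "myid", "roles", List.of("READ", "UPDATE"));
        Map<String, Object> stringForm = Map.of("sub", "myid", "roles", "READ,UPDATE");
        System.out.println(parseRoles(arrayForm, "roles"));
        System.out.println(parseRoles(stringForm, "roles"));
    }
}
```

Both constructed inputs map to the same role set, which is the property an authorization check relying on the role claim needs regardless of how the token issuer encodes it.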