Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2022/04/05 14:49:00 UTC

[jira] [Commented] (CXF-8686) JWT role claim incorrectly parsed if not tokenized as string

    [ https://issues.apache.org/jira/browse/CXF-8686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517493#comment-17517493 ] 

Colm O hEigeartaigh commented on CXF-8686:
------------------------------------------

LGTM. If you can create a PR soon we will get it into 3.5.2, otherwise it will be deferred to a later release.

> JWT role claim incorrectly parsed if not tokenized as string
> ------------------------------------------------------------
>
>                 Key: CXF-8686
>                 URL: https://issues.apache.org/jira/browse/CXF-8686
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.6, 3.5.1
>            Reporter: Oliver Wulff
>            Priority: Major
>             Fix For: 3.5.2, 4.0.0
>
>         Attachments: image-2022-04-05-14-08-09-726.png
>
>
> The JwtTokenSecurityContext class expects a tokenized string for the role claim. If the JWT contains an array of strings to represent the roles the role claim is incorrectly parsed.
> The following line shows that it always first tokenize the array:
> [https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java#L48]
> Here is a snippet of the sample JWT:
>  
> {\{{}}
> {{  "sub": "myid",}}
> {{  "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",}}
> {{  "iss": "STS INT",}}
> {{  "roles": [}}
> {{    "READ",}}
> {{    "UPDATE"}}
> {{  ],}}
> {{  "iat": 1649079679,}}
> {{  "nbf": 1649079679,}}
> {{  "exp": 1649086879,}}
> {{  "aud": [}}
> {{    "urn:mycompany:application:foo"}}
> {{  ]}}
> {{}}}
>  
> I propose to improve this logic so that both roles in a tokenized string as well as a proper array list are properly parsed.
>  
> Here is a snippet of the debugger. The above example ends up with two roles "[READ" and " UPDATE]".
>  
> [attachment: image-2022-04-05-14-08-09-726.png]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
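The parsing defect described in the issue, reproduced and corrected as an added stand-alone example that is not CXF's own code: the claim value is taken as a plain Java Object (a JSON array deserializes to a List, a tokenized claim to a String), which is an assumption of this example rather than the project's JwtClaims API.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class RoleClaimParser {

    /**
     * Extracts role names from a role claim that may be either a delimited
     * String ("READ, UPDATE") or a JSON array (["READ", "UPDATE"]).
     */
    public static List<String> parseRoles(Object claimValue) {
        if (claimValue == null) {
            return Collections.emptyList();
        }
        List<String> roles = new ArrayList<>();
        if (claimValue instanceof List) {
            // JSON array: take each element verbatim, never its toString() form
            for (Object o : (List<?>) claimValue) {
                if (o != null && !o.toString().trim().isEmpty()) {
                    roles.add(o.toString().trim());
                }
            }
        } else if (claimValue instanceof String) {
            // Tokenized string: split on commas and/or whitespace, drop empties
            for (String r : ((String) claimValue).split("[,\\s]+")) {
                if (!r.isEmpty()) {
                    roles.add(r);
                }
            }
        } else {
            // Numbers, nested objects etc. are not valid role claims; fail closed
            throw new IllegalArgumentException(
                "Unsupported role claim type: " + claimValue.getClass().getName());
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed claims mirroring the JWT in the issue report
        Map<String, Object> claims = Map.of(
            "sub", "myid",
            "roles", Arrays.asList("READ", "UPDATE"));
        System.out.println("array form:  " + parseRoles(claims.get("roles")));
        System.out.println("string form: " + parseRoles("READ, UPDATE"));
        // Pre-fix behaviour: tokenizing the array's String form on ',' yields the
        // malformed roles "[READ" and " UPDATE]" seen in the debugger screenshot
        System.out.println("pre-fix:     "
            + Arrays.asList(claims.get("roles").toString().split(",")));
    }
}
```

Authorization checks that compare these strings against role names will silently deny (or, with lenient matching, misattribute) access when the bracket-wrapped tokens are used, so a unit test covering both claim shapes is the practical regression guard.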