Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2022/04/05 14:49:00 UTC
[jira] [Commented] (CXF-8686) JWT role claim incorrectly parsed if not tokenized as string
[ https://issues.apache.org/jira/browse/CXF-8686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517493#comment-17517493 ]
Colm O hEigeartaigh commented on CXF-8686:
------------------------------------------
LGTM. If you can create a PR soon we will get it into 3.5.2, otherwise it will be deferred to a later release.
> JWT role claim incorrectly parsed if not tokenized as string
> ------------------------------------------------------------
>
> Key: CXF-8686
> URL: https://issues.apache.org/jira/browse/CXF-8686
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.4.6, 3.5.1
> Reporter: Oliver Wulff
> Priority: Major
> Fix For: 3.5.2, 4.0.0
>
> Attachments: image-2022-04-05-14-08-09-726.png
>
>
> The JwtTokenSecurityContext class expects a tokenized string for the role claim. If the JWT contains an array of strings to represent the roles, the role claim is incorrectly parsed.
> The following line shows that it always first tokenizes the array:
> [https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java#L48]
> Here is a snippet of the sample JWT:
>
> {
>   "sub": "myid",
>   "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",
>   "iss": "STS INT",
>   "roles": [
>     "READ",
>     "UPDATE"
>   ],
>   "iat": 1649079679,
>   "nbf": 1649079679,
>   "exp": 1649086879,
>   "aud": [
>     "urn:mycompany:application:foo"
>   ]
> }
>
> I propose to improve this logic so that both roles in a tokenized string as well as a proper array list are properly parsed.
>
> Here is a snippet of the debugger. The above example ends up with two roles "[READ" and " UPDATE]".
>
> !image-2022-04-05-14-08-09-726.png!
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
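As an added illustration (not CXF's code and not the patch for this issue), the Java snippet below reproduces the failure mode from the report, a List-valued "roles" claim being stringified and split on commas, next to a parser that handles both a delimited string and a JSON array. The method names and the claims map are hypothetical stand-ins for the parsed JWT.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class RoleClaimParsing {

    // Reproduces the reported behaviour: the claim value is converted to a
    // String and split on commas. A List renders as "[READ, UPDATE]", so the
    // resulting roles are the bogus values "[READ" and " UPDATE]", which will
    // never match a role check against "READ" or "UPDATE".
    static List<String> parseRolesTokenized(Object claim) {
        List<String> roles = new ArrayList<>();
        if (claim == null) {
            return roles;
        }
        for (String part : String.valueOf(claim).split(",")) {
            roles.add(part);
        }
        return roles;
    }

    // Hypothetical corrected parsing: a JSON array is taken element by
    // element; a plain string is still split on commas, then trimmed, with
    // empty tokens dropped.
    static List<String> parseRoles(Object claim) {
        if (claim == null) {
            return Collections.emptyList();
        }
        List<String> roles = new ArrayList<>();
        if (claim instanceof List) {
            for (Object o : (List<?>) claim) {
                roles.add(String.valueOf(o).trim());
            }
        } else {
            for (String part : String.valueOf(claim).split(",")) {
                if (!part.trim().isEmpty()) {
                    roles.add(part.trim());
                }
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed claims, mirroring the "roles" array in the report.
        Map<String, Object> claims = Map.of("sub", "myid", "roles", List.of("READ", "UPDATE"));
        System.out.println("tokenized: " + parseRolesTokenized(claims.get("roles")));
        System.out.println("array:     " + parseRoles(claims.get("roles")));
        System.out.println("string:    " + parseRoles("READ, UPDATE"));
    }
}
```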