You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2018/04/03 15:43:00 UTC

[jira] [Updated] (CXF-7693) Allow JWT audience claims validation not RFC 7519 compliant

     [ https://issues.apache.org/jira/browse/CXF-7693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated CXF-7693:
-------------------------------------
    Fix Version/s: 3.2.5
                   3.1.16

> Allow JWT audience claims validation not RFC 7519 compliant
> -----------------------------------------------------------
>
>                 Key: CXF-7693
>                 URL: https://issues.apache.org/jira/browse/CXF-7693
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.2.4
>            Reporter: Jo Evans
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.1.16, 3.2.5
>
>
> Current JwtUtils.validateJwtAudienceRestriction implementation does not comply with the 'aud' claim specification. An 'aud' claim is optional - the current validation does not cater for the case when the 'aud' claim is optional i.e. when no aud claims are present, the processing principal should be allowed to process if it so chooses.
>  
> Should perhaps also consider allowing explicit audiences vs wildcards i.e. allowing a resource to also include all its sub-resources - this would reduce the token size which does not scale well if the token has to contain multiple aud claims



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)