This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch coheigea/oauth2-subject-binding
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 2ce4409fe6acea6c9df627bd231f109badff3b38
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue Jul 7 15:41:34 2026 +0100

    Switch AbstractJwtHandler to require that the subject = the client Id by 
default
---
 .../cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java      | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
index 1a8c92a6e42..8f962334223 100644
--- 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
+++ 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
@@ -82,6 +82,13 @@ public abstract class AbstractJwtHandler extends 
AbstractGrantHandler {
         if (subject == null) {
             throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
         }
+        // Strict-by-default: require the assertion subject to match the 
authenticated client id.
+        // Subclasses can override this method to support a different 
authorization model
+        // (for example, trusted delegation with an explicit client-to-subject 
policy).
+        if (client != null && client.getClientId() != null
+            && !client.getClientId().equals(subject)) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
     }
     public void setSupportedIssuers(Set<String> supportedIssuers) {
         this.supportedIssuers = supportedIssuers;

Reply via email to