This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch coheigea/oauth2-subject-binding in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 2ce4409fe6acea6c9df627bd231f109badff3b38 Author: Colm O hEigeartaigh <[email protected]> AuthorDate: Tue Jul 7 15:41:34 2026 +0100 Switch AbstractJwtHandler to require that the subject = the client Id by default --- .../cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java index 1a8c92a6e42..8f962334223 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java @@ -82,6 +82,13 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler { if (subject == null) { throw new OAuthServiceException(OAuthConstants.INVALID_GRANT); } + // Strict-by-default: require the assertion subject to match the authenticated client id. + // Subclasses can override this method to support a different authorization model + // (for example, trusted delegation with an explicit client-to-subject policy). + if (client != null && client.getClientId() != null + && !client.getClientId().equals(subject)) { + throw new OAuthServiceException(OAuthConstants.INVALID_GRANT); + } } public void setSupportedIssuers(Set<String> supportedIssuers) { this.supportedIssuers = supportedIssuers;
