bharos opened a new issue, #9733: URL: https://github.com/apache/gravitino/issues/9733
### What would you like to be improved?

Currently the JWT token can only contain a single audience. We can improve the JWKS token validator to support multiple audiences in the token.

### How should we improve?

Root cause: The validator uses Nimbus's exactMatchClaims, which requires exact equality of the entire audience array (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/9509dc54d154a6d8835ff96639297770de2a0cbf/src/main/java/com/nimbusds/jwt/proc/DefaultJWTClaimsVerifier.java#lines-176), rather than RFC 7519's "at-least-one" match semantics (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).

Solution: Use the DefaultJWTClaimsVerifier constructor with the acceptedAudiences Set parameter (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/9509dc54d154a6d8835ff96639297770de2a0cbf/src/main/java/com/nimbusds/jwt/proc/DefaultJWTClaimsVerifier.java#lines-204), which properly implements RFC 7519 compliant audience validation (checking if the service's audience is present in the token's audience list). This brings JwksTokenValidator's behavior in line with StaticSignKeyValidator, which already supports multi-audience tokens correctly.
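The two verifier configurations side by side, as an added example that is not code from the Gravitino project or the issue author: the claims set, the audience value "gravitino" and the required-claim names are constructed for illustration, and the example relies only on the public Nimbus `DefaultJWTClaimsVerifier` constructors linked above.

```java
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;

public class AudienceMatchDemo {

  // Constructed sample claims: the IdP issued one token for two services.
  static JWTClaimsSet multiAudienceClaims() {
    return new JWTClaimsSet.Builder()
        .issuer("https://idp.example.test")
        .subject("alice")
        .audience(List.of("gravitino", "other-service"))
        .expirationTime(new Date(System.currentTimeMillis() + 60_000L))
        .build();
  }

  // Exact-match style: the whole aud array must equal ["gravitino"],
  // so a token that also names "other-service" is rejected.
  static DefaultJWTClaimsVerifier<SecurityContext> exactMatchVerifier() {
    JWTClaimsSet exact = new JWTClaimsSet.Builder().audience("gravitino").build();
    return new DefaultJWTClaimsVerifier<>(exact, new HashSet<>(Set.of("sub", "exp")));
  }

  // acceptedAudience style (RFC 7519 semantics): at least one aud value must be
  // in the accepted set; "aud" becomes a required claim automatically.
  static DefaultJWTClaimsVerifier<SecurityContext> acceptedAudienceVerifier() {
    return new DefaultJWTClaimsVerifier<>(
        Set.of("gravitino"),                 // acceptedAudience
        null,                                // no exact-match claims
        new HashSet<>(Set.of("sub", "exp")), // required claims
        null);                               // no prohibited claims
  }

  static boolean accepts(DefaultJWTClaimsVerifier<SecurityContext> v, JWTClaimsSet c) {
    try { v.verify(c, null); return true; } catch (BadJWTException e) { return false; }
  }

  public static void main(String[] args) {
    JWTClaimsSet claims = multiAudienceClaims();
    System.out.println("exact match accepts:       " + accepts(exactMatchVerifier(), claims));
    System.out.println("acceptedAudience accepts:  " + accepts(acceptedAudienceVerifier(), claims));
  }
}
```

The first line prints false and the second true, which is the behavioural difference the issue describes; signature verification is unchanged by this switch and still happens in the JWKS processor before the claims verifier runs.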
