bharos opened a new pull request, #9734:
URL: https://github.com/apache/gravitino/pull/9734

   
### What changes were proposed in this pull request?
Modified `JwksTokenValidator` to use Nimbus's `acceptedAudiences` Set parameter instead of `exactMatchClaims` for audience validation. This enables proper RFC 7519-compliant multi-audience token support.
   
### Why are the changes needed?

JwksTokenValidator currently rejects valid JWT tokens that contain multiple audiences (e.g., `["service-a", "service-b", "service-c"]`), even when the configured service audience is present in the list. This is because the validator uses `exactMatchClaims`, which requires exact array equality rather than the "at-least-one match" semantics defined in RFC 7519.

Fix: #9733
   
### Does this PR introduce _any_ user-facing change?

Yes - JWT tokens with multiple audiences in the `aud` claim are now properly validated when the configured service audience is present in the token's audience list. Previously only single-audience tokens were supported.
   
   
### How was this patch tested?

Added `testValidateTokenWithMultipleAudiences()` that verifies:
1. Token with `["other-service", "test-service", "another-service"]` validates successfully against `"test-service"`
2. Same token fails validation against `"incorrect-service"`

All existing OAuth authentication tests pass.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
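The difference between the two Nimbus verifier modes described in the PR, as an added stand-alone example (not Gravitino's `JwksTokenValidator` and not code from the PR): the same three-audience claims set is checked once through `exactMatchClaims`, which rejects it because the `aud` list is not exactly `["test-service"]`, and once through the `acceptedAudience` set, which accepts it because at least one entry matches and rejects it when the configured audience is `"incorrect-service"`. It assumes `com.nimbusds:nimbus-jose-jwt` 8.x or later on the classpath, where `DefaultJWTClaimsVerifier` has the four-argument `(acceptedAudience, exactMatchClaims, requiredClaims, prohibitedClaims)` constructor; the class and method names below are this example's own.

```java
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

public class AudienceSemanticsDemo {

  static final String SERVICE_AUD = "test-service";

  // Constructed claims set (not a real token): the multi-audience case from the PR,
  // with a short-lived "exp" so the verifier's time check does not get in the way.
  static JWTClaimsSet multiAudienceClaims() {
    return new JWTClaimsSet.Builder()
        .issuer("https://issuer.example")
        .subject("alice")
        .audience(Arrays.asList("other-service", SERVICE_AUD, "another-service"))
        .expirationTime(new Date(System.currentTimeMillis() + 60_000))
        .build();
  }

  // Old behaviour: exactMatchClaims compares the whole "aud" value, so a token whose
  // aud list is not exactly ["test-service"] fails even though it contains it.
  static boolean verifiedWithExactMatch(JWTClaimsSet claims) {
    JWTClaimsSet expected = new JWTClaimsSet.Builder().audience(SERVICE_AUD).build();
    DefaultJWTClaimsVerifier<SecurityContext> verifier =
        new DefaultJWTClaimsVerifier<>(expected, Collections.singleton("exp"));
    try { verifier.verify(claims, null); return true; }
    catch (BadJWTException e) { return false; }
  }

  // Fixed behaviour: acceptedAudience applies RFC 7519 section 4.1.3 semantics, i.e.
  // the token passes if at least one "aud" entry is in the accepted set. A token
  // with no "aud" at all is still rejected, because the set does not contain null.
  static boolean verifiedWithAcceptedAudience(JWTClaimsSet claims, String configured) {
    DefaultJWTClaimsVerifier<SecurityContext> verifier =
        new DefaultJWTClaimsVerifier<>(
            Collections.singleton(configured), null, Collections.singleton("exp"), null);
    try { verifier.verify(claims, null); return true; }
    catch (BadJWTException e) { return false; }
  }

  public static void main(String[] args) {
    JWTClaimsSet claims = multiAudienceClaims();
    System.out.println("exactMatchClaims accepts: " + verifiedWithExactMatch(claims));
    System.out.println("acceptedAudience accepts: " + verifiedWithAcceptedAudience(claims, SERVICE_AUD));
    System.out.println("wrong audience accepts:   " + verifiedWithAcceptedAudience(claims, "incorrect-service"));
  }
}
```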
