jiazhai commented on a change in pull request #6716: [Issue #6711]: add
audience verify in AuthenticationProviderToken
URL: https://github.com/apache/pulsar/pull/6716#discussion_r407209153
##########
File path:
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java
##########
@@ -126,9 +137,40 @@ private static String validateToken(final String token)
throws AuthenticationExc
@SuppressWarnings("unchecked")
private Jwt<?, Claims> authenticateToken(final String token) throws
AuthenticationException {
try {
- return Jwts.parser()
+ Jwt<?, Claims> jwt = Jwts.parser()
.setSigningKey(validationKey)
.parse(token);
+
+ if (audienceClaim != null) {
+ if (audience == null){
+ throw new JwtException("Token Audience Claim [" +
audienceClaim
+ + "] configured, but Audience
stands for this broker not.");
+ }
+
+ Object object = jwt.getBody().get(audienceClaim);
+ if (object == null) {
+ throw new JwtException("Found null Audience in token, for
claimed field: " + audienceClaim);
Review comment:
Right. currently, the JwtException will be wrapped into a
AuthenticationException in line 174 below.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
