Re: [PR] RANGER-5533:Verify JWT Issuer Claims if present [ranger]

Mon, 30 Mar 2026 21:22:34 -0700 


kumaab commented on code in PR #901:
URL: https://github.com/apache/ranger/pull/901#discussion_r3013415793


##########
ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java:
##########
@@ -290,6 +303,38 @@ protected boolean validateAudiences(final SignedJWT 
jwtToken) {
         return valid;
     }
 
+    /**
+     * Validate whether any of the accepted issuer claims is present in the 
issued
+     * token claims list for issuer. Override this method in subclasses in 
order
+     * to customize the audience validation behavior.
+     *
+     * @param jwtToken the JWT token from which the JWT issuer will be obtained
+     * @return true if an expected issuer is present, otherwise false
+     */
+    protected boolean validateIssuer(final SignedJWT jwtToken) {

Review Comment:
   Instead of adding a standalone validateIssuer() method, consider using 
Nimbus's `DefaultJWTClaimsVerifier`, which would consolidate `issuer`, 
`audience`, and `expiration` checks in one place: 
   ```java
   
   JWTClaimsSet.Builder exactMatchBuilder = new JWTClaimsSet.Builder();
   String               issuer            = config.getProperty(KEY_JWT_ISSUER);
   if (StringUtils.isNotBlank(issuer)) {
       exactMatchBuilder.issuer(issuer);
   }
   
   Set<String> acceptedAudiences = null;
   String      audiencesStr      = config.getProperty(KEY_JWT_AUDIENCES);
   if (StringUtils.isNotBlank(audiencesStr)) {
       acceptedAudiences = new 
HashSet<>(Arrays.asList(audiencesStr.split(",")));
   }
   
   claimsVerifier = new DefaultJWTClaimsVerifier<>(acceptedAudiences, 
exactMatchBuilder.build(), null, null);
   claimsVerifier.verify(jwtToken.getJWTClaimsSet(), null);
   ```
   This would replace all three of `validateExpiration()`, 
`validateAudiences()`, and the proposed `validateIssuer()` with a single, 
well-tested library call. It also gets clock skew handling for free (the 
verifier has a configurable skew, defaulting to 60 seconds).
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to