Re: Bug with Solr JWT module for non-Boolean claims

Mon, 12 Jan 2026 01:34:53 -0800 

Meant to say: the bug is with non-string claims

On Mon, Jan 12, 2026 at 1:29 AM Tony Panza <[email protected]> wrote:

> Hello,
>
> Shall I proceed with filing a JIRA ticket for the below issue?
>
> The claimsMatch configuration option in JWTAuthPlugin only works with
> string-valued JWT claims. When a claim configured in claimsMatch has a
> non-string value (e.g., a JSON boolean like email_verified: true),
> authentication fails with HTTP 400 "Invalid JWT" instead of matching the
> claim value.
>
>   Root Cause:
>
>   In JWTAuthPlugin.authenticate() (lines 575-594), the code calls
> jwtClaims.getStringClaimValue(claim) to retrieve claim values for regex
> matching:
>
>   if
> (!entry.getValue().matcher(jwtClaims.getStringClaimValue(claim)).matches())
> {
>
>   When the claim is not a string (e.g., a boolean), Jose4j throws
> MalformedClaimException. This exception is caught at line 706-708 and
> returns JWT_PARSE_ERROR:
>
>   } catch (MalformedClaimException e) {
>     return new JWTAuthenticationResponse(
>         AuthCode.JWT_PARSE_ERROR, "Malformed claim, error was: " +
> e.getMessage());
>
>   Impact:
>
>   Users cannot use claimsMatch to validate common OIDC claims that are
> booleans, such as:
>   - email_verified (boolean in OIDC spec)
>   - Custom boolean claims from identity providers
>
>   Steps to Reproduce:
>
>   1. Configure JWTAuthPlugin with:
>   {
>     "claimsMatch": {
>       "email_verified": "true"
>     }
>   }
>
>   2. Send a request with a valid JWT containing "email_verified": true
> (boolean, not string)
>   3. Observe HTTP 400 with message "Invalid JWT" / "Malformed claim"
>
>   Expected Behavior:
>
>   The plugin should convert non-string claim values to strings before
> regex matching, allowing claimsMatch to work with boolean, numeric, and
> other JSON types.
>
>   Suggested Fix:
>
>   Replace getStringClaimValue(claim) with getClaimValue(claim) and convert
> the result to a string:
>   Object claimValue = jwtClaims.getClaimValue(claim);
>   String claimValueStr = claimValue != null ? claimValue.toString() : null;
>   if (claimValueStr == null ||
> !entry.getValue().matcher(claimValueStr).matches()) {
>
>   Test Case:
>
>   A unit test demonstrating this bug has been written in
> JWTAuthPluginTest.testClaimMatchWithBooleanClaim().
>
>
> https://github.com/tpanza/solr/commit/feaee4dcc5ec392c88692bf37c206345fba6b2a1
>
>

Reply via email to