Submitted JIRA ticket: https://issues.apache.org/jira/browse/SOLR-18073
On Mon, Jan 12, 2026 at 1:34 AM Tony Panza <[email protected]> wrote:
> Meant to say: the bug is with non-string claims
>
> On Mon, Jan 12, 2026 at 1:29 AM Tony Panza <[email protected]> wrote:
>
>> Hello,
>>
>> Shall I proceed with filing a JIRA ticket for the below issue?
>>
>> The claimsMatch configuration option in JWTAuthPlugin only works with string-valued JWT claims. When a claim configured in claimsMatch has a non-string value (e.g., a JSON boolean like email_verified: true), authentication fails with HTTP 400 "Invalid JWT" instead of matching the claim value.
>>
>> Root Cause:
>>
>> In JWTAuthPlugin.authenticate() (lines 575-594), the code calls jwtClaims.getStringClaimValue(claim) to retrieve claim values for regex matching:
>>
>> if (!entry.getValue().matcher(jwtClaims.getStringClaimValue(claim)).matches()) {
>>
>> When the claim is not a string (e.g., a boolean), Jose4j throws MalformedClaimException. This exception is caught at lines 706-708 and returns JWT_PARSE_ERROR:
>>
>> } catch (MalformedClaimException e) {
>>   return new JWTAuthenticationResponse(
>>       AuthCode.JWT_PARSE_ERROR, "Malformed claim, error was: " + e.getMessage());
>>
>> Impact:
>>
>> Users cannot use claimsMatch to validate common OIDC claims that are booleans, such as:
>> - email_verified (boolean in OIDC spec)
>> - Custom boolean claims from identity providers
>>
>> Steps to Reproduce:
>>
>> 1. Configure JWTAuthPlugin with:
>> {
>>   "claimsMatch": {
>>     "email_verified": "true"
>>   }
>> }
>>
>> 2. Send a request with a valid JWT containing "email_verified": true (boolean, not string)
>> 3. Observe HTTP 400 with message "Invalid JWT" / "Malformed claim"
>>
>> Expected Behavior:
>>
>> The plugin should convert non-string claim values to strings before regex matching, allowing claimsMatch to work with boolean, numeric, and other JSON types.
>>
>> Suggested Fix:
>>
>> Replace getStringClaimValue(claim) with getClaimValue(claim) and convert the result to a string:
>>
>> Object claimValue = jwtClaims.getClaimValue(claim);
>> String claimValueStr = claimValue != null ? claimValue.toString() : null;
>> if (claimValueStr == null || !entry.getValue().matcher(claimValueStr).matches()) {
>>
>> Test Case:
>>
>> A unit test demonstrating this bug has been written in JWTAuthPluginTest.testClaimMatchWithBooleanClaim().
>>
>> https://github.com/tpanza/solr/commit/feaee4dcc5ec392c88692bf37c206345fba6b2a1
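The claim-type failure described in the quoted report, with the suggested fix beside it, as an added example that is not part of this thread or of Solr's JWTAuthPlugin code: it assumes jose4j on the classpath, and the claim set and the claimsMatch pattern map are constructed here rather than taken from a real token or configuration.

```java
import java.util.Map;
import java.util.regex.Pattern;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;

public class ClaimsMatchDemo {
  // Mirrors the original check: getStringClaimValue() throws
  // MalformedClaimException as soon as the claim is not a JSON string,
  // which the plugin then surfaces as JWT_PARSE_ERROR (HTTP 400).
  static boolean claimsMatchOriginal(JwtClaims claims, Map<String, Pattern> claimsMatch)
      throws MalformedClaimException {
    for (Map.Entry<String, Pattern> entry : claimsMatch.entrySet()) {
      String value = claims.getStringClaimValue(entry.getKey()); // null when absent
      if (value == null || !entry.getValue().matcher(value).matches()) return false;
    }
    return true;
  }

  // Suggested fix: take the raw claim Object and stringify it before matching, so
  // booleans ("true"/"false") and numbers ("42") are regex-matchable. A missing
  // claim still fails closed; note that a list claim stringifies as "[a, b]".
  static boolean claimsMatchFixed(JwtClaims claims, Map<String, Pattern> claimsMatch) {
    for (Map.Entry<String, Pattern> entry : claimsMatch.entrySet()) {
      Object raw = claims.getClaimValue(entry.getKey());
      String value = raw != null ? raw.toString() : null;
      if (value == null || !entry.getValue().matcher(value).matches()) return false;
    }
    return true;
  }

  public static void main(String[] args) {
    // Constructed claim set standing in for an already signature-verified token.
    JwtClaims claims = new JwtClaims();
    claims.setSubject("alice");
    claims.setClaim("email_verified", Boolean.TRUE); // JSON boolean, not the string "true"
    // Constructed claimsMatch config, as compiled from {"claimsMatch":{"email_verified":"true"}}.
    Map<String, Pattern> claimsMatch = Map.of("email_verified", Pattern.compile("true"));

    try {
      System.out.println("original: " + claimsMatchOriginal(claims, claimsMatch));
    } catch (MalformedClaimException e) {
      System.out.println("original rejects the token: " + e.getMessage());
    }
    System.out.println("fixed: " + claimsMatchFixed(claims, claimsMatch));

    // An absent claim is still a mismatch (denied), not an exception.
    System.out.println("missing claim: "
        + claimsMatchFixed(claims, Map.of("email", Pattern.compile(".*@example\\.org"))));
  }
}
```

Run it with jose4j on the classpath: the original path ends in the MalformedClaimException the report describes, while the fixed path matches the boolean claim and still denies on a claim that is absent.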
