Thanks a lot for the bug report and failing test, please see PR linked to the JIRA :)
Jan

> On 14 Jan 2026 at 07:15, Tony Panza <[email protected]> wrote:
>
> Submitted JIRA ticket: https://issues.apache.org/jira/browse/SOLR-18073
>
> On Mon, Jan 12, 2026 at 1:34 AM Tony Panza <[email protected]> wrote:
>
>> Meant to say: the bug is with non-string claims
>>
>> On Mon, Jan 12, 2026 at 1:29 AM Tony Panza <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> Shall I proceed with filing a JIRA ticket for the below issue?
>>>
>>> The claimsMatch configuration option in JWTAuthPlugin only works with
>>> string-valued JWT claims. When a claim configured in claimsMatch has a
>>> non-string value (e.g., a JSON boolean like email_verified: true),
>>> authentication fails with HTTP 400 "Invalid JWT" instead of matching the
>>> claim value.
>>>
>>> Root Cause:
>>>
>>> In JWTAuthPlugin.authenticate() (lines 575-594), the code calls
>>> jwtClaims.getStringClaimValue(claim) to retrieve claim values for regex
>>> matching:
>>>
>>>     if (!entry.getValue().matcher(jwtClaims.getStringClaimValue(claim)).matches()) {
>>>
>>> When the claim is not a string (e.g., a boolean), Jose4j throws
>>> MalformedClaimException. This exception is caught at lines 706-708 and
>>> returns JWT_PARSE_ERROR:
>>>
>>>     } catch (MalformedClaimException e) {
>>>       return new JWTAuthenticationResponse(
>>>           AuthCode.JWT_PARSE_ERROR, "Malformed claim, error was: " + e.getMessage());
>>>
>>> Impact:
>>>
>>> Users cannot use claimsMatch to validate common OIDC claims that are
>>> booleans, such as:
>>> - email_verified (boolean in OIDC spec)
>>> - Custom boolean claims from identity providers
>>>
>>> Steps to Reproduce:
>>>
>>> 1. Configure JWTAuthPlugin with:
>>>
>>>     {
>>>       "claimsMatch": {
>>>         "email_verified": "true"
>>>       }
>>>     }
>>>
>>> 2. Send a request with a valid JWT containing "email_verified": true
>>>    (boolean, not string)
>>> 3. Observe HTTP 400 with message "Invalid JWT" / "Malformed claim"
>>>
>>> Expected Behavior:
>>>
>>> The plugin should convert non-string claim values to strings before
>>> regex matching, allowing claimsMatch to work with boolean, numeric, and
>>> other JSON types.
>>>
>>> Suggested Fix:
>>>
>>> Replace getStringClaimValue(claim) with getClaimValue(claim) and
>>> convert the result to a string:
>>>
>>>     Object claimValue = jwtClaims.getClaimValue(claim);
>>>     String claimValueStr = claimValue != null ? claimValue.toString() : null;
>>>     if (claimValueStr == null || !entry.getValue().matcher(claimValueStr).matches()) {
>>>
>>> Test Case:
>>>
>>> A unit test demonstrating this bug has been written in
>>> JWTAuthPluginTest.testClaimMatchWithBooleanClaim().
>>>
>>> https://github.com/tpanza/solr/commit/feaee4dcc5ec392c88692bf37c206345fba6b2a1
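The failure mode and the suggested fix above, modelled in Python as an added example (this is not Solr or jose4j code, and the thread contains no Python). `get_string_claim` stands in for jose4j's `getStringClaimValue()`, `MalformedClaimError` for its `MalformedClaimException`, and the outcome labels other than `JWT_PARSE_ERROR` are constructed for the example. The sample claims are a constructed decoded payload, not a real token. One point the model makes visible: Java's `Boolean.toString()` yields `true`, so the Java fix matches a pattern written as `"true"`, whereas Python's `str(True)` is `True`; the example therefore renders non-string values in their JSON form. It also uses `re.fullmatch`, the equivalent of Java's whole-value `Matcher.matches()`, so a pattern such as `\d` does not accidentally match `42`.

```python
import json
import re
from typing import Any, Dict, Mapping, Optional


class MalformedClaimError(ValueError):
    """Assumed stand-in for jose4j's MalformedClaimException."""


# Constructed sample of a decoded, signature-verified JWT payload. The values
# are plain JSON types, as an identity provider would issue them.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "alice",
    "email_verified": True,        # JSON boolean, not the string "true"
    "login_count": 42,             # JSON number
    "roles": ["admin", "search"],  # JSON array
    "tenant": None,                # JSON null
}


def get_string_claim(claims: Mapping[str, Any], name: str) -> Optional[str]:
    """Model of getStringClaimValue(): None when absent, error when not a string.

    This is the pre-fix behaviour the report describes: any non-string claim
    surfaces as a malformed-claim error rather than a comparison.
    """
    value = claims.get(name)
    if value is None:
        return None
    if not isinstance(value, str):
        raise MalformedClaimError(f"claim {name!r} is {type(value).__name__}, not a string")
    return value


def claim_as_text(value: Any) -> Optional[str]:
    """Model of the suggested fix's getClaimValue() + toString() step.

    Strings pass through unchanged; other JSON values are rendered in their
    JSON text form (true, 42, ["admin","search"]) so that patterns are written
    against what appears in the token, independent of the host language's
    own string conversion. null is treated as absent, as in the suggested fix.
    """
    if value is None:
        return None
    if isinstance(value, str):
        return value
    return json.dumps(value, separators=(",", ":"))


def match_claims(claims_match: Mapping[str, str], claims: Mapping[str, Any], *, fixed: bool) -> str:
    """Run every claimsMatch rule and return the outcome.

    'JWT_PARSE_ERROR' is the code the reporter observed; 'CLAIM_MISMATCH' and
    'AUTHENTICATED' are constructed labels for the other two outcomes.
    """
    try:
        for name, regex in claims_match.items():
            text = claim_as_text(claims.get(name)) if fixed else get_string_claim(claims, name)
            # Java's Matcher.matches() requires the whole value to match;
            # re.fullmatch is the equivalent (re.match would only anchor the start).
            if text is None or re.fullmatch(regex, text) is None:
                return "CLAIM_MISMATCH"
    except MalformedClaimError:
        return "JWT_PARSE_ERROR"
    return "AUTHENTICATED"


if __name__ == "__main__":
    rules = {"email_verified": "true"}
    print("before fix:", match_claims(rules, SAMPLE_CLAIMS, fixed=False))
    print("after fix: ", match_claims(rules, SAMPLE_CLAIMS, fixed=True))
```

Running the script prints `JWT_PARSE_ERROR` for the pre-fix path and `AUTHENTICATED` for the fixed path on the same rule and token. Rendering arrays in JSON form is a deliberate choice of the example, not of the suggested patch: Java's `List.toString()` gives `[admin, search]`, so an operator writing a regex against a multi-valued claim should check which rendering their deployment produces before relying on it.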
