[
https://issues.apache.org/jira/browse/CXF-7110?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15644133#comment-15644133
]
Sergey Beryozkin commented on CXF-7110:
---------------------------------------
Sorry, I'll take my comments about the audience restriction being wrongly
asserted back, I temporarily got confused.
This section, https://tools.ietf.org/html/rfc7523#section-3, clearly states
that audience validation is a must and that the audience must identify the
authorization/access token service, but it also clearly supports an audience
format that does not necessarily have to be the endpoint address of the
OAuth2 service.
Thus I added an option to configure a custom audience property on the grant
handler:
http://git-wip-us.apache.org/repos/asf/cxf/commit/9e9dd394
Besides supporting a non-URI format, it can also help with a case where a proxy
is interposing in front of the actual service endpoint: you'd set this property
to the endpoint address of the proxy.
> Inflexible jwt audience restriction validation
> ----------------------------------------------
>
> Key: CXF-7110
> URL: https://issues.apache.org/jira/browse/CXF-7110
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS Security
> Affects Versions: 3.1.7
> Environment: JVM 1.7, Ubuntu 14
> Reporter: Shaleen Mishra
>
> JwtUtils.validateJwtAudienceRestriction checks that the audience URL matches the
> current request URL (from the context). This works only during development
> but is most likely to fail because the actual URL of the resource server may
> be behind a proxy or load balancer etc. E.g. the actual request is sent to
> mycompany.com/oauth and the requester sends this string in the audience
> parameter, but the server actually serving the request may have a URL like
> localhost:8080/oauth. So the match fails. And thanks to the static util
> function, it cannot be customized easily.
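The proxy scenario from the issue and the configurable-audience fix described in the comment, as an added illustrative example (not CXF's own JwtUtils code, and the method and class names are assumptions): the expected audience is taken from configuration when set, and the current request URL is only the fallback, while the aud claim may be a string or a list as RFC 7519 allows.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Illustrative audience check (not CXF's JwtUtils): a configured audience
 *  takes precedence over the request URL seen by the backend. */
public class JwtAudienceCheck {

    /** Returns true when the JWT's aud claim names the expected audience. */
    public static boolean isAudienceValid(Object audClaim,
                                          String configuredAudience,
                                          String requestUrl) {
        // RFC 7523 section 3 makes the aud claim mandatory: missing means reject.
        if (audClaim == null) {
            return false;
        }
        // Prefer the audience the deployer configured (any string, e.g. a logical
        // name or the public proxy address); fall back to the request URL otherwise.
        String expected = (configuredAudience != null && !configuredAudience.isEmpty())
                ? configuredAudience : requestUrl;
        // The aud claim may be a single string or an array of strings.
        List<?> audiences = (audClaim instanceof List)
                ? (List<?>) audClaim
                : Collections.singletonList(audClaim);
        for (Object aud : audiences) {
            if (expected.equals(aud)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values: the client sends the public address as the
        // audience, but the backend behind the proxy sees its own local URL.
        String publicAudience = "https://mycompany.com/oauth";
        String localRequestUrl = "http://localhost:8080/oauth";

        // No configured audience: the claim is compared against the local URL.
        System.out.println(isAudienceValid(publicAudience, null, localRequestUrl));
        // Proxy address configured as the expected audience.
        System.out.println(isAudienceValid(publicAudience, publicAudience, localRequestUrl));
        // Non-URI audience inside an aud array, configured as expected.
        System.out.println(isAudienceValid(Arrays.asList("token-service", "other"),
                                           "token-service", localRequestUrl));
        // Missing aud claim.
        System.out.println(isAudienceValid(null, "token-service", localRequestUrl));
    }
}
```

Of the four checks, only the second and third succeed, which is exactly the difference a configured audience makes behind a proxy.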