[ https://issues.apache.org/jira/browse/CXF-7693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jo Evans updated CXF-7693:
--------------------------
    Description: 
Current JwtUtils.validateJwtAudienceRestriction implementation does not comply 
with the 'aud' claim specification. An 'aud' claim is optional. The current 
validation does not cater for the case when the 'aud' claim is optional, i.e. 
when no aud claims are present, the processing principal should be allowed to 
process if it so chooses.

Should perhaps also consider allowing explicit audiences vs wildcards, i.e. 
allowing a resource to also include all its sub-resources. This would reduce 
the token size, which does not scale well if the token has to contain multiple 
aud claims.

  was:Current JwtUtils.validateJwtAudienceRestriction implementation does not 
comply with the 'aud' claim specification. An 'aud' claim is optional. The 
current validation does not cater for the case when the 'aud' claim is optional, 
i.e. when no aud claims are present, the processing principal should be allowed 
to process if it so chooses.


> Allow JWT audience claims validation not RFC 7519 compliant
> -----------------------------------------------------------
>
>                 Key: CXF-7693
>                 URL: https://issues.apache.org/jira/browse/CXF-7693
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.2.4
>            Reporter: Jo Evans
>            Priority: Major
>
> Current JwtUtils.validateJwtAudienceRestriction implementation does not 
> comply with the 'aud' claim specification. An 'aud' claim is optional. The 
> current validation does not cater for the case when the 'aud' claim is 
> optional, i.e. when no aud claims are present, the processing principal should 
> be allowed to process if it so chooses.
>
> Should perhaps also consider allowing explicit audiences vs wildcards, i.e. 
> allowing a resource to also include all its sub-resources. This would reduce 
> the token size, which does not scale well if the token has to contain multiple 
> aud claims.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
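The 'aud' handling the issue asks for, written out as an added example in Python (not CXF's JwtUtils code and not the reporter's): the claim is optional per RFC 7519 section 4.1.3, but when present it must be a string or array of strings and must name the processing principal. The `require_audience` knob and the audience identifiers are assumptions made for the example; the sub-resource wildcard idea from the issue is deliberately not implemented, since exact matching is the RFC's rule.

```python
from typing import Iterable, Mapping


class AudienceError(ValueError):
    """The 'aud' claim does not allow this principal to process the token."""


def validate_audience(claims: Mapping[str, object], expected: Iterable[str],
                      require_audience: bool = True) -> None:
    """Apply the RFC 7519 section 4.1.3 rules for the 'aud' claim.

    'aud' is OPTIONAL. When present it is one case-sensitive string or an array
    of strings, and the processing principal MUST reject the token unless one
    value identifies it. When absent, accepting the token is the principal's own
    policy choice, modelled by `require_audience` (assumed, not a CXF setting).
    """
    if "aud" not in claims:
        if require_audience:
            raise AudienceError("no 'aud' claim present, but one is required")
        return  # absent claim: allowed only because the caller opted in

    aud = claims["aud"]
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud  # an empty array names no audience and is rejected below
    else:
        raise AudienceError("'aud' must be a string or an array of strings")

    # Exact, case-sensitive comparison; a single match is sufficient.
    if not set(expected).intersection(audiences):
        raise AudienceError(f"audiences {audiences} do not identify this principal")


def audience_accepted(claims: Mapping[str, object], expected: Iterable[str],
                      require_audience: bool = True) -> bool:
    # Boolean wrapper around validate_audience, handy for filters and tests.
    try:
        validate_audience(claims, expected, require_audience)
        return True
    except AudienceError:
        return False


if __name__ == "__main__":
    # Constructed claim sets standing in for decoded, signature-verified payloads.
    me = ["https://api.example.test/orders"]
    print(audience_accepted({"sub": "alice"}, me))                         # False
    print(audience_accepted({"sub": "alice"}, me, require_audience=False))  # True
    print(audience_accepted({"aud": ["https://other.test", me[0]]}, me))   # True
```

Note that a token whose 'aud' is only a prefix of the resource's identifier, or differs in case, is rejected: matching is exact, which is why the sub-resource shortcut in the issue would need its own carefully bounded rule rather than plain prefix matching.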
