[ https://issues.apache.org/jira/browse/CXF-7693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved CXF-7693.
--------------------------------------
    Resolution: Fixed

> Allow JWT audience claims validation not RFC 7519 compliant
> -----------------------------------------------------------
>
>                 Key: CXF-7693
>                 URL: https://issues.apache.org/jira/browse/CXF-7693
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.2.4
>            Reporter: Jo Evans
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.1.16, 3.2.5
>
>
> Current JwtUtils.validateJwtAudienceRestriction implementation does not 
> comply with the 'aud' claim specification. An 'aud' claim is optional - the 
> current validation does not cater for the case when the 'aud' claim is 
> optional i.e. when no aud claims are present, the processing principal should 
> be allowed to process if it so chooses.
>
> Should perhaps also consider allowing explicit audiences vs wildcards, i.e. 
> allowing a resource to also include all its sub-resources - this would reduce 
> the token size, which does not scale well if the token has to contain multiple 
> aud claims.
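As an added illustration of the RFC 7519 audience rule the report refers to (this is not CXF's JwtUtils code; `validate_audience` and the `allow_missing_aud` switch are names assumed for the example), the check below accepts a token without an 'aud' claim only when the processing principal has opted in, and otherwise requires one of its own identifiers to appear in the claim:

```python
# Added example, not CXF's own implementation. Assumes the token's signature
# has already been verified and its claims decoded into a dict.

def validate_audience(claims, expected_audiences, allow_missing_aud=False):
    """Return True if this principal may process the token.

    RFC 7519 section 4.1.3: 'aud' is OPTIONAL. When present it is a single
    string or an array of strings, and the principal MUST reject the token
    unless it identifies itself with one of the values. When absent the
    behaviour is application specific; here it is controlled by the
    hypothetical allow_missing_aud flag, which is what the report asks for.
    """
    aud = claims.get("aud")
    if aud is None:
        # Optional claim not present: only the configured policy decides.
        return allow_missing_aud
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        # Neither StringOrURI nor an array of them: treat as malformed.
        return False
    if not audiences:
        # An explicit empty array names no audience; it is not "absent".
        return False
    return any(a in expected_audiences for a in audiences)
```

The empty-array and malformed-claim branches are the cases a "treat missing aud as allowed" change must not accidentally widen.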



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)