[
https://issues.apache.org/jira/browse/CXF-7693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16431729#comment-16431729
]
Jo Evans commented on CXF-7693:
-------------------------------
Perhaps an extension to this implementation could be to add an annotation to
the specific CXF service bean which is scanned by the JwtAuthenticationFilter
and applied i.e. @JwtResource(expectedAudience="http://server.net/myresource")
- if it is not present, the resource is not protected by the aud claim?
> Allow JWT audience claims validation not RFC 7519 compliant
> -----------------------------------------------------------
>
> Key: CXF-7693
> URL: https://issues.apache.org/jira/browse/CXF-7693
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS Security
> Affects Versions: 3.2.4
> Reporter: Jo Evans
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 3.1.16, 3.2.5
>
>
> Current JwtUtils.validateJwtAudienceRestriction implementation does not
> comply with the 'aud' claim specification. An 'aud' claim is optional - the
> current validation does not cater for the case when the 'aud' claim is
> optional i.e. when no aud claims are present, the processing principal should
> be allowed to process if it so chooses.
>
> Should perhaps also consider allowing explicit audiences vs wildcards i.e.
> allowing a resource to also include all its sub-resources - this would reduce
> the token size which does not scale well if the token has to contain multiple
> aud claims.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
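An added illustration of the two points raised in this thread (an absent 'aud' claim accepted only where the resource opts in, and a parent-resource audience covering its sub-resources). This is example code, not CXF's JwtUtils or JwtAuthenticationFilter; the @JwtResource annotation and its allowMissingAudience attribute are assumed, following the comment above, and the claim values are constructed.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.List;

// Hypothetical annotation, as suggested in the comment; not part of CXF.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface JwtResource {
    String expectedAudience();
    // RFC 7519 makes 'aud' optional; the resource decides whether to accept tokens without it.
    boolean allowMissingAudience() default false;
}

public class AudienceCheck {

    // tokenAudiences is null or empty when the token carries no 'aud' claim.
    static boolean audienceAllowed(List<String> tokenAudiences, String expectedAudience,
                                   boolean allowMissingAudience) {
        if (tokenAudiences == null || tokenAudiences.isEmpty()) {
            // No 'aud' at all: accept only if this resource explicitly opted in.
            return allowMissingAudience;
        }
        for (String aud : tokenAudiences) {
            // Exact match, or the token names a parent resource that covers this one.
            // The "/" boundary stops ".../my" from matching ".../myresource".
            if (expectedAudience.equals(aud) || expectedAudience.startsWith(aud + "/")) {
                return true;
            }
        }
        // 'aud' is present but none of its values name this resource: reject.
        return false;
    }

    @JwtResource(expectedAudience = "http://server.net/myresource", allowMissingAudience = true)
    static class OptionalAudienceResource { }

    public static void main(String[] args) {
        JwtResource policy = OptionalAudienceResource.class.getAnnotation(JwtResource.class);
        // Constructed sample 'aud' values
        List<String> noAud = List.of();
        List<String> parentAud = List.of("http://server.net");
        List<String> otherAud = List.of("http://other.net/api");
        System.out.println(audienceAllowed(noAud, policy.expectedAudience(), policy.allowMissingAudience()));
        System.out.println(audienceAllowed(parentAud, "http://server.net/myresource/orders", false));
        System.out.println(audienceAllowed(otherAud, policy.expectedAudience(), policy.allowMissingAudience()));
    }
}
```

A parent audience such as "http://server.net" covers every resource below it, so the wildcard form trades token size for a broader grant and should be issued deliberately.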