[ https://issues.apache.org/jira/browse/CXF-8686?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh updated CXF-8686:
-------------------------------------
Fix Version/s: 3.5.2
(was: 3.5.3)
> JWT role claim incorrectly parsed if not tokenized as string
> ------------------------------------------------------------
>
> Key: CXF-8686
> URL: https://issues.apache.org/jira/browse/CXF-8686
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.4.6, 3.5.1
> Reporter: Oliver Wulff
> Priority: Major
> Fix For: 3.5.2, 4.0.0
>
> Attachments: image-2022-04-05-14-08-09-726.png
>
>
> The JwtTokenSecurityContext class expects a tokenized string for the role
> claim. If the JWT contains an array of strings to represent the roles, the
> role claim is incorrectly parsed.
> The following line shows that it always first tokenizes the array:
> [https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java#L48]
> Here is a snippet of the sample JWT:
>
> {\{{}}
> {{ "sub": "myid",}}
> {{ "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",}}
> {{ "iss": "STS INT",}}
> {{ "roles": [}}
> {{ "READ",}}
> {{ "UPDATE"}}
> {{ ],}}
> {{ "iat": 1649079679,}}
> {{ "nbf": 1649079679,}}
> {{ "exp": 1649086879,}}
> {{ "aud": [}}
> {{ "urn:mycompany:application:foo"}}
> {{ ]}}
> {{}}}
>
> I propose to improve this logic so that both roles in a tokenized string as well
> as a proper array list are properly parsed.
>
> Here is a snippet of the debugger. The above example ends up with two roles
> "[READ" and " UPDATE]".
>
> !image-2022-04-05-14-08-09-726.png!
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
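The following is an added illustration of the parsing problem described in the issue; it is not code from CXF or from the reporter. It assumes a hypothetical helper class that receives the "roles" claim value as a JSON parser would hand it over (a java.util.List for a JSON array, a String for a string claim). The "buggy" method reproduces the behaviour the report describes: converting the claim to a string and splitting on commas, which turns the array ["READ", "UPDATE"] into the two roles "[READ" and " UPDATE]", so that a role check for "READ" would not match. The second method handles both shapes, which is the behaviour the report proposes.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical helper written for this illustration; not CXF's JwtTokenSecurityContext.
public class RoleClaimParsing {

    // Reproduces the reported defect: the claim value is stringified and
    // split on commas regardless of whether it was a JSON array or a string.
    static List<String> buggyParseRoles(Object rolesClaim) {
        List<String> roles = new ArrayList<>();
        if (rolesClaim != null) {
            // List.toString() yields "[READ, UPDATE]", so the split produces
            // "[READ" and " UPDATE]" instead of "READ" and "UPDATE".
            for (String token : rolesClaim.toString().split(",")) {
                roles.add(token);
            }
        }
        return roles;
    }

    // Proposed handling: a JSON array contributes its elements directly,
    // while a comma-separated string is tokenized and each token trimmed.
    static List<String> parseRoles(Object rolesClaim) {
        if (rolesClaim == null) {
            return Collections.emptyList();
        }
        List<String> roles = new ArrayList<>();
        if (rolesClaim instanceof List) {
            for (Object element : (List<?>) rolesClaim) {
                if (element != null) {
                    String role = element.toString().trim();
                    if (!role.isEmpty()) {
                        roles.add(role);
                    }
                }
            }
        } else {
            for (String token : rolesClaim.toString().split(",")) {
                String role = token.trim();
                if (!role.isEmpty()) {
                    roles.add(role);
                }
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed claim values matching the shapes discussed in the report
        Object arrayClaim = List.of("READ", "UPDATE");   // JSON array form
        Object stringClaim = "READ, UPDATE";             // tokenized string form

        System.out.println("buggy, array claim : " + buggyParseRoles(arrayClaim));
        System.out.println("fixed, array claim : " + parseRoles(arrayClaim));
        System.out.println("fixed, string claim: " + parseRoles(stringClaim));

        // The practical consequence: with the buggy parsing a caller holding
        // the READ role is denied, because the stored role is "[READ".
        System.out.println("buggy contains READ: " + buggyParseRoles(arrayClaim).contains("READ"));
        System.out.println("fixed contains READ: " + parseRoles(arrayClaim).contains("READ"));
    }
}
```

Run with `javac RoleClaimParsing.java && java RoleClaimParsing`. The point to keep in mind on the defensive side is that a parsing mismatch like this fails closed for the array case (the mangled role names never match a configured role), so it shows up as unexpected 403 responses rather than as extra access; a regression test feeding both the array and the string form of the claim to the security context is the simplest guard against reintroducing it.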