chibenwa commented on code in PR #2744:
URL: https://github.com/apache/james-project/pull/2744#discussion_r2167466513


##########
server/protocols/jwt/src/main/java/org/apache/james/jwt/JwtTokenVerifier.java:
##########
@@ -82,22 +121,28 @@ public Optional<String> verifyAndExtractLogin(String 
token) {
     }
 
     public <T> Optional<T> verifyAndExtractClaim(String token, String 
claimName, Class<T> returnType) {
-        return jwtParsers.stream()
-            .flatMap(parser -> verifyAndExtractClaim(token, claimName, 
returnType, parser).stream())
-            .findFirst();
+        try {
+            // if the token contains a kid, verify only with the corresponding 
key (or fail)
+            return verifyAndExtractClaim(token, claimName, returnType, 
kidJwtParser);
+        } catch (NullPointerException npe) { // our own key locator throws NPE 
when there is no kid
+            // if token does not specify kid, fallback to trying all keys
+            return jwtParsers.stream()
+                .flatMap(parser -> verifyAndExtractClaim(token, claimName, 
returnType, parser).stream())
+                .findFirst();
+        }
     }
 
     private <T> Optional<T> verifyAndExtractClaim(String token, String 
claimName, Class<T> returnType, JwtParser parser) {
         try {
-            Jws<Claims> jws = parser.parseClaimsJws(token);
+            Jws<Claims> jws = parser.parseSignedClaims(token);
             T claim = jws
-                .getBody()
+                .getPayload()
                 .get(claimName, returnType);
             if (claim == null) {
                 throw new MalformedJwtException("'" + claimName + "' field in 
token is mandatory");
             }
             return Optional.of(claim);
-        } catch (JwtException e) {
+        } catch (JwtException e) { // also if kid was given but our locator 
didn't find the corresponding key
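Review bot: Using NullPointerException as the "no kid in header" signal is fragile control flow: any NPE raised anywhere inside parseSignedClaims (a null token, a null returnType, a bug in the locator itself) is swallowed by the same catch and silently triggers the try-every-key fallback, so a programming error widens verification instead of failing. Have the key locator throw a dedicated JwtException subclass for the missing-kid case (or read the header's kid before choosing a parser) and catch that type here; with a second dedicated type for "kid present but no matching key", the generic `catch (JwtException e)` at the bottom of the hunk no longer collapses that case into the same branch as a bad signature, and it can be logged with its own message rather than only the `// also if kid was given ...` comment. The fallback branch should also log that a kid-less token was accepted after trying all keys, since that path is the only one where more than one key is exercised.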

Review Comment:
   Do we have a way to get this handled separately so that we get a meaningful exception when "kid was given but our locator didn't find the corresponding key"?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
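The question raised in the comment above, whether a token whose kid matches no configured key can fail with its own meaningful exception instead of a generic JwtException, can be answered inside the key locator rather than by catching NullPointerException. The following is an added example written for this page; it is not Apache James code and does not reproduce the project's JwtTokenVerifier. It assumes jjwt 0.12 (the parseSignedClaims/getPayload API the hunk migrates to) and HMAC keys held in a Map keyed by kid; the class names, exception names and the key map are all hypothetical.

```java
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.LocatorAdapter;
import io.jsonwebtoken.ProtectedHeader;

import java.security.Key;
import java.util.Map;
import java.util.Optional;
import javax.crypto.SecretKey;

// Added example, not Apache James code. Assumes jjwt 0.12.x; the key map,
// class names and exception names are hypothetical.
public class KidAwareVerifier {

    /** Header carries no kid: the caller may fall back to trying every configured key. */
    static final class MissingKidException extends JwtException {
        MissingKidException() {
            super("token has no 'kid' header");
        }
    }

    /** Header carries a kid that matches no configured key: fail closed with a clear reason. */
    static final class UnknownKidException extends JwtException {
        UnknownKidException(String kid) {
            super("no verification key configured for kid '" + kid + "'");
        }
    }

    /** Resolves kid -> key. jjwt propagates whatever the locator throws out of parseSignedClaims(). */
    static final class KidLocator extends LocatorAdapter<Key> {
        private final Map<String, SecretKey> keysById;

        KidLocator(Map<String, SecretKey> keysById) {
            this.keysById = keysById;
        }

        @Override
        protected Key locate(ProtectedHeader header) {
            String kid = header.getKeyId();
            if (kid == null) {
                throw new MissingKidException();
            }
            SecretKey key = keysById.get(kid);
            if (key == null) {
                throw new UnknownKidException(kid);
            }
            return key;
        }
    }

    private final Map<String, SecretKey> keysById;
    private final JwtParser kidParser;

    KidAwareVerifier(Map<String, SecretKey> keysById) {
        this.keysById = keysById;
        this.kidParser = Jwts.parser().keyLocator(new KidLocator(keysById)).build();
    }

    /**
     * kid present and known: verify against that key only.
     * kid absent: try every configured key (the behaviour of the patch's fallback branch).
     * kid present but unknown: surface the dedicated exception instead of a bare Optional.empty().
     */
    Optional<String> verifyAndExtractSubject(String token) {
        try {
            return Optional.ofNullable(kidParser.parseSignedClaims(token).getPayload().getSubject());
        } catch (MissingKidException e) {
            return keysById.values().stream()
                .flatMap(key -> verifyWith(token, key).stream())
                .findFirst();
        } catch (UnknownKidException e) {
            throw e; // keep the reason visible to the caller and logs; never fall back to all keys
        } catch (JwtException e) {
            return Optional.empty(); // bad signature, expired, malformed, ...
        }
    }

    private static Optional<String> verifyWith(String token, SecretKey key) {
        try {
            return Optional.ofNullable(Jwts.parser().verifyWith(key).build()
                .parseSignedClaims(token).getPayload().getSubject());
        } catch (JwtException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample keys and tokens for the three cases.
        SecretKey k1 = Jwts.SIG.HS256.key().build();
        SecretKey k2 = Jwts.SIG.HS256.key().build();
        KidAwareVerifier verifier = new KidAwareVerifier(Map.of("k1", k1, "k2", k2));

        String withKid = Jwts.builder().header().keyId("k2").and().subject("alice").signWith(k2).compact();
        String noKid = Jwts.builder().subject("bob").signWith(k1).compact();
        String badKid = Jwts.builder().header().keyId("k9").and().subject("mallory").signWith(k1).compact();

        System.out.println("kid k2:  " + verifier.verifyAndExtractSubject(withKid));
        System.out.println("no kid:  " + verifier.verifyAndExtractSubject(noKid));
        try {
            verifier.verifyAndExtractSubject(badKid);
        } catch (UnknownKidException e) {
            System.out.println("kid k9:  rejected, " + e.getMessage());
        }
    }
}
```

Because both custom exceptions extend JwtException, they must be caught before the generic `catch (JwtException e)`; the UnknownKidException catch exists only so that the generic catch does not swallow it. Note that the kid-less fallback is the only path that exercises more than one key, so it is the one worth logging in a real deployment.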

