chibenwa commented on code in PR #2744: URL: https://github.com/apache/james-project/pull/2744#discussion_r2167466513
########## server/protocols/jwt/src/main/java/org/apache/james/jwt/JwtTokenVerifier.java: ########## 
@@ -82,22 +121,28 @@ public Optional<String> verifyAndExtractLogin(String token) {
 }
 public <T> Optional<T> verifyAndExtractClaim(String token, String claimName, Class<T> returnType) {
- return jwtParsers.stream()
- .flatMap(parser -> verifyAndExtractClaim(token, claimName, returnType, parser).stream())
- .findFirst();
+ try {
+ // if the token contains a kid, verify only with the corresponding key (or fail)
+ return verifyAndExtractClaim(token, claimName, returnType, kidJwtParser);
+ } catch (NullPointerException npe) { // our own key locator throws NPE when there is no kid
+ // if token does not specify kid, fallback to trying all keys
+ return jwtParsers.stream()
+ .flatMap(parser -> verifyAndExtractClaim(token, claimName, returnType, parser).stream())
+ .findFirst();
+ }
 }
 private <T> Optional<T> verifyAndExtractClaim(String token, String claimName, Class<T> returnType, JwtParser parser) {
 try {
- Jws<Claims> jws = parser.parseClaimsJws(token);
+ Jws<Claims> jws = parser.parseSignedClaims(token);
 T claim = jws
- .getBody()
+ .getPayload()
 .get(claimName, returnType);
 if (claim == null) {
 throw new MalformedJwtException("'" + claimName + "' field in token is mandatory");
 }
 return Optional.of(claim);
- } catch (JwtException e) {
+ } catch (JwtException e) { // also if kid was given but our locator didn't find the corresponding key
Review Comment: DO we have a way to get this handled separately so that we get a meaningful exception when "kid was given but our locator didn't find the corresponding key" ?
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
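Review bot: The `catch (NullPointerException npe)` in the public verifyAndExtractClaim treats every NPE raised anywhere beneath `kidJwtParser` as "the token carries no kid" and silently falls back to trying all keys, so an unrelated null (a null `token`, a defect inside the locator, or a library-internal NPE) is not surfaced but instead widens the verification path, and the kid-pinning contract ends up depending on an implementation detail of the locator rather than on an explicit signal. Prefer a dedicated signal: have the locator throw a small purpose-built unchecked type (e.g. a constructed `MissingKidException`) and catch only that, `} catch (MissingKidException e) { // locator reports that the token has no kid header`, or inspect the header for a `kid` entry before choosing the parser so the common case needs no exception at all. If the NPE catch is kept for now, `npe` is unused and should be named `ignored` with the comment stating why an NPE is the expected signal. The private helper's catch body and the key-locator code lie outside this hunk.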