Oliver Wulff created CXF-8686:
---------------------------------

             Summary: JWT role claim incorrectly parsed if not tokenized as string
                 Key: CXF-8686
                 URL: https://issues.apache.org/jira/browse/CXF-8686
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 3.5.1, 3.4.6
            Reporter: Oliver Wulff
             Fix For: 3.5.2, 4.0.0


The JwtTokenSecurityContext class expects a tokenized string for the role 
claim. If the JWT contains an array of strings to represent the roles the role 
claim is incorrectly parsed.

The following line shows that it always first tokenizes the array:

https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java#L48

Here is a snippet of the sample JWT:
{quote}
{
  "sub": "myid",
  "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",
  "iss": "STS INT",
  "roles": [
    "READ",
    "UPDATE"
  ],
  "iat": 1649079679,
  "nbf": 1649079679,
  "exp": 1649086879,
  "aud": [
    "urn:application:myapi"
  ]
}
{quote}


I propose to improve this logic so that both roles in a tokenized string as well as 
a proper array list are properly parsed.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

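The two claim shapes discussed above, as an added worked example that is not CXF's own JwtTokenSecurityContext code. It reconstructs the sample payload from the issue, mimics the reported behaviour (the claim is rendered to a string and tokenized, whatever its JSON type, modelled here on Java's List.toString() output, which is an assumption for illustration), and shows a parser that accepts a delimited string or a JSON array of strings and rejects anything else. The claim name "roles" comes from the sample JWT; the whitespace/comma delimiter set is an assumption, since the issue does not state which delimiter CXF tokenizes on. Signature verification is out of scope here and must still happen before any claim is trusted.

```python
import base64
import json
import re

# Claims constructed for this example from the sample JWT in the issue.
SAMPLE_CLAIMS = {
    "sub": "myid",
    "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",
    "iss": "STS INT",
    "roles": ["READ", "UPDATE"],
    "iat": 1649079679,
    "nbf": 1649079679,
    "exp": 1649086879,
    "aud": ["urn:application:myapi"],
}

# Assumed delimiter set for the "tokenized string" form, e.g. "READ UPDATE" or "READ,UPDATE".
TOKEN_DELIMITERS = re.compile(r"[\s,]+")


def encode_payload(claims: dict) -> str:
    """Base64url-encode a claims object as the payload segment of a JWT."""
    raw = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_payload(segment: str) -> dict:
    """Decode a JWT payload segment back into a claims object (padding restored)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def _java_style_to_string(value) -> str:
    """Render a claim the way Java's String.valueOf()/List.toString() would.
    Assumption used only to illustrate the reported behaviour."""
    if isinstance(value, list):
        return "[" + ", ".join(_java_style_to_string(v) for v in value) + "]"
    return str(value)


def roles_tokenized_only(claims: dict, claim_name: str = "roles") -> list:
    """The behaviour the issue reports: always tokenize the claim as a string.
    For an array claim this yields garbage tokens such as '[READ' and 'UPDATE]'."""
    raw = claims.get(claim_name)
    if raw is None:
        return []
    return [tok for tok in TOKEN_DELIMITERS.split(_java_style_to_string(raw)) if tok]


def roles_from_claim(claims: dict, claim_name: str = "roles") -> list:
    """Parse the role claim from either a delimited string or a JSON array of strings.

    Anything else (nested arrays, objects, numbers) is rejected rather than coerced,
    so a malformed claim fails closed instead of producing role names nobody issued.
    Empty tokens are dropped and duplicates removed, order preserved.
    """
    raw = claims.get(claim_name)
    if raw is None:
        return []
    if isinstance(raw, str):
        tokens = TOKEN_DELIMITERS.split(raw)
    elif isinstance(raw, list):
        if not all(isinstance(v, str) for v in raw):
            raise ValueError(f"claim {claim_name!r}: array elements must all be strings")
        tokens = raw
    else:
        raise ValueError(f"claim {claim_name!r}: expected string or array, got {type(raw).__name__}")

    roles = []
    for tok in tokens:
        tok = tok.strip()
        if tok and tok not in roles:
            roles.append(tok)
    return roles


def is_user_in_role(claims: dict, role: str, claim_name: str = "roles") -> bool:
    """Role check as a security context would perform it, on the parsed roles."""
    return role in roles_from_claim(claims, claim_name)


if __name__ == "__main__":
    decoded = decode_payload(encode_payload(SAMPLE_CLAIMS))
    print("tokenized only:", roles_tokenized_only(decoded))
    print("string or array:", roles_from_claim(decoded))
    print("UPDATE allowed:", is_user_in_role(decoded, "UPDATE"))
```

Running the block shows why the bug is more than cosmetic: with the array claim the tokenize-only path returns tokens like "[READ" and "UPDATE]", so every isUserInRole check on a correctly issued token fails, while the two-shape parser returns the intended roles for both the array form and a "READ UPDATE" or "READ,UPDATE" string.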