CXF / CXF-7693

Allow JWT audience claims validation not RFC 7519 compliant


Details

- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.2.4
- Fix Version/s: 3.1.16, 3.2.5
- Component/s: JAX-RS Security
- Labels: None
- Estimated Complexity: Unknown

Description

The current JwtUtils.validateJwtAudienceRestriction implementation does not comply with the 'aud' claim specification. An 'aud' claim is optional - the current validation does not cater for the case when the 'aud' claim is absent, i.e. when no aud claims are present, the processing principal should be allowed to process the token if it so chooses.

Should perhaps also consider allowing explicit audiences vs wildcards, i.e. allowing a resource to also include all its sub-resources - this would reduce the token size, which does not scale well if the token has to contain multiple aud claims.
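As an added illustration (not CXF's own JwtUtils code), this is the RFC 7519 audience rule the description refers to, with a recipient-side switch for the optional-aud case; the audience URLs, claim maps and the `allowMissing` parameter are constructed for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

/** Audience check following RFC 7519 section 4.1.3 (added example, not CXF's JwtUtils). */
public final class AudienceCheck {

    /** Distinct outcomes so a caller can log why a token was rejected. */
    public enum Outcome { ACCEPTED, ACCEPTED_NO_AUD, REJECTED_NO_AUD, REJECTED_AUD_MISMATCH }

    /**
     * @param claims       decoded JWT payload; "aud" may be absent, a String, or a List of Strings
     * @param expectedAud  identifiers this recipient accepts for itself (constructed values below)
     * @param allowMissing whether this recipient chooses to process tokens with no "aud" claim
     */
    public static Outcome validateAudience(Map<String, Object> claims, List<String> expectedAud,
                                           boolean allowMissing) {
        Object aud = claims.get("aud");
        if (aud == null) {
            // "aud" is OPTIONAL: absence is an error only if this recipient requires it.
            return allowMissing ? Outcome.ACCEPTED_NO_AUD : Outcome.REJECTED_NO_AUD;
        }
        // The claim is either a single StringOrURI or an array of them; normalise to a list.
        List<?> audiences = (aud instanceof List) ? (List<?>) aud : Collections.singletonList(aud);
        for (Object a : audiences) {
            // Values are case-sensitive; the recipient must identify with at least one of them.
            if (expectedAud.contains(String.valueOf(a))) {
                return Outcome.ACCEPTED;
            }
        }
        // "aud" is present but names only other recipients: the token MUST be rejected.
        return Outcome.REJECTED_AUD_MISMATCH;
    }

    public static void main(String[] args) {
        List<String> me = Collections.singletonList("https://api.example.com/orders");
        Map<String, Object> noAud = Collections.singletonMap("sub", "alice");
        Map<String, Object> listAud = Collections.singletonMap("aud",
                Arrays.asList("https://other.example.com", "https://api.example.com/orders"));
        Map<String, Object> wrongAud = Collections.singletonMap("aud", "https://api.example.com/other");
        System.out.println("no aud, recipient allows it:  " + validateAudience(noAud, me, true));
        System.out.println("no aud, recipient requires it: " + validateAudience(noAud, me, false));
        System.out.println("aud list includes us:         " + validateAudience(listAud, me, false));
        System.out.println("aud names someone else:       " + validateAudience(wrongAud, me, true));
    }
}
```

The last case shows that the recipient-side switch only relaxes the absent-aud case; a present 'aud' that does not name this recipient is still rejected.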


People

- Assignee: coheigea Colm O hEigeartaigh
- Reporter: jomacdoe Jo Evans
