CXF-8686

JWT role claim incorrectly parsed if not tokenized as string


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.4.6, 3.5.1
    • Fix Version/s: 3.5.2, 4.0.0
    • Component/s: JAX-RS Security
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      The JwtTokenSecurityContext class expects a tokenized string for the role claim. If the JWT contains an array of strings to represent the roles, the role claim is incorrectly parsed.

      The following line shows that it always tokenizes the array first:

      https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java#L48

      Here is a snippet of the sample JWT:

       

      {
        "sub": "myid",
        "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",
        "iss": "STS INT",
        "roles": [
          "READ",
          "UPDATE"
        ],
        "iat": 1649079679,
        "nbf": 1649079679,
        "exp": 1649086879,
        "aud": [
          "urn:mycompany:application:foo"
        ]
      }

       

      I propose to improve this logic so that both roles in a tokenized string as well as a proper array list are properly parsed.

       

      Here is a snippet of the debugger. The above example ends up with two roles, "[READ" and " UPDATE]".
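The mangling reported above, reproduced in a stand-alone added example (this is illustrative code written for this page, not CXF's JwtTokenSecurityContext). It assumes, as the debugger values suggest, that the claim value is stringified and then split on ","; a java.util.List stringifies as "[READ, UPDATE]", which is exactly how "[READ" and " UPDATE]" arise. The second parser branches on the runtime type of the claim so that both a comma-separated string and a JSON array are handled, and any other shape yields no roles.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration, not CXF's own code: a "roles" claim that a JSON parser
// has already turned into a List is mangled when it is stringified and
// tokenized; the second parser accepts both representations explicitly.
public class RoleClaimParsing {

    // Buggy approach (assumed to mirror the reported behaviour): stringify the
    // claim value and split on ",". For a List, toString() yields
    // "[READ, UPDATE]", so the tokens carry the brackets and the leading space.
    static List<String> rolesByTokenizingOnly(Object claim) {
        if (claim == null) {
            return Collections.emptyList();
        }
        return Arrays.asList(claim.toString().split(","));
    }

    // Fixed approach: branch on the runtime type. A comma-separated string is
    // split and trimmed; a JSON array is copied element by element and only
    // string elements are accepted. Any other shape (number, object, null)
    // yields no roles, so an unexpected claim cannot grant anything.
    static List<String> rolesFromStringOrArray(Object claim) {
        List<String> roles = new ArrayList<>();
        if (claim instanceof String) {
            for (String token : ((String) claim).split(",")) {
                String role = token.trim();
                if (!role.isEmpty()) {
                    roles.add(role);
                }
            }
        } else if (claim instanceof List) {
            for (Object element : (List<?>) claim) {
                if (!(element instanceof String)) {
                    throw new IllegalArgumentException(
                        "roles array must contain only strings");
                }
                String role = ((String) element).trim();
                if (!role.isEmpty()) {
                    roles.add(role);
                }
            }
        }
        return roles;
    }

    // Exact-match role check of the kind a SecurityContext.isUserInRole performs.
    static boolean isUserInRole(List<String> roles, String role) {
        return roles.contains(role);
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the two claim shapes from the report.
        Object arrayClaim = Arrays.asList("READ", "UPDATE");
        Object stringClaim = "READ,UPDATE";

        System.out.println("tokenize-only, array claim: " + rolesByTokenizingOnly(arrayClaim));
        System.out.println("fixed, array claim:         " + rolesFromStringOrArray(arrayClaim));
        System.out.println("fixed, string claim:        " + rolesFromStringOrArray(stringClaim));
        System.out.println("READ granted (tokenize-only)? "
            + isUserInRole(rolesByTokenizingOnly(arrayClaim), "READ"));
        System.out.println("READ granted (fixed)?         "
            + isUserInRole(rolesFromStringOrArray(arrayClaim), "READ"));
    }
}
```

Because role checks compare exact strings, the mangled names "[READ" and " UPDATE]" never match "READ" or "UPDATE": the symptom of the bug is authorization being denied to a valid token, not granted, which is why it surfaces as a functional failure rather than a bypass. The fixed parser rejects non-string array elements outright instead of stringifying them, so a malformed claim fails closed too.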

       

      Attachments

        1. image-2022-04-05-14-08-09-726.png
          123 kB
          Oliver Wulff


People

    Assignee: coheigea Colm O hEigeartaigh
    Reporter: owulff Oliver Wulff