cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shaleen Mishra (JIRA)" <>
Subject [jira] [Commented] (CXF-7110) Inflexible jwt audience restriction validation
Date Wed, 26 Oct 2016 21:11:58 GMT


Shaleen Mishra commented on CXF-7110:

What you mention is applicable for core grant types (auth code, client cred, password, refresh
token etc.) and that is implemented in AccessTokenService.checkAudience function. There, the
check is done against the preregistered audiences of a client. However the issue i have is
with one of the extension grant types - jwt assertion grant type, where the grant handler
validates the aud parameter (which was passed in jwt body) against the current request url.

> Inflexible jwt audience restriction validation
> ----------------------------------------------
>                 Key: CXF-7110
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.1.7
>         Environment: JVM 1.7, Ubuntu 14
>            Reporter: Shaleen Mishra
> JwtUtils.validateJwtAudienceRestriction checks the audience url matches the current request
url (from the context). This works only during development but is most likely to fail because
the actual url of the resource server may be behind the proxy or load balancer etc. e.g. The
actual request is sent to and the requester sends this string in the audience
parameter but the server actually serving the request may have a url like localhost:8080/oauth.
So the match fails. And thanks to the static util function, it can not be customized easily.

This message was sent by Atlassian JIRA

View raw message