JwtIssuerValidator handles issuer (iss) claim values as Strings and URLs
- NimbusJwtDecoder uses claim set converters: issuer claim is converted to an URL object - JwtIssuerValidator (created by JwtValidators.createDefaultWithIssuer(String)) wraps a JwtClaimValidator<String> - because of different data types, equal() is always false This change allows both Strings and URLs as values of the issuer Closes gh-9136
This commit is contained in:
parent
a362ab53bc
commit
6486857462
|
@ -16,6 +16,8 @@
|
|||
|
||||
package org.springframework.security.oauth2.jwt;
|
||||
|
||||
import java.util.function.Predicate;
|
||||
|
||||
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
|
||||
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
|
||||
import org.springframework.util.Assert;
|
||||
|
@ -28,7 +30,7 @@ import org.springframework.util.Assert;
|
|||
*/
|
||||
public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
|
||||
|
||||
private final JwtClaimValidator<String> validator;
|
||||
private final JwtClaimValidator<Object> validator;
|
||||
|
||||
/**
|
||||
* Constructs a {@link JwtIssuerValidator} using the provided parameters
|
||||
|
@ -36,7 +38,9 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
|
|||
*/
|
||||
public JwtIssuerValidator(String issuer) {
|
||||
Assert.notNull(issuer, "issuer cannot be null");
|
||||
this.validator = new JwtClaimValidator(JwtClaimNames.ISS, issuer::equals);
|
||||
|
||||
Predicate<Object> testClaimValue = (claimValue) -> (claimValue != null) && issuer.equals(claimValue.toString());
|
||||
this.validator = new JwtClaimValidator<>(JwtClaimNames.ISS, testClaimValue);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -16,6 +16,9 @@
|
|||
|
||||
package org.springframework.security.oauth2.jwt;
|
||||
|
||||
import java.net.MalformedURLException;
|
||||
import java.net.URL;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
|
||||
|
@ -42,6 +45,13 @@ public class JwtIssuerValidatorTests {
|
|||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void validateWhenIssuerUrlMatchesThenReturnsSuccess() throws MalformedURLException {
|
||||
Jwt jwt = TestJwts.jwt().claim("iss", new URL(ISSUER)).build();
|
||||
|
||||
assertThat(this.validator.validate(jwt)).isEqualTo(OAuth2TokenValidatorResult.success());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void validateWhenIssuerMismatchesThenReturnsError() {
|
||||
Jwt jwt = TestJwts.jwt().claim(JwtClaimNames.ISS, "https://other").build();
|
||||
|
@ -49,6 +59,15 @@ public class JwtIssuerValidatorTests {
|
|||
assertThat(result.getErrors()).isNotEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void validateWhenIssuerUrlMismatchesThenReturnsError() throws MalformedURLException {
|
||||
Jwt jwt = TestJwts.jwt().claim(JwtClaimNames.ISS, new URL("https://other")).build();
|
||||
|
||||
OAuth2TokenValidatorResult result = this.validator.validate(jwt);
|
||||
|
||||
assertThat(result.getErrors()).isNotEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void validateWhenJwtHasNoIssuerThenReturnsError() {
|
||||
Jwt jwt = TestJwts.jwt().claim(JwtClaimNames.AUD, "https://aud").build();
|
||||
|
|
Loading…
Reference in New Issue