[ https://issues.apache.org/jira/browse/CXF-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16511301#comment-16511301 ]
Colm O hEigeartaigh commented on CXF-7760: ------------------------------------------ I think the problem is with the token itself. For example not using any CXF APIs: String part1 = "eyJraWQiOiI0cFpiZTRzaFFRR3paWEhiZUlsYkR2bUhPYzFcL0g2akg2b0JrM25VcmNaRT0iLCJhbGciOiJSUzI1NiJ9"; byte[] bytes = java.util.Base64.getDecoder().decode(part1); System.out.println(new String(bytes, StandardCharsets.UTF_8)); yields: {"kid":"4pZbe4shQQGzZXHbeIlbDvmHOc1\/H6jH6oBk3nUrcZE=","alg":"RS256"} Here you can see the forward slash in the kid is already encoded in the token. > JOSE: JwsCompactConsumer parsing headers issue > ---------------------------------------------- > > Key: CXF-7760 > URL: https://issues.apache.org/jira/browse/CXF-7760 > Project: CXF > Issue Type: Bug > Components: JAX-RS Security > Affects Versions: 3.1.13 > Reporter: Juan > Priority: Major > > When using the JwsCompactConsumer with a compact JWT whose kid contains a > slash, the json parser escapes it, which causes issues later on while > matching the kid to the one specified in the JWKS. For example: > Header: > { > "kid": "4pZbe4shQQGzZXHbeIlbDvmHOc1/H6jH6oBk3nUrcZE=", > "alg": "RS256" > } > > -- This message was sent by Atlassian JIRA (v7.6.3#76005)