eric-maynard commented on code in PR #350:
URL: https://github.com/apache/polaris/pull/350#discussion_r1811155769


##########
polaris-service/src/main/java/org/apache/polaris/service/auth/JWTBroker.java:
##########
@@ -57,35 +58,53 @@ abstract class JWTBroker implements TokenBroker {
   @Override
   public DecodedToken verify(String token) {
     JWTVerifier verifier = JWT.require(getAlgorithm()).build();
-    DecodedJWT decodedJWT = verifier.verify(token);
+    try {
+      DecodedJWT decodedJWT = verifier.verify(token);
+      validateDecodedJWT(decodedJWT);
+      return new DecodedToken() {
+        @Override
+        public Long getPrincipalId() {
+          return decodedJWT.getClaim("principalId").asLong();
+        }
+
+        @Override
+        public String getClientId() {
+          return decodedJWT.getClaim("client_id").asString();
+        }
+
+        @Override
+        public String getSub() {
+          return decodedJWT.getSubject();
+        }
+
+        @Override
+        public String getScope() {
+          return decodedJWT.getClaim("scope").asString();
+        }
+      };
+
+    } catch (JWTVerificationException e) {
+      // Token verification can fail because of following reasons
+      // AlgorithmMismatchException - if the algorithm stated in the token's 
header it's not
+      // equal to the one defined in the JWTVerifier.
+      // SignatureVerificationException - if the signature is invalid.
+      // TokenExpiredException - if the token has expired.
+      // InvalidClaimException - if a claim contained a different value than 
the expected one.
+      throw new NotAuthorizedException(
+          "Failed to verify the token with cause %s and reason %s", 
e.getCause(), e.getMessage());
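Review bot: The message passed to `NotAuthorizedException` in the catch block embeds `e.getCause()` and `e.getMessage()`, so the caller presenting a rejected token is told which check failed (algorithm mismatch, bad signature, expiry, or claim value), assuming this message is returned in the HTTP response. That detail belongs in the server log rather than the response, and `e.getCause()` will often be null here, which renders as "cause null". I would log `e` through the class's logger (not visible in this hunk) and throw a fixed message, for example `throw new NotAuthorizedException("Failed to verify the token");`. Separately, `getPrincipalId()` returns `asLong()` on a claim that may be absent, so unless `validateDecodedJWT` (body not shown) already requires `principalId`, callers can receive null. The catch block and the rest of `verify` continue past the quoted hunk.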

Review Comment:
   +1 to adding the traceId to the error message


