This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch 3.9.x in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 7bdb306040d2adafd36028e8c31909f54d765e59
Author: Benoit TELLIER <[email protected]>
AuthorDate: Mon Jan 19 16:49:49 2026 +0100
[ENHANCEMENT] OIDC SASL only validate aud upon token verification
---
 .../java/org/apache/james/jwt/OidcJwtTokenVerifier.java | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcJwtTokenVerifier.java b/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcJwtTokenVerifier.java
index eb3cb45805..78dd244430 100644
--- a/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcJwtTokenVerifier.java
+++ b/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcJwtTokenVerifier.java
@@ -21,7 +21,6 @@ package org.apache.james.jwt;
 import java.net.URL;
 import java.util.Optional;
-import java.util.function.Predicate;
 import org.apache.james.core.Username;
 import org.apache.james.jwt.introspection.IntrospectionEndpoint;
@@ -91,27 +90,12 @@ public class OidcJwtTokenVerifier {
 .flatMap(optional -> optional.map(Mono::just).orElseGet(Mono::empty))
 .flatMap(claimResult -> Mono.from(CHECK_TOKEN_CLIENT.introspect(introspectionEndpoint, jwtToken))
 .filter(TokenIntrospectionResponse::active)
- .filter(validateAud())
 .filter(tokenIntrospectionResponse -> tokenIntrospectionResponse.claimByPropertyName(oidcSASLConfiguration.getClaim())
 .map(claim -> claim.equals(claimResult))
 .orElse(false))
 .map(activeResponse -> claimResult));
 }
- private Predicate<TokenIntrospectionResponse> validateAud() {
- return oidcSASLConfiguration.getAud()
- .map(this::validateAud)
- .orElse(any -> true);
- }
-
- private Predicate<TokenIntrospectionResponse> validateAud(String expectedAud) {
- return token -> {
- boolean result = token.aud().map(expectedAud::equals).orElse(false);
- LOGGER.warn("Wrong aud. Expected {} got {}", expectedAud, token.aud());
- return result;
- };
- }
-
 @VisibleForTesting
 Publisher<String> verifyWithUserinfo(String jwtToken, URL userinfoEndpoint) {
 return Mono.fromCallable(() -> verifySignatureAndExtractClaim(jwtToken))
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
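Review bot: With `.filter(validateAud())` removed, the introspection chain accepts any response that is active and carries the configured claim, so the audience of an introspected token is no longer checked here; that is only safe if the preceding step (presumably `verifySignatureAndExtractClaim`, which produces `claimResult` and starts before this hunk) enforces `oidcSASLConfiguration.getAud()` on the JWT itself, and nothing in the hunk records that. A reader of this method cannot see where audience enforcement lives, so suggest a comment on the `.flatMap(claimResult -> Mono.from(CHECK_TOKEN_CLIENT.introspect(...))` line: `// aud is checked during signature verification; introspection only confirms the token is active and that its claim matches`. If `getAud()` is now consulted only on the signature path, the configuration option's documentation should state that the audience check applies to the JWT claims and not to the introspection response. The enclosing method begins outside the hunk.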
