Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

unwanted "upd" claim in JWT - Oracle IDCS/IAM Domains having problems #5151

Open
FWiesner opened this issue Oct 11, 2022 · 2 comments · May be fixed by #9307 or #9640
Open

unwanted "upd" claim in JWT - Oracle IDCS/IAM Domains having problems #5151

FWiesner opened this issue Oct 11, 2022 · 2 comments · May be fixed by #9307 or #9640
Labels
2.x Issues for 2.x version branch enhancement New feature or request P4 security

Comments

@FWiesner
Copy link
Contributor

helidon/security/jwt/src/main/java/io/helidon/security/jwt/Jwt.java

Lines 273 to 275 in 84123e8

this.userPrincipal = JwtUtil.getString(payloadJson, "upn")
.or(() -> preferredUsername)
.or(() -> subject);

These lines enforce that a JWT contains the claim upd. Unfortunately it is impossible to suppress this behavior. When you look at https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/ClientAssertion.html, you see JWTs that Oracle IDCS/IAM Domains would expect. With the lines above the request will always fail as extra/unexpected claims lead to rejection
@tomas-langer
Copy link
Member

Currently the upn claim is always added to JWT created by Helidon. It will contain either upn claim, or preferred username, or subject (depending on what is configured when creating the JWT).
We do not have support for excluding claims from the generated JWT - this could be added to the builder, but when we create a JWT from JSON, we still set it from the other claims.

What could be done:

  • add a builder option "exclude claims", or "upn as configured"
  • add a method to JWT to return the configured upn, instead of the "guessed one"
  • when adding claims to serialized JWT, use the first option to either use the "guessed" upn or the explicitly configured one (which may not be present at all)

@tomas-langer tomas-langer added enhancement New feature or request security 2.x Issues for 2.x version branch labels Oct 11, 2022
@m0mus m0mus added the P3 label Oct 13, 2022
@m0mus m0mus added P4 and removed P3 labels Oct 13, 2022
@m0mus m0mus added this to Backlog Aug 12, 2024
@m0mus m0mus moved this to Low priority in Backlog Aug 12, 2024
@manger
Copy link

manger commented Oct 1, 2024

This unexpected, undesirable, and undocumented addition of a "upn" claim is an unnecessary blight on an otherwise decent JWT library. "upn" is not amongst the IANA standard claims. It is not in RFC 9068 JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens.

"upn" is defined in an Eclipse proposal for using JWTs with OpenID Connect.
But even there it explicitly says there are alternatives: "upn (or preferred_username or sub)".

A solution could be for Jwt.userPrincipal() to return the value of the "upn" claim if present, otherwise the "preferred_username" value if present, otherwise the "sub" value if present. And the Jwt constructors to set userPrincipal based solely on "upn".

@manger manger linked a pull request Oct 1, 2024 that will close this issue
Open
Captain1653 added a commit to Captain1653/helidon that referenced this issue Jan 8, 2025
@Captain1653
4.x: UPN claim should be optional (helidon-io#5151)
039a2e7
@Captain1653 Captain1653 linked a pull request Jan 8, 2025 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2.x Issues for 2.x version branch enhancement New feature or request P4 security
Projects
Backlog
Status: Low priority
Milestone
No milestone
4 participants
@FWiesner @manger @m0mus @tomas-langer