Skip to content

feat: Jwt -- don't force "upn" claim #9307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

feat: Jwt -- don't force "upn" claim #9307

wants to merge 1 commit into from

Conversation

@manger
Copy link

@manger manger commented Oct 1, 2024
edited
Loading

Description

Fixes #5151

Adjusts the Jwt class so that userPrincipal() returns the value of a upn, preferred_username, or sub claim in that order of preference; but the class does not automatically insert a upn claim whenever a preferred_username or sub is present. This means userPrincipal() returns a value to satisfy the Eclipse MicroProfile Interoperable JWT RBAC. But the Jwt class is still usable for use-cases beyond that very specific profile where a upn claims in not required, not desired, and may even be forbidden.

A upn claim can still be set.

Unit tests are added to confirm that Jwt.userPrincipal() falls back to sub if upn is absent; and to confirm that upn is no longer automatically (and unexpectedly) added just because sub is set.

All the existing unit tests still pass.

Documentation

The javadoc for Jwt.userPrincipal() and Jwt.Builder.userPrincipal(String) is adjusted.

@oracle-contributor-agreement
Copy link

oracle-contributor-agreement bot commented Oct 1, 2024

Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA).
The following contributors of this PR have not signed the OCA:

To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application.

When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated.

If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Required At least one contributor does not have an approved Oracle Contributor Agreement. label Oct 1, 2024
@romain-grecourt
Copy link
Contributor

romain-grecourt commented Oct 17, 2024
edited
Loading

@manger Do you intend on signing the contributor agreement ?

@manger
Copy link
Author

manger commented Oct 17, 2024

Yes, I intend to sign the contributor agreement. Just need to navigate the org processes to do so.

@Captain1653
Copy link
Contributor

Captain1653 commented Jan 5, 2025

I can create PR with these changes from my account if it's still needed. Can I do it?

@manger
Copy link
Author

manger commented Jan 6, 2025

Yes, please do that.
I would still like to sign the contributor agreement but the process has been delayed with got complications. Please fix the issue without this specific PR.

@Captain1653 Captain1653 mentioned this pull request Jan 8, 2025
Open
@Captain1653
Copy link
Contributor

Captain1653 commented Jan 8, 2025

@manger FYI #9640 .

Don't hesitate to write your comments/suggestions :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

OCA Required At least one contributor does not have an approved Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

unwanted "upd" claim in JWT - Oracle IDCS/IAM Domains having problems

4 participants

@manger @romain-grecourt @Captain1653 @c799878