Skip to content

JOSE Validators claim mandatoriness option #17004

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
FerencKemeny opened this issue Apr 27, 2025 · 5 comments
Closed

JOSE Validators claim mandatoriness option #17004

FerencKemeny opened this issue Apr 27, 2025 · 5 comments
Assignees
@jzheaux
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: enhancement A general enhancement

Comments

@FerencKemeny
Copy link

Expected Behavior

I would like to build a control in JwtTimestampValidator, JwtIssuerValidator and JwtAudienceValidator that mandatoriness of the specific JWT clause is specified. So that a required parameter can specify the same way like it is done in JwtIssuedAtValidator.

Current Behavior

The above mentioned validators are simply falling through with successful check when the given clause is missing form JWT. This may be a misleading behavior because validator is created for a reason. However it is understandable the claims are optional by the specification - in general.

Context

I would like to create the alternative that the implementor could control if the fields must be mandatory. Currently this could be achieved by adding multiple validators. It is more elegant to specify if the given validator requires the claim and make the validation fail if the claim is missing. So this way more strict and rigorous control could be built.
@FerencKemeny FerencKemeny added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Apr 27, 2025
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 28, 2025
@jzheaux jzheaux added this to the 7.0.x milestone Apr 28, 2025
@jzheaux
Copy link
Contributor

jzheaux commented Apr 28, 2025

Thanks for the suggestion, @FerencKemeny. I've added this to our Spring Security 7 roadmap.

@FerencKemeny FerencKemeny mentioned this issue May 2, 2025
Open
@jzheaux
Copy link
Contributor

jzheaux commented May 6, 2025

Note that JwtTypValidator has a method setAllowEmpty that may be of interest. This could be added to other validators. For backward compatibility in other vaildators, allowEmpty would be true by default.

@FerencKemeny
Copy link
Author

This could be added to other validators.

So do you mean you would like to see setAllowEmpty method implemented the same way as it is in JwtTypeValidator, instead of contructor parameters? It is true, number of JwtTimestampValidator constructors increased a bit this way. setAllowEmpty method may make it simpler.

I think this is more like code cleanness but backward compatibility. I did not change the original contructor signatures and their function.

Let me change as you suggested.

@FerencKemeny
Copy link
Author

@jzheaux Refactored with creating setAllowEmpty method.

@jzheaux
Copy link
Contributor

jzheaux commented May 7, 2025

Closing in favor of #17030

@jzheaux jzheaux closed this as completed May 7, 2025
@jzheaux jzheaux added the status: duplicate A duplicate of another issue label May 7, 2025
@jzheaux jzheaux self-assigned this May 7, 2025
@jzheaux jzheaux removed this from the 7.0.x milestone May 7, 2025
jzheaux pushed a commit to FerencKemeny/spring-security that referenced this issue May 9, 2025
@FerencKemeny @jzheaux
Polish JwtTimestampValidatorTests
5821cff 
This commit corrects the test that checks for both
nbf and exp missing. It also adds one for just exp
and on for just nbf.

Issue spring-projectsgh-17004

Signed-off-by: Ferenc Kemeny <[email protected]>
jzheaux pushed a commit to FerencKemeny/spring-security that referenced this issue May 9, 2025
@FerencKemeny @jzheaux
Support Requiring exp and nbf in JwtTimestampsValidator
36513ff 
Closes spring-projectsgh-17004

Signed-off-by: Ferenc Kemeny <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jzheaux @FerencKemeny