SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Token validation in JwtAudienceValidator failing unexpectedly #293

Status: Closed (closed by newtork 4 years ago)

newtork commented 4 years ago

Observed in version 2.5.3

The following message is logged in a customer application at runtime:

c.s.c.s.t.validation.ValidationResults   : Jwt token with audience [uaa, sb-resourceRequest-dev-1!b7469, resourceRequest-dev-1!b7469] is not issued for these clientIds: [sb-resourceRequest-dev-1!b7469, resourceRequest-dev-1!b7469].

I did not debug the issue, but I found the following matching source code:

[image: screenshot of the referenced JwtAudienceValidator source]

I do not understand how the above message can be logged. From what I can tell, JwtAudienceValidator#validateDefault should return a non-null value, already in the first loop iteration. What do you think? Is there something else I should check for?

newtork commented 4 years ago

I just realized, you didn't use the lambda notation for the else statements. All else conditions are evaluated prematurely. This leads to misleading error messages.

nenaraab commented 4 years ago

hi @newtork

thanks for reporting and all the details! We also recognized and fixed it yesterday. https://github.com/SAP/cloud-security-xsuaa-integration/pull/290

The fix will be provided with version 2.7.3
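The remark about "lambda notation" above, and the fix it led to, come down to the difference between Optional.orElse(x) and Optional.orElseGet(() -> x) in Java: the argument of orElse is an ordinary expression, so it is evaluated before orElse is even called, whether or not the Optional is empty. The following is an added example and not code from the library or from anyone in this thread; it is a cut-down imitation of the validator's control flow, and the names ValidationResult, createValid, createInvalid and validateDefault are assumptions modelled on the log line in the issue rather than the real class. The audience and client id values are constructed to mirror that log line.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;

// Added example, not the library's code: a cut-down imitation of the
// JwtAudienceValidator control flow. ValidationResult, createInvalid and
// validateDefault are assumed names modelled on the issue's log line.
public class OptionalOrElseDemo {

    record ValidationResult(boolean valid, String description) {}

    // Counts how often an "invalid" result (and its log line) gets built.
    static int invalidResultsBuilt = 0;

    static ValidationResult createValid() {
        return new ValidationResult(true, "");
    }

    static ValidationResult createInvalid(String template, Object... args) {
        invalidResultsBuilt++;
        String message = String.format(template, args);
        System.err.println("LOG " + message); // the misleading line seen in the issue
        return new ValidationResult(false, message);
    }

    // First strategy: any configured client id present in "aud" is enough.
    static Optional<ValidationResult> validateDefault(Set<String> audiences, List<String> clientIds) {
        for (String clientId : clientIds) {
            if (audiences.contains(clientId)) {
                return Optional.of(createValid());
            }
        }
        return Optional.empty();
    }

    // Buggy shape: the argument of orElse is a plain method call, so Java
    // evaluates createInvalid(...) before orElse runs, even when validateDefault
    // already returned a present (valid) value. The valid result is still what
    // gets returned; only the log line is wrong.
    static ValidationResult validateEager(Set<String> audiences, List<String> clientIds) {
        return validateDefault(audiences, clientIds)
                .orElse(createInvalid(
                        "Jwt token with audience %s is not issued for these clientIds: %s.",
                        audiences, clientIds));
    }

    // Fixed shape: orElseGet takes a Supplier, so the lambda body only runs
    // when the Optional is actually empty.
    static ValidationResult validateLazy(Set<String> audiences, List<String> clientIds) {
        return validateDefault(audiences, clientIds)
                .orElseGet(() -> createInvalid(
                        "Jwt token with audience %s is not issued for these clientIds: %s.",
                        audiences, clientIds));
    }

    public static void main(String[] args) {
        // Constructed input mirroring the values in the reported log line.
        Set<String> audiences = Set.of("uaa", "sb-resourceRequest-dev-1!b7469", "resourceRequest-dev-1!b7469");
        List<String> clientIds = List.of("sb-resourceRequest-dev-1!b7469", "resourceRequest-dev-1!b7469");

        ValidationResult eager = validateEager(audiences, clientIds);
        System.out.println("eager: valid=" + eager.valid()
                + ", invalid results built=" + invalidResultsBuilt);

        invalidResultsBuilt = 0;
        ValidationResult lazy = validateLazy(audiences, clientIds);
        System.out.println("lazy:  valid=" + lazy.valid()
                + ", invalid results built=" + invalidResultsBuilt);

        // With no matching audience both variants build the invalid result,
        // which is the only case in which the log line should appear.
        invalidResultsBuilt = 0;
        ValidationResult rejected = validateLazy(Set.of("uaa"), clientIds);
        System.out.println("no match: valid=" + rejected.valid()
                + ", invalid results built=" + invalidResultsBuilt);
    }
}
```

Running main shows the point of the report: with the matching audiences, validateEager returns a valid result yet has already built and logged one "not issued for these clientIds" message, while validateLazy returns the same valid result without building any. Because orElse still returns the present value, the token is accepted in both shapes; the defect is a misleading diagnostic, which is what the reporter describes, and the same reasoning applies to any chained orElse(validateX(...).orElse(...)) where the inner calls have side effects such as logging.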