Issue (Open) - opened by FWiesner 2 years ago
Currently the "upn" claim is always added to JWTs created by Helidon. It will contain either the "upn" claim, or preferred username, or subject (depending on what is configured when creating the JWT).

We do not have support for excluding claims from the generated JWT - this could be added to the builder, but when we create a JWT from JSON, we still set it from the other claims.
What could be done:
"upn", instead of the "guessed one" "upn" or the explicitly configured one (which may not be present at all)

This unexpected, undesirable, and undocumented addition of a "upn" claim is an unnecessary blight on an otherwise decent JWT library. "upn" is not amongst the IANA standard claims. It is not in RFC 9068 JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens.
"upn" is defined in an Eclipse proposal for using JWTs with OpenID Connect. But even there it explicitly says there are alternatives: "upn (or preferred_username or sub)".
A solution could be for Jwt.userPrincipal() to return the value of the "upn" claim if present, otherwise the "preferred_username" value if present, otherwise the "sub" value if present. And the Jwt constructors to set userPrincipal based solely on "upn".
https://github.com/helidon-io/helidon/blob/84123e8caa7f6671efc396526404b2b39d0afbbf/security/jwt/src/main/java/io/helidon/security/jwt/Jwt.java#L273-L275
These lines enforce that a JWT contains the claim "upn". Unfortunately it is impossible to suppress this behavior. When you look at https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/ClientAssertion.html, you see the JWTs that Oracle IDCS/IAM Domains would expect. With the lines above, the request will always fail, as extra/unexpected claims lead to rejection.
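The two points made in this thread, the resolution order proposed for the principal name (return "upn" if present, otherwise "preferred_username", otherwise "sub", without writing anything back into the token) and the issue's observation that a strict verifier rejects a client assertion carrying an unexpected claim, as an added standalone example. This is not Helidon code and uses none of its API; the HS256 helpers, the demo key and the claim values are constructed here, and the allow-list is the required/optional client-assertion claim set from RFC 7523, not anything taken from the Oracle page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Resolution order proposed in the thread: explicit "upn" first, then the
# fallbacks. Resolution is read-only; no claim is ever added to the token.
PRINCIPAL_CLAIMS = ("upn", "preferred_username", "sub")

# Claims a client assertion may carry per RFC 7523 section 3 (iss, sub, aud,
# exp required; nbf, iat, jti optional). Constructed allow-list for this demo.
CLIENT_ASSERTION_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "nbf", "iat", "jti"})


def resolve_user_principal(claims: dict) -> Optional[str]:
    """Return the principal name from the first present, non-empty claim."""
    for name in PRINCIPAL_CLAIMS:
        value = claims.get(name)
        if isinstance(value, str) and value:
            return value
    return None


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes) -> str:
    """HS256-sign exactly the claims given; nothing is guessed or appended."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(token: str, key: bytes) -> dict:
    """Verify the HS256 signature and return the payload claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def unexpected_claims(claims: dict, allowed: frozenset) -> set:
    """Claims the receiver did not ask for; a strict verifier rejects on these."""
    return set(claims) - allowed


def demo() -> dict:
    """Build a clean client assertion and one with a 'guessed' upn added."""
    key = b"constructed-demo-key"          # constructed; never reuse in production
    now = int(time.time())
    assertion = {                           # constructed sample claim set
        "iss": "client-123",
        "sub": "client-123",
        "aud": "https://idp.example/token",
        "iat": now,
        "exp": now + 300,
        "jti": "n-0S6_WzA2Mj",
    }
    clean = decode_claims(encode_jwt(assertion, key), key)
    guessed = decode_claims(encode_jwt({**assertion, "upn": assertion["sub"]}, key), key)
    return {
        "principal_clean": resolve_user_principal(clean),      # "client-123" via sub
        "extra_clean": unexpected_claims(clean, CLIENT_ASSERTION_CLAIMS),      # set()
        "principal_guessed": resolve_user_principal(guessed),  # same name, via upn
        "extra_guessed": unexpected_claims(guessed, CLIENT_ASSERTION_CLAIMS),  # {"upn"}
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that the principal name is identical in both tokens, so a library gains nothing by materialising "upn"; the only observable difference is that the second token now carries a claim outside the allow-list, which is exactly what a strict client-assertion endpoint rejects. Running `unexpected_claims` against the receiver's documented claim set before sending is a cheap pre-flight check for any generated token.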