Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recommend getting the sub claim to guarantee uniqueness in the JsonWebToken.getName JavaDocs #332

Merged
merged 1 commit into from
May 20, 2024
Merged

Recommend getting the sub claim to guarantee uniqueness in the JsonWebToken.getName JavaDocs #332

merged 1 commit into from
May 20, 2024

Conversation

sberyozkin
Copy link
Contributor

@sberyozkin sberyozkin commented Apr 11, 2024
edited
Loading

My colleague spotted the problem, preferred_username is not unique, while JsonWebToken#getName talks about uniqueness.

This PR gently warns users that if they really need a unique principal identifier they should get a subject claim.
Ideally we'd remove any explicit mentioning of preferred_username - but it is hard to do right without possibly breaking a lot of user applications. May be in some basic cases it can be unique, but definitely not in the OIDC space

CC @ayoho

@sberyozkin sberyozkin added this to the MPJWT-2.2 milestone Apr 11, 2024
@sberyozkin sberyozkin requested a review from Emily-Jiang April 11, 2024 14:27
@sberyozkin sberyozkin changed the title Recommend getting the sub claim to guarantee uniquencess in the JsonWebToken.getName JavaDocs Recommend getting the sub claim to guarantee uniqueness in the JsonWebToken.getName JavaDocs Apr 11, 2024
@sberyozkin sberyozkin requested a review from starksm64 May 7, 2024 10:19
@sberyozkin sberyozkin merged commit 320ee3a into eclipse:main May 20, 2024
3 checks passed
@sberyozkin sberyozkin deleted the preferred_username_not_unique branch May 20, 2024 15:31
ayoho
ayoho reviewed May 20, 2024
View reviewed changes
api/src/main/java/org/eclipse/microprofile/jwt/JsonWebToken.java
Comment on lines +34 to +35
* Returns the unique name of this principal. The upn claim is checked first, the preferred_username claim is
* checked next, and finally, the sub claim is checked. Note that for guaranteed interoperability a upn claim should
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should consider adding a test in the TCK for this. Unless there's already one in there that I missed while looking just now.

@sberyozkin sberyozkin mentioned this pull request May 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ayoho ayoho ayoho left review comments

@starksm64 starksm64 starksm64 approved these changes

@Emily-Jiang Emily-Jiang Awaiting requested review from Emily-Jiang

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
MPJWT-2.2
Development

Successfully merging this pull request may close these issues.
3 participants
@sberyozkin @starksm64 @ayoho