Conversation

@namest504
Contributor

Fixed: #18092

The JwtTypeValidator was performing a case-sensitive check for the JWT typ header, which was a change from the behavior of the previous Nimbus JOSEObjectTypeVerifier.

This commit updates the JwtTypeValidator to be case-insensitive.
New test cases have been added to verify this change.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 24, 2025
@jzheaux jzheaux self-assigned this Oct 28, 2025
@jzheaux jzheaux added type: bug A general bug in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 28, 2025
@jzheaux jzheaux added this to the 7.0.0 milestone Oct 28, 2025
@jzheaux
Contributor

jzheaux commented Oct 28, 2025

It's important that we make sure we are following specs as well as providing a reasonable migration path. Checking the JWS RFC, it states (emphasis mine):

Per RFC 2045 [RFC2045], all media type values, subtype values, and parameter names are case insensitive.

So I agree that this is a bug and can be fixed in time for the 7.0 release. Thanks for spotting it, @namest504!
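As an added illustration of the behaviour the PR description and the RFC quote above call for (not code from Spring Security or from this PR), the following standalone Python validator parses the JOSE header of a compact JWS and compares the typ value case-insensitively. It also applies the "application/" shorthand rule from RFC 7515 section 4.1.9, which the thread does not discuss; the token builder and its header values are constructed samples.

```python
import base64
import json


def normalize_typ(value: str) -> str:
    """Canonical form of a "typ" media type for comparison.

    RFC 7515 4.1.9: a "typ" value without '/' is shorthand for
    "application/<value>"; RFC 2045 makes media type values case-insensitive.
    """
    value = value.strip()
    if "/" not in value:
        value = "application/" + value
    return value.lower()


def _b64url_decode(segment: str) -> bytes:
    # JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jws_header(token: str) -> dict:
    # The protected header is the first dot-separated segment of a compact JWS.
    return json.loads(_b64url_decode(token.split(".")[0]))


class JwtTypeValidator:
    """Accepts a JWT whose "typ" header matches an allowed type, case-insensitively."""

    def __init__(self, *allowed_types: str, allow_missing: bool = False):
        self._allowed = {normalize_typ(t) for t in allowed_types}
        self._allow_missing = allow_missing

    def validate(self, token: str) -> tuple[bool, str]:
        typ = jws_header(token).get("typ")
        if typ is None:
            return (self._allow_missing, "typ header absent")
        if not isinstance(typ, str):
            return (False, "typ header is not a string")
        if normalize_typ(typ) in self._allowed:
            return (True, "ok")
        return (False, f"unexpected typ {typ!r}")


def make_sample_jws(header: dict) -> str:
    """Constructed sample: header + empty payload + empty signature segment.

    Only the header is parsed by the validator; this is not a real credential.
    """
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg(header)}.{seg({})}."
```

A case-sensitive comparison such as `typ in allowed_types` would reject the first two sample headers below while accepting only an exact "JWT" spelling, which is the behaviour the PR removes.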

@jzheaux jzheaux force-pushed the namest504/fix-case-in-JwtTypeValidator branch from 1230e77 to e06dd94 October 28, 2025 17:22
@jzheaux jzheaux changed the base branch from main to 6.5.x October 28, 2025 17:37
@jzheaux jzheaux changed the title from "Fix sensitive case in JwtTypeValidator" to "typ values should not be case-sensitive in JwtTypeValidator" Oct 28, 2025
@jzheaux jzheaux modified the milestones: 7.0.0, 6.5.7 Oct 28, 2025
@jzheaux jzheaux merged commit 6501e97 into spring-projects:6.5.x Oct 28, 2025
17 of 19 checks passed
@jzheaux
Contributor

jzheaux commented Oct 28, 2025

Thanks, @namest504! This is now merged into 6.5.x (since that's where the bug was introduced) and main.

Successfully merging this pull request may close these issues.

JwtTypeValidator is case sensitive in 7.0-m3