[ELY-2714] Attempting to read address data from an OIDC id token caus…

…es ClassCastException
wildfly-security · Jan 30, 2024 · c004e80 · c004e80
1 parent 21c8315
commit c004e80
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 2 deletions.
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/IDToken.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/IDToken.java
@@ -20,10 +20,12 @@
 
 import static org.wildfly.security.http.oidc.ElytronMessages.log;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.json.JsonObject;
 import jakarta.json.JsonValue;
 
-import java.util.Map;
+import java.util.HashMap;
 
 import org.jose4j.jwt.JwtClaims;
 
@@ -163,7 +165,13 @@ public AddressClaimSet getAddress() {
         if (! (addressValueAsJson instanceof JsonObject)) {
             throw log.invalidTokenClaimValue();
         }
-        return new AddressClaimSet((Map<String, String>) addressValueAsJson);
+        HashMap<String, String> result;
+        try {
+            result = new ObjectMapper().readValue(addressValueAsJson.toString(), HashMap.class);
+        } catch (JsonProcessingException e) {
+            throw log.invalidTokenClaimValue();
+        }
+        return new AddressClaimSet(result);
     }
 
     /**

diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/IDTokenTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/IDTokenTest.java
@@ -0,0 +1,56 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2024 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.wildfly.security.http.oidc;
+
+import jakarta.json.Json;
+import jakarta.json.JsonObject;
+import org.jose4j.jwt.JwtClaims;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.wildfly.common.Assert.assertNotNull;
+
+/**
+ * Tests for ID Token.
+ */
+public class IDTokenTest {
+
+    @Test
+    public void testIDTokenWithAddressClaim() {
+        JwtClaims jwtClaims = new JwtClaims();
+        JsonObject jsonObject = Json.createObjectBuilder()
+                .add("address", Json.createObjectBuilder()
+                        .add("region", "US")
+                        .add("country", "New York")
+                        .add("locality", "NY")
+                        .add("postal_code", "10021"))
+                .build();
+        jwtClaims.setClaim("given_name", "Alice");
+        jwtClaims.setClaim("family_name", "Smith");
+        jwtClaims.setClaim("address", jsonObject.get("address"));
+        IDToken idToken = new IDToken(jwtClaims);
+        assertNotNull(idToken);
+        assertEquals("NY", idToken.getAddress().getLocality());
+        assertEquals("10021", idToken.getAddress().getPostalCode());
+        assertEquals("US", idToken.getAddress().getRegion());
+        assertEquals("New York", idToken.getAddress().getCountry());
+        assertEquals("Alice", idToken.getGivenName());
+        assertEquals("Smith", idToken.getFamilyName());
+    }
+}