[ELY-2714] Attempting to read address data from an OIDC id token caus…

…es ClassCastException
wildfly-security · Jan 30, 2024 · e0040e5 · e0040e5
1 parent 21c8315
commit e0040e5
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/IDToken.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/IDToken.java
@@ -20,10 +20,12 @@
 
 import static org.wildfly.security.http.oidc.ElytronMessages.log;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.json.JsonObject;
 import jakarta.json.JsonValue;
 
-import java.util.Map;
+import java.util.HashMap;
 
 import org.jose4j.jwt.JwtClaims;
 
@@ -163,7 +165,13 @@ public AddressClaimSet getAddress() {
         if (! (addressValueAsJson instanceof JsonObject)) {
             throw log.invalidTokenClaimValue();
         }
-        return new AddressClaimSet((Map<String, String>) addressValueAsJson);
+        HashMap<String, String> result;
+        try {
+            result = new ObjectMapper().readValue(addressValueAsJson.toString(), HashMap.class);
+        } catch (JsonProcessingException e) {
+            throw log.invalidTokenClaimValue();
+        }
+        return new AddressClaimSet(result);
     }
 
     /**

diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/IDTokenTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/IDTokenTest.java
@@ -0,0 +1,35 @@
+package org.wildfly.security.http.oidc;
+
+import jakarta.json.Json;
+import jakarta.json.JsonObject;
+import org.jose4j.jwt.JwtClaims;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.wildfly.common.Assert.assertNotNull;
+
+public class IDTokenTest {
+
+    @Test
+    public void testIDTokenWithAddressClaim() {
+        JwtClaims jwtClaims = new JwtClaims();
+        JsonObject jsonObject = Json.createObjectBuilder()
+                .add("address", Json.createObjectBuilder()
+                        .add("region", "US")
+                        .add("country", "New York")
+                        .add("locality", "NY")
+                        .add("postal_code", "10021"))
+                .build();
+        jwtClaims.setClaim("given_name", "Alice");
+        jwtClaims.setClaim("family_name", "Smith");
+        jwtClaims.setClaim("address", jsonObject.get("address"));
+        IDToken idToken = new IDToken(jwtClaims);
+        assertNotNull(idToken);
+        assertEquals("NY", idToken.getAddress().getLocality());
+        assertEquals("10021", idToken.getAddress().getPostalCode());
+        assertEquals("US", idToken.getAddress().getRegion());
+        assertEquals("New York", idToken.getAddress().getCountry());
+        assertEquals("Alice", idToken.getGivenName());
+        assertEquals("Smith", idToken.getFamilyName());
+    }
+}