JWT Assertion Security Concern - Missing Validation of iss and sub Claims

Slid31 — Mon, 01 Dec 2025 20:37:19 GMT

Hello Nuxeo/Hyland Community,

I've been testing JWT authentication following the Nuxeo JWT documentation (https://doc.nuxeo.com/nxdoc/using-oauth2/#configuring-nuxeo-for-jwt-access) and noticed what appears to be a security concern regarding JWT assertion validation.

Current Behavior
When generating a JWT assertion for OAuth 2.0 token exchange, I can successfully obtain an access token even when using arbitrary or invalid values for the iss (issuer) and sub (subject) claims, as long as the JWT is properly signed with the nuxeo.jwt.secret.
For example:
{
"iss": "random-issuer",
"sub": "non-existent-user"
}

When this JWT (signed with the correct secret) is used to request an access token, Nuxeo accepts it and issues a valid token.

Expected Behavior (per RFC 7523)
According to RFC 7523 Section 3, the authorization server must:

Validate that the iss claim contains a unique identifier for a trusted entity
Validate that the sub claim identifies a legitimate principal/user

Questions

Is this the intended behavior? Should Nuxeo validate the iss and sub claims against registered OAuth2 clients or existing users?
Security implications: If someone gains access to nuxeo.jwt.secret, they can generate tokens for any arbitrary subject. Is there additional validation I’m missing?
RFC 7523 compliance: Is Nuxeo’s JWT implementation intended to be fully RFC 7523 compliant, or is it a simplified version for specific use cases?

Environment

Nuxeo version: NUXEO LTS PLATFORM 2025
Authentication method: JWT Bearer Token

Any clarification on the expected security model would be greatly appreciated. Thank you!

topic JWT Assertion Security Concern - Missing Validation of iss and sub Claims in Nuxeo Forum

JWT Assertion Security Concern - Missing Validation of iss and sub Claims