Hello Nuxeo/Hyland Community,
I've been testing JWT authentication following the Nuxeo JWT documentation (https://doc.nuxeo.com/nxdoc/using-oauth2/#configuring-nuxeo-for-jwt-access) and noticed what appears to be a security concern regarding JWT assertion validation.
Current Behavior
When generating a JWT assertion for OAuth 2.0 token exchange, I can successfully obtain an access token even when using arbitrary or invalid values for the iss (issuer) and sub (subject) claims, as long as the JWT is properly signed with the nuxeo.jwt.secret.
For example:
{
  "iss": "random-issuer",
  "sub": "non-existent-user"
}
When this JWT (signed with the correct secret) is used to request an access token, Nuxeo accepts it and issues a valid token.
Expected Behavior (per RFC 7523)
According to RFC 7523 Section 3, the authorization server must:
Validate that the iss claim contains a unique identifier for a trusted entity
Validate that the sub claim identifies a legitimate principal/user
Questions
Is this the intended behavior? Should Nuxeo validate the iss and sub claims against registered OAuth2 clients or existing users?
Security implications: If someone gains access to nuxeo.jwt.secret, they can generate tokens for any arbitrary subject. Is there additional validation I’m missing?
RFC 7523 compliance: Is Nuxeo’s JWT implementation intended to be fully RFC 7523 compliant, or is it a simplified version for specific use cases?
Environment
Nuxeo version: NUXEO LTS PLATFORM 2025
Authentication method: JWT Bearer Token
Any clarification on the expected security model would be greatly appreciated. Thank you!
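The difference between the behaviour described in the post (signature-only acceptance) and the RFC 7523 Section 3 checks it asks about, as an added stand-alone example that is not Nuxeo's code and does not reflect how the Nuxeo JWT module is implemented. It uses only the Python standard library. The shared secret, the registered-client set (`TRUSTED_ISSUERS`), the user directory (`KNOWN_USERS`) and the audience URL are all constructed placeholders; in a real authorization server they would come from the OAuth2 client store and the user directory.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret standing in for nuxeo.jwt.secret; not a real value.
DEMO_SECRET = b"demo-shared-secret-not-a-real-key"

# Hypothetical registries (assumptions for this example): the set of OAuth2
# clients allowed to issue assertions, the users that may appear as subject,
# and the audience value the token endpoint expects to see in "aud".
TRUSTED_ISSUERS = {"my-registered-client"}
KNOWN_USERS = {"alice", "bob"}
EXPECTED_AUDIENCE = "https://nuxeo.example/oauth2/token"  # placeholder


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT so the two verifiers below can be exercised."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_signature_only(token: str, secret: bytes) -> dict:
    """The weak model the post describes: a valid HMAC is the only gate, so
    arbitrary iss/sub values are accepted. Returns the decoded claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_rfc7523(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Signature check plus the RFC 7523 Section 3 claim checks: iss must name a
    trusted entity, sub a known principal, aud must match this server, and
    exp must be present and in the future."""
    claims = verify_signature_only(token, secret)
    now = time.time() if now is None else now
    iss = claims.get("iss")
    if iss not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer: {iss!r}")
    sub = claims.get("sub")
    if sub not in KNOWN_USERS:
        raise ValueError(f"unknown subject: {sub!r}")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("missing or expired exp")
    return claims


def assertion_outcome(claims: dict, secret: bytes, now: float) -> str:
    """Convenience wrapper: mint an assertion and report how the strict verifier treats it."""
    try:
        verify_rfc7523(mint_hs256(claims, secret), secret, now=now)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    t = 1_700_000_000  # fixed "now" so the example is deterministic
    rogue = {"iss": "random-issuer", "sub": "non-existent-user", "aud": EXPECTED_AUDIENCE, "exp": t + 300}
    legit = {"iss": "my-registered-client", "sub": "alice", "aud": EXPECTED_AUDIENCE, "exp": t + 300}
    print("signature-only, rogue claims:", verify_signature_only(mint_hs256(rogue, DEMO_SECRET), DEMO_SECRET))
    print("rfc7523, rogue claims:", assertion_outcome(rogue, DEMO_SECRET, t))
    print("rfc7523, legit claims:", assertion_outcome(legit, DEMO_SECRET, t))
```

The point of the two verifiers side by side is the one raised in the post: a shared HMAC secret proves only that the assertion was produced by a holder of that secret, not who the issuer or subject is. Binding `iss` to a registered client and `sub` to a real principal, and requiring `aud` and `exp`, limits what a leaked secret can be used for and is what Section 3 of RFC 7523 asks an authorization server to do.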