fix(jans-auth-server): put in access_token and id_token jwt only explicitly requested and allowed claims by yuriyz · Pull Request #12848 · JanssenProject/jans
45-45: Good use of null-safe boolean utility.
Adding BooleanUtils for null-safe boolean checks at line 337 follows best practices and prevents potential NPEs when accessing configuration values.
224-224: LGTM! Improved variable scoping.
Moving the User user declaration inside the processing block tightens scope and improves code clarity, as the variable is only used within this context.
274-275: LGTM! Method calls properly gated and parameterized.
The method calls for setting claims from the JWT authorization request and the requested claims are now:
- Properly gated within the existing includeIdTokenClaims check
- Receiving the necessary client and scopes parameters for authorization validation
This implements defense-in-depth for claim inclusion.
334-339: LGTM! Proper gating mechanism for claim inclusion.
The updated method signature adds necessary parameters (client, scopes) for authorization validation, and the early guard ensures requested claims are not processed unless explicitly enabled via includeRequestedClaimsInIdToken. This is the primary defense against the PII leakage issue in #12839.
349-349: LGTM! Critical authorization validation added.
The validation check ensures that requested claims are only included if they are:
- Present in the client's allowed claims, OR
- Part of an authorized scope
This addresses the core security issue where claims were being included without verifying client authorization, as described in issue #12839.
353-353: LGTM! Safe trace logging for debugging.
The trace logs only include claim names (e.g., "email", "profile"), not the actual attribute values, which could contain PII. This provides useful debugging information while maintaining privacy and security.
Also applies to: 402-402
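The gating the comments above describe (feature flag checked null-safely, then each requested claim admitted only if it is in the client's allowed claims or covered by an authorized scope, with only claim names logged) can be illustrated in isolation. The class below is an added example written for this page, not code from the jans repository; the class, method and the scope-to-claims mapping are assumptions, and the sample input is constructed.

```java
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

// Added illustration of the claim-gating logic discussed in the review; hypothetical names, not jans code.
public class RequestedClaimsFilter {

    private static final Logger LOG = Logger.getLogger(RequestedClaimsFilter.class.getName());

    // Constructed sample: which claims each scope authorizes (standard OIDC scopes, assumed for this example).
    private static final Map<String, Set<String>> SCOPE_CLAIMS = Map.of(
            "profile", Set.of("name", "given_name", "family_name"),
            "email", Set.of("email", "email_verified"));

    /**
     * Returns the subset of requestedClaims that may be put into the id_token.
     *
     * @param includeRequestedClaimsInIdToken configuration flag; null is treated as false (null-safe guard)
     * @param requestedClaims                 claim names taken from the authorization request
     * @param clientAllowedClaims             claim names the client is explicitly allowed to receive
     * @param authorizedScopes                scopes granted for this authorization
     */
    public static Set<String> filterRequestedClaims(Boolean includeRequestedClaimsInIdToken,
                                                    Set<String> requestedClaims,
                                                    Set<String> clientAllowedClaims,
                                                    Set<String> authorizedScopes) {
        Set<String> admitted = new LinkedHashSet<>();

        // Early guard: requested claims are processed only when the feature is explicitly enabled.
        if (!Boolean.TRUE.equals(includeRequestedClaimsInIdToken)) {
            return admitted;
        }

        for (String claim : requestedClaims) {
            boolean allowed = clientAllowedClaims.contains(claim) || authorizedByScope(claim, authorizedScopes);
            if (allowed) {
                admitted.add(claim);
            } else {
                // Log the claim name only; attribute values are never written to the log.
                LOG.fine("Requested claim not authorized for client, skipping: " + claim);
            }
        }
        return admitted;
    }

    // A claim is scope-authorized if any granted scope maps to it.
    private static boolean authorizedByScope(String claim, Set<String> authorizedScopes) {
        for (String scope : authorizedScopes) {
            Set<String> claims = SCOPE_CLAIMS.get(scope);
            if (claims != null && claims.contains(claim)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample request: "address" is requested but neither allowed nor scope-covered.
        Set<String> requested = Set.of("email", "name", "address");
        Set<String> clientAllowed = Set.of("name");
        Set<String> scopes = Set.of("openid", "email");

        // Flag disabled (or unset): nothing is admitted, regardless of authorization.
        System.out.println(filterRequestedClaims(null, requested, clientAllowed, scopes));   // []

        // Flag enabled: "email" via scope, "name" via client allow-list, "address" dropped.
        System.out.println(filterRequestedClaims(true, requested, clientAllowed, scopes));   // [email, name] (order may vary)
    }
}
```

The two-step structure mirrors the review's points: the flag check is the first return, so an unset or false configuration short-circuits before any claim is examined, and the per-claim test is an OR of the two authorization sources rather than a single list lookup.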