Merge remote-tracking branch 'origin/6.5.x'

jzheaux · jzheaux · commit 4daf089e460c · 2025-10-28T12:08:53.000-06:00
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTypeValidator.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTypeValidator.java
@@ -72,8 +72,10 @@ public OAuth2TokenValidatorResult validate(Jwt token) {
 		if (this.allowEmpty && !StringUtils.hasText(typ)) {
 			return OAuth2TokenValidatorResult.success();
 		}
-		if (this.validTypes.contains(typ)) {
-			return OAuth2TokenValidatorResult.success();
+		for (String validType : this.validTypes) {
+			if (validType.equalsIgnoreCase(typ)) {
+				return OAuth2TokenValidatorResult.success();
+			}
 		}
 		return OAuth2TokenValidatorResult.failure(new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
 				"the given typ value needs to be one of " + this.validTypes,
diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTypeValidatorTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTypeValidatorTests.java
@@ -44,4 +44,12 @@ void constructorWhenCustomThenEnforces() {
 		assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();
 	}
 
+	@Test
+	void validateWhenTypHeaderHasDifferentCaseThenSuccess() {
+		Jwt.Builder jwt = TestJwts.jwt();
+		JwtTypeValidator validator = new JwtTypeValidator("at+jwt");
+		jwt.header(JoseHeaderNames.TYP, "AT+JWT");
+		assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -72,8 +72,10 @@ public OAuth2TokenValidatorResult validate(Jwt token) {`
`72`	`72`	`if (this.allowEmpty && !StringUtils.hasText(typ)) {`
`73`	`73`	`return OAuth2TokenValidatorResult.success();`
`74`	`74`	`}`
`75`		`- if (this.validTypes.contains(typ)) {`
`76`		`- return OAuth2TokenValidatorResult.success();`
	`75`	`+ for (String validType : this.validTypes) {`
	`76`	`+ if (validType.equalsIgnoreCase(typ)) {`
	`77`	`+ return OAuth2TokenValidatorResult.success();`
	`78`	`+ }`
`77`	`79`	`}`
`78`	`80`	`return OAuth2TokenValidatorResult.failure(new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,`
`79`	`81`	`"the given typ value needs to be one of " + this.validTypes,`
Original file line number	Diff line number	Diff line change
`@@ -44,4 +44,12 @@ void constructorWhenCustomThenEnforces() {`
`44`	`44`	`assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();`
`45`	`45`	`}`
`46`	`46`
	`47`	`+ @Test`
	`48`	`+ void validateWhenTypHeaderHasDifferentCaseThenSuccess() {`
	`49`	`+ Jwt.Builder jwt = TestJwts.jwt();`
	`50`	`+ JwtTypeValidator validator = new JwtTypeValidator("at+jwt");`
	`51`	`+ jwt.header(JoseHeaderNames.TYP, "AT+JWT");`
	`52`	`+ assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();`
	`53`	`+ }`
	`54`	`+`
`47`	`55`	`}`