Error message for unmatched claim is ambiguous

Issue #361 resolved
Marco Vermeulen created an issue

Debugging unmatched claims on the server side is very confusing due to an ambiguous error message. The message currently reads as follows:

Rejected JWT: JWT "scope" claim doesn't match expected value: ["xxx.yyy:write"]

What this error message tells me is that the claim does not match an expected value of xxx.yyy:write. This is not correct, as the claim that is being verified is xxx.yyy:write, and does not refer to the expected value at all.

This had my colleagues and me going round in circles for quite some time 🙂

I’d like to raise a PR that will improve the logging. I would suggest having a more explicit error message, like for example:

Rejected JWT: JWT "scope" claim has value ["xxx.yyy:write"] but expected ["aaa.bbb:write"]

Are there any concerns/objections to making such a change?
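As an added example (not code from this issue or from the project it concerns), a minimal scope-claim check in Python that emits the message format proposed above, stating both the value the token carries and the value that was expected. The function names decode_payload, check_scope_claim and make_test_token are assumptions, and the token is a constructed, unsigned sample.

```python
import base64
import json
from typing import Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def decode_payload(token: str) -> dict:
    # Parses the claims set only. Signature verification must already have
    # passed before any claim check runs; it is out of scope for this example.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Rejected JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def check_scope_claim(claims: dict, expected: set) -> Optional[str]:
    """Return None when every expected scope is present, otherwise a rejection
    message that states both what the token carries and what was expected."""
    raw = claims.get("scope")
    want = json.dumps(sorted(expected))
    if raw is None:
        return f'Rejected JWT: JWT "scope" claim is missing, expected {want}'
    # Accept the space-delimited string form (RFC 8693) or a JSON array.
    actual = set(raw.split()) if isinstance(raw, str) else set(raw)
    if expected <= actual:
        return None
    have = json.dumps(sorted(actual))
    return f'Rejected JWT: JWT "scope" claim has value {have} but expected {want}'

def make_test_token(claims: dict) -> str:
    # Constructed, unsigned test token: the third segment is a placeholder,
    # so this token would fail signature verification in a real verifier.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder"

if __name__ == "__main__":
    token = make_test_token({"sub": "svc-a", "scope": "xxx.yyy:write"})
    print(check_scope_claim(decode_payload(token), {"aaa.bbb:write"}))
```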
