diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
index 43757c0268..298fb37bdd 100644
--- a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
@@ -24,7 +24,6 @@
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwtParser;
 import io.jsonwebtoken.security.WeakKeyException;
-import org.apache.commons.lang3.ObjectUtils;
 import org.apache.hc.core5.http.HttpHeaders;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -81,24 +80,19 @@ private JwtParser initParser(final String signingKey) {
     }

     private List extractSecurityRolesFromClaims(Claims claims) {
-        Object rolesObject = ObjectUtils.firstNonNull(claims.get("er"), claims.get("dr"));
-        List roles;
-
-        if (rolesObject == null) {
-            log.warn("This is a malformed On-behalf-of Token");
-            roles = List.of();
+        Object er = claims.get("er");
+        Object dr = claims.get("dr");
+        String rolesClaim = "";
+
+        if (er != null) {
+            rolesClaim = EncryptionDecryptionUtil.decrypt(encryptionKey, er.toString());
+        } else if (dr != null) {
+            rolesClaim = dr.toString();
         } else {
-            final String rolesClaim = rolesObject.toString();
-
-            // Extracting roles based on the compatbility mode
-            String decryptedRoles = rolesClaim;
-            if (rolesObject == claims.get("er")) {
-                decryptedRoles = EncryptionDecryptionUtil.decrypt(encryptionKey, rolesClaim);
-            }
-            roles = Arrays.stream(decryptedRoles.split(",")).map(String::trim).collect(Collectors.toList());
+            log.warn("This is a malformed On-behalf-of Token");
         }
-        return roles;
+        return Arrays.stream(rolesClaim.split(",")).map(String::trim).filter(s -> !s.isEmpty()).collect(Collectors.toUnmodifiableList());
     }

     private String[] extractBackendRolesFromClaims(Claims claims) {
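Review bot: The rewritten method still returns a raw `List` (context line `private List extractSecurityRolesFromClaims(Claims claims)`) even though the new return statement plainly produces a list of strings; declaring it `private List<String> extractSecurityRolesFromClaims(Claims claims)` removes an unchecked conversion at every call site. Replacing `Collectors.toList()` with `Collectors.toUnmodifiableList()` also changes the contract: a caller that mutated the returned roles list will now get an `UnsupportedOperationException`, which the commit does not mention, so this is worth confirming against the callers, which are outside this hunk. The `er` branch calls `EncryptionDecryptionUtil.decrypt` with no handling here, so a token whose `er` claim cannot be decrypted presumably propagates an exception rather than being logged the way the missing-claims case is; if that is intended, a comment such as `// decrypt failure propagates to the caller; only a token with neither claim is logged as malformed` would make the asymmetry explicit.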