Handle JWT checks with namespaced service tokens

http/handler.go

@@ -696,10 +696,17 @@ func requestAuth(core *vault.Core, r *http.Request, req *logical.Request) (*logi
 		// Also attach the accessor if we have it. This doesn't fail if it
 		// doesn't exist because the request may be to an unauthenticated
 		// endpoint/login endpoint where a bad current token doesn't matter, or
-		// a token from a Vault version pre-accessors.
+		// a token from a Vault version pre-accessors. We ignore errors for
+		// JWTs.
 		te, err := core.LookupToken(r.Context(), token)
-		if err != nil && strings.Count(token, ".") != 2 {
-			return req, err
+		if err != nil {
+			dotCount := strings.Count(token, ".")
+			// If we have two dots but the second char is a dot it's a vault
+			// token of the form s.SOMETHING.nsid, not a JWT
+			if dotCount != 2 ||
+				dotCount == 2 && token[1] == '.' {
+				return req, err
+			}
 		}
 		if err == nil && te != nil {
 			req.ClientTokenAccessor = te.Accessor

vault/wrapping.go

@@ -333,8 +333,12 @@ func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request)
 	}
 
 	// Check for it being a JWT. If it is, and it is valid, we extract the
-	// internal client token from it and use that during lookup.
-	if strings.Count(token, ".") == 2 {
+	// internal client token from it and use that during lookup. The second
+	// check is a quick check to verify that we don't consider a namespaced
+	// token to be a JWT -- namespaced tokens have two dots too, but Vault
+	// token types (for now at least) begin with a letter representing a type
+	// and then a dot.
+	if strings.Count(token, ".") == 2 && token[1] != '.' {
 		// Implement the jose library way
 		parsedJWT, err := squarejwt.ParseSigned(token)
 		if err != nil {