Version v5.2.0 is breaking our code about jwt HOT 11 CLOSED

I will try your suggestion above - thanks.

from jwt.

@cristaloleg thanks for the fix, it is not very intuitive for an optional header but it does work!

from jwt.

Hey, sorry for the trouble. That's an interesting case.

Can you clarify why your tokens don't have 'typ:"JWT"' ? (or another value if any)

Also https://datatracker.ietf.org/doc/html/rfc7519#section-5.1

from jwt.

Hi @cristaloleg The "typ" field in a JSON Web Token (JWT) is an optional field. According to the JWT specification (RFC 7519), it's used to specify the token type. However, it's not required, and many JWT implementations don't include it. So, maybe we should check the type only when it exists?

from jwt.

Yeah, that's another solution that came to my mind.

However, it looks very unintuitive 'cause sometimes it does a check and sometimes not.

from jwt.

Right now I see this as the simplest fix:

token, err := jwt.Parse(...) // or any other parse function from jwt
if err != nil {
    if !errors.Is(err, jwt.ErrNotJWTType) {
        // bad token data or bad signature or ...
    }
    // proper token BUT 'typ' field is not 'JWT'
}

from jwt.

Hi, I do not own the service that provides the token but as far as I can see the header only contains alg and kid.

from jwt.

Again, sorry for the trouble. I hope it didn't end up as an emergency.

Please confirm if the solution above works for you. If so, I will document that. Thanks!

from jwt.

Hi, unfortunately your suggestion does not work because the token is coming back as nil?

from jwt.

Ah, indeed, can you check this PR #148 ?

from jwt.

New minor version https://github.com/cristalhq/jwt/releases/tag/v5.3.0

from jwt.