jwt's People

Contributors

chris-rudmin, eecolor, iain-logan, jotsif

jwt's Issues

Support for RS256

Hi,
would you be interested in a PR which contains support for RS256?

Aud with a Seq[String]

An exception or error caused a run to abort: play.api.libs.json.JsArray.<init>(Lscala/collection/Seq;)V
java.lang.NoSuchMethodError: play.api.libs.json.JsArray.<init>(Lscala/collection/Seq;)V
at io.igl.jwt.Aud.<init>(Claims.scala:41)
at io.igl.jwt.Aud$.apply(Claims.scala:47)
....

Hello, I have used your library and I am trying to pass a Seq[String] to the aud claim, but the above error appears. I have tried with play json 2.6.0.

def createTokenWithRole(userName: String, role: Seq[String]): String = {
  val jwt = new DecodedJwt(Seq(Alg(Algorithm.HS256), Typ("JWT")), Seq(Iss(userName), Aud(role)))
  jwt.encodedAndSigned(secretKey)
}

Using Scala 2.12.3.

With dependencyOverrides ++= Set("com.typesafe.play" %% "play-json" % "2.6.7") in my sbt file, it works.

Optional private claims

The current implementation does not cater for optional claims.

As a result of the exchange that occurred in #2, the conclusion was drawn that support for optional claims is in fact desirable. As such, they will be implemented.

In the meantime, in #2 @luksow demonstrates a workaround that shows how optional claims can be achieved currently.

ES256 support

ES256 is one of the algorithms recommended for support by JWT implementations; it would be fantastic if we could use it here.

Update documentation: no need to include play-json in own build.sbt

You will need to add play-json as a dependency to your project when using private fields. Do this by adding the below line to your build.sbt file.

libraryDependencies ++= Seq("com.typesafe.play" %% "play-json" % "2.4.0")

It seems this library is already included in your build.sbt:

libraryDependencies ++= Seq(
  "com.typesafe.play" %% "play-json" % "2.4.0",
  "commons-codec" % "commons-codec" % "1.10",
  "org.scalatest" % "scalatest_2.11" % "2.2.4" % "test"
)

Nice library btw :-)

Unify the way character encoding is selected

There is a discrepancy between the encoding and decoding of JWTs when it comes to character encoding.

Encoding is always done in UTF-8; decoding, however, defaults to UTF-8 but can be set to other supported character encodings.

Some type that represents the character encoding to use will be created, an instance of which will be optionally provided when decoding and encoding a JWT. If no such argument is provided, we default to UTF-8.

decoding utf-8 claims

Hi,

The method DecodedJwt.validateEncodedJwt seems to handle utf-8 characters in the token incorrectly, decoding to the default character encoding instead.

I'm not sure, but I think the private def decodeBase64 here needs a "UTF-8" argument for the new String creation.

It would be even nicer for other people to have an option of what character encoding to use. But just utf-8 would be nice enough for me.

Thank you :)

Optional private claims

Hi,

I have problems implementing claims that are private and optional. What's the preferred way of doing it?

If I put them on the required list, validation fails if they're missing. If I put them on ignoredList, they don't appear in the decoded token.

Thanks!

Is the RS256 implementation complete/correct?

It looks like validateEncodedJwtWithEncodedSecret calls encodedSignature which ends up calling j.s.Signature.sign; this value is compared literally with the input signature value. This does not match the description of RS256 from the JWA spec:

Submit the JWS Signing Input, the JWS Signature, and the public key corresponding to the private key used by the signer to the RSASSA-PKCS1-V1_5-VERIFY algorithm using SHA-256 as the hash function.

I believe RSASSA-PKCS1-V1_5-VERIFY here corresponds to j.s.Signature.verify. The corresponding test that came with #14 should also be updated to use the public key part for verification.
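
An added example, not code from this issue or from the library: RS256 verification done with `java.security.Signature.verify` and only the public key, as the issue describes. The object name, key pair and claims are constructed for illustration; re-signing and comparing, by contrast, would require the verifier to hold the private key.

```scala
import java.nio.charset.StandardCharsets.{US_ASCII, UTF_8}
import java.security.{KeyPairGenerator, PrivateKey, PublicKey, Signature, SignatureException}
import java.util.Base64

object Rs256VerifyExample {
  private val enc = Base64.getUrlEncoder.withoutPadding
  private val dec = Base64.getUrlDecoder

  private def b64(json: String): String = enc.encodeToString(json.getBytes(UTF_8))

  // Signer: RSASSA-PKCS1-v1_5 with SHA-256 over "<header>.<payload>", private key only.
  def sign(signingInput: String, key: PrivateKey): String = {
    val signer = Signature.getInstance("SHA256withRSA")
    signer.initSign(key)
    signer.update(signingInput.getBytes(US_ASCII))
    enc.encodeToString(signer.sign())
  }

  // Verifier: needs only the public key; Signature.verify performs the check,
  // so nothing is re-signed and no signature strings are compared.
  def verify(token: String, key: PublicKey): Boolean = token.split('.') match {
    case Array(header, payload, sig) =>
      try {
        val verifier = Signature.getInstance("SHA256withRSA")
        verifier.initVerify(key)
        verifier.update((header + "." + payload).getBytes(US_ASCII))
        verifier.verify(dec.decode(sig))
      } catch {
        // Malformed base64url or a signature of the wrong length: reject.
        case _: IllegalArgumentException | _: SignatureException => false
      }
    case _ => false
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample data: throwaway key pair, header and claims.
    val gen = KeyPairGenerator.getInstance("RSA")
    gen.initialize(2048)
    val pair = gen.generateKeyPair()
    val header = b64("""{"alg":"RS256","typ":"JWT"}""")
    val input = header + "." + b64("""{"iss":"example-issuer"}""")
    val signature = sign(input, pair.getPrivate)
    val token = input + "." + signature
    val forged = header + "." + b64("""{"iss":"someone-else"}""") + "." + signature

    println(verify(token, pair.getPublic))  // genuine token
    println(verify(forged, pair.getPublic)) // payload changed, signature reused
  }
}
```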

Ignore Unknown Claim

I've encountered an issue today with the library and an unknown claim that is a bit related to #2 and #4.
The new Draft of JWT (https://tools.ietf.org/html/draft-ietf-oauth-amr-values-03) that came out last week adds a new claim that has already been implemented by a major vendor, namely auth0.

Suddenly all my APIs were rejecting a valid JWT token, which is not something that I would expect.

According to the specification, unknown claims should be ignored (https://tools.ietf.org/html/rfc7519):

The set of claims that a JWT must contain to be considered valid is
context dependent and is outside the scope of this specification.
Specific applications of JWTs will require implementations to
understand and process some claims in particular ways. However, in
the absence of such requirements, all claims that are not understood
by implementations MUST be ignored.

Is it something that you were aware of?

Support for scala 2.12.x

Can this library be used in a Scala 2.12.x environment?
When I tried to build a sample application with this lib, it couldn't be loaded from the build.sbt file.
Is there any solution or any plan to support 2.12.x?
