iain-logan / jwt
A Scala implementation of the JWT specification
License: MIT License
Hi,
Would you be interested in a PR which contains support for RS256?
An exception or error caused a run to abort: play.api.libs.json.JsArray.<init>(Lscala/collection/Seq;)V
java.lang.NoSuchMethodError: play.api.libs.json.JsArray.<init>(Lscala/collection/Seq;)V
at io.igl.jwt.Aud.<init>(Claims.scala:41)
at io.igl.jwt.Aud$.apply(Claims.scala:47)
...
Hello, I have used your library and I am trying to pass a Seq[String] to the aud claim, but the above error appears. I have tried with play-json 2.6.0.
def createTokenWithRole(userName: String, role: Seq[String]): String = {
  // header: HS256 algorithm, JWT type; claims: issuer plus a multi-valued audience
  val jwt = new DecodedJwt(
    Seq(Alg(Algorithm.HS256), Typ("JWT")),
    Seq(Iss(userName), Aud(role)))
  jwt.encodedAndSigned(secretKey)
}
Using Scala 2.12.3 with
dependencyOverrides ++= Set("com.typesafe.play" %% "play-json" % "2.6.7")
in my sbt file it works.
The current implementation does not cater for optional claims.
As a result of the exchange that occurred in #2, the conclusion was drawn that support for optional claims is in fact desirable. As such, they will be implemented.
In the meantime, in #2 @luksow demonstrates a workaround that shows how optional claims can be achieved currently.
ES256 is one of the algorithms recommended for support by JWT implementations; it would be fantastic if we could use it here.
You will need to add play-json as a dependency to your project when using private fields. Do this by adding the below line to your build.sbt file.
libraryDependencies ++= Seq("com.typesafe.play" %% "play-json" % "2.4.0")
It seems this library is already included in your build.sbt:
libraryDependencies ++= Seq(
"com.typesafe.play" %% "play-json" % "2.4.0",
"commons-codec" % "commons-codec" % "1.10",
"org.scalatest" % "scalatest_2.11" % "2.2.4" % "test"
)
Nice library btw :-)
There is a discrepancy between the encoding and decoding of JWTs when it comes to character encoding.
Encoding is always done in UTF-8, decoding however defaults to UTF-8 but can be set to other supported character encodings.
Some type that represents the character encoding to use will be created, an instance of which will be optionally provided when decoding and encoding a JWT. If no such argument is provided, we default to UTF-8.
Hi,
The method DecodedJwt.validateEncodedJwt seems to handle UTF-8 characters in the token incorrectly, decoding to the default character encoding instead.
I'm not sure, but I think the private def decodeBase64 here needs a "UTF-8" argument for the new String creation.
It would be even nicer for other people to have the option of which character encoding to use. But just UTF-8 would be nice enough for me.
Thank you :)
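The charset problem described in the issue above, as an added example in Scala (not the library's own code): a hypothetical decodeBase64Default mirrors what the issue reports, new String(bytes) falling back to the JVM default charset, beside the UTF-8 fix the issue proposes and the caller-chosen-charset variant it also mentions. Only JDK APIs are used; the claims set is a constructed sample.

```scala
import java.nio.charset.{Charset, StandardCharsets}
import java.util.Base64

// Added example, not code from the jwt library. It shows why a base64url-decoded
// JWT segment must be turned into a String as UTF-8 rather than with the JVM's
// default charset, which is what the issue above reports.
object Base64UrlCharset {
  private val decoder = Base64.getUrlDecoder
  private val encoder = Base64.getUrlEncoder.withoutPadding

  // Hypothetical stand-in for the library's private decodeBase64 as the issue
  // describes it: new String(bytes) uses Charset.defaultCharset(), which is
  // platform dependent and not guaranteed to be UTF-8.
  def decodeBase64Default(segment: String): String =
    new String(decoder.decode(segment))

  // The fix the issue suggests: always decode as UTF-8, which is the encoding
  // RFC 7519 specifies for the claims set.
  def decodeBase64Utf8(segment: String): String =
    new String(decoder.decode(segment), StandardCharsets.UTF_8)

  // The extension the issue mentions: let the caller pick the charset.
  def decodeBase64(segment: String, charset: Charset): String =
    new String(decoder.decode(segment), charset)

  def main(args: Array[String]): Unit = {
    // Constructed claims set containing non-ASCII characters.
    val claims = """{"iss":"example","name":"Ødegård"}"""
    val segment = encoder.encodeToString(claims.getBytes(StandardCharsets.UTF_8))

    println(s"JVM default charset: ${Charset.defaultCharset()}")
    println(s"default-charset decode: ${decodeBase64Default(segment)}")
    // Simulate a JVM whose default charset is ISO-8859-1: each two-byte UTF-8
    // sequence (for Ø and å) comes back as two Latin-1 characters.
    println(s"ISO-8859-1 decode:      ${decodeBase64(segment, StandardCharsets.ISO_8859_1)}")

    assert(decodeBase64Utf8(segment) == claims)
    assert(decodeBase64(segment, StandardCharsets.ISO_8859_1) != claims)
  }
}
```

The explicit ISO-8859-1 call stands in for a JVM whose default charset is not UTF-8, so the mangling is reproducible on any machine; whether decodeBase64Default itself mangles the claims depends on the machine it runs on, which is exactly the defect.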
Hi,
I have problems implementing claims that are private and optional. What's the preferred way of doing it?
If I put them on the required list, validation fails if they're missing. If I put them on the ignored list, they don't appear in the decoded token.
Thanks!
Hi, how far along is the Scala 2.12 support? How can I help?
It looks like validateEncodedJwtWithEncodedSecret calls encodedSignature, which ends up calling j.s.Signature.sign; this value is compared literally with the input signature value. This does not match the description of RS256 from the JWA spec:
Submit the JWS Signing Input, the JWS Signature, and the public key corresponding to the private key used by the signer to the RSASSA-PKCS1-V1_5-VERIFY algorithm using SHA-256 as the hash function.
I believe RSASSA-PKCS1-V1_5-VERIFY here corresponds to j.s.Signature.verify. The corresponding test that came with #14 should also be updated to use the public key part for verification.
The signature comparison is vulnerable to timing attacks. You need to use a constant time comparison. See http://codahale.com/a-lesson-in-timing-attacks/ for more info.
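The two verification points raised in the preceding issues, RS256 verification through j.s.Signature.verify with the public key and a constant-time comparison for the HMAC case, as one added Scala example that is not the library's code. The object and function names are hypothetical; Signature, Mac and MessageDigest.isEqual are standard JDK APIs; the header, payload, key pair and secret are constructed for the demonstration.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.{KeyPairGenerator, MessageDigest, PrivateKey, PublicKey, Signature, SignatureException}
import java.util.Base64
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import scala.util.Try

// Added example, not code from the jwt library. Names are hypothetical; the
// cryptographic calls are plain JCA.
object JwsVerify {
  private val encoder = Base64.getUrlEncoder.withoutPadding
  private val decoder = Base64.getUrlDecoder

  // A malformed base64url signature is a verification failure, not an exception.
  private def decodeOrNone(s: String): Option[Array[Byte]] = Try(decoder.decode(s)).toOption

  // RS256 signer side (RSASSA-PKCS1-v1_5 with SHA-256): needs the private key.
  def signRs256(signingInput: String, privateKey: PrivateKey): String = {
    val sig = Signature.getInstance("SHA256withRSA")
    sig.initSign(privateKey)
    sig.update(signingInput.getBytes(UTF_8))
    encoder.encodeToString(sig.sign())
  }

  // RS256 verifier side: the RSASSA-PKCS1-V1_5-VERIFY step quoted from the JWA
  // spec above, which needs only the public key. Re-signing and comparing, as
  // the issue says the library does, would require every verifier to hold the
  // private key.
  def verifyRs256(signingInput: String, encodedSignature: String, publicKey: PublicKey): Boolean =
    decodeOrNone(encodedSignature).exists { sigBytes =>
      val sig = Signature.getInstance("SHA256withRSA")
      sig.initVerify(publicKey)
      sig.update(signingInput.getBytes(UTF_8))
      try sig.verify(sigBytes) catch { case _: SignatureException => false }
    }

  // HS256 verifier side: recompute the MAC and compare with MessageDigest.isEqual,
  // which does not stop at the first differing byte the way == or sameElements do.
  // That early exit is what makes a plain comparison leak timing information.
  def verifyHs256(signingInput: String, encodedSignature: String, secret: Array[Byte]): Boolean = {
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(new SecretKeySpec(secret, "HmacSHA256"))
    val expected = mac.doFinal(signingInput.getBytes(UTF_8))
    decodeOrNone(encodedSignature).exists(provided => MessageDigest.isEqual(expected, provided))
  }

  def main(args: Array[String]): Unit = {
    // Constructed header and payload; the signing input is header.payload per RFC 7515.
    val header  = encoder.encodeToString("""{"alg":"RS256","typ":"JWT"}""".getBytes(UTF_8))
    val payload = encoder.encodeToString("""{"iss":"example","sub":"alice"}""".getBytes(UTF_8))
    val signingInput = s"$header.$payload"

    val kpg = KeyPairGenerator.getInstance("RSA")
    kpg.initialize(2048)
    val keyPair = kpg.generateKeyPair()

    val rsSig = signRs256(signingInput, keyPair.getPrivate)
    assert(verifyRs256(signingInput, rsSig, keyPair.getPublic), "valid RS256 signature must verify")
    assert(!verifyRs256(signingInput + "x", rsSig, keyPair.getPublic), "tampered input must fail")
    assert(!verifyRs256(signingInput, "not-base64url!", keyPair.getPublic), "garbage signature must fail")

    // Constructed demo secret for the HS256 path.
    val secret = "constructed-demo-secret".getBytes(UTF_8)
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(new SecretKeySpec(secret, "HmacSHA256"))
    val hsSig = encoder.encodeToString(mac.doFinal(signingInput.getBytes(UTF_8)))
    assert(verifyHs256(signingInput, hsSig, secret), "valid HS256 MAC must verify")
    assert(!verifyHs256(signingInput, hsSig, "wrong-secret".getBytes(UTF_8)), "wrong secret must fail")
    println("all checks passed")
  }
}
```

The split between the two functions is the point of the first issue: an HMAC verifier legitimately recomputes the tag because it shares the secret, so a (constant-time) comparison is the right check there, whereas an RSA verifier must call verify with the public key because it cannot and should not be able to produce the signature itself.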
I've encountered an issue today with the library and an unknown claim that is a bit related to #2 and #4.
The new draft of JWT (https://tools.ietf.org/html/draft-ietf-oauth-amr-values-03) that came out last week adds a new claim that has already been implemented by a major vendor, namely auth0.
Suddenly all my APIs were rejecting a valid JWT token, which is not something that I would expect.
According to the specification, unknown claims should be ignored (https://tools.ietf.org/html/rfc7519):
The set of claims that a JWT must contain to be considered valid is
context dependent and is outside the scope of this specification.
Specific applications of JWTs will require implementations to
understand and process some claims in particular ways. However, in
the absence of such requirements, all claims that are not understood
by implementations MUST be ignored.
Is it something that you were aware of?
Can this library be used in a Scala 2.12.x environment?
When I tried to build a sample application with this lib, it couldn't be loaded from the build.sbt file.
Is there any solution or any plan to support 2.12.x?