Comments (11)
Can you please provide sample code when this is the case in your application?
from ruby-jwt.
The same here. Basically I'm doing this:
token = OAuth2Client.auth_code.get_token(params[:code], redirect_uri: 'https://domain.tld/oauth2callback')
JWT.decode(token['id_token'], nil, false)
from ruby-jwt.
@ojab does your token['id_token'] include iss?
example_payload = {"hello" => "world"}
example_secret = 'secret'
jwt = JWT.encode(example_payload, example_secret)
JWT.decode(jwt, example_secret)
=> [{"hello"=>"world"}, {"typ"=>"JWT", "alg"=>"HS256"}]
example_payload = {"hello" => "world", "iss" => 'token'}
jwt = JWT.encode(example_payload, example_secret)
JWT.decode(jwt, example_secret) #=> JWT::InvalidIssuerError: Invalid issuer
source code:
if options[:verify_iss] && payload.include?('iss')
  raise JWT::InvalidIssuerError.new("Invalid issuer. Expected #{options['iss']}, received #{payload['iss']}") unless payload['iss'].to_s == options['iss'].to_s
end
from ruby-jwt.
@ojab @k1w1 It's a bug. Thanks for reporting.
If verify is set to false the token will still be validated when iss is present in the payload.
My test code:
require 'jwt'

token = JWT.encode({iss: 'test_me', id: 1}, 'password')
puts token

begin
  puts JWT.decode token, 'password'
rescue => e
  puts "I won't work - you didn't tell me the original issuer who created that token."
  puts e.inspect
end

begin
  puts JWT.decode token, 'password', true, {'iss' => 'test_me'}
  puts 'I work because you told me who the original issuer is to validate against.'
rescue => e
  puts e.inspect
end

# this will raise an exception
# <JWT::InvalidIssuerError: Invalid issuer. Expected , received test_me>
begin
  puts JWT.decode token, 'password', false
  puts "I should work because I don't care if my values are okay."
rescue => e
  # BUT I DON'T WORK!
  puts e.inspect
end
I think we should set the default option to the verify value when you call decode.
verify = false
JWT.decode my_token, my_password, verify
JWT.decode should set all default_options to false but by default they are always set to true. This causes the crashes.
You can enable specific verifications using the options parameter in the JWT.decode method.
verify = false
options = {iss: 'my_issuer', verify_iss: true}
JWT.decode my_token, my_password, verify, options
This should be the correct way.
@k1w1 and @ojab have to change just a line of code.
Old:
JWT.decode token, password
New:
JWT.decode token, password, false
That should do the trick when the fix is implemented.
from ruby-jwt.
I'm unconvinced that the verification method is actually correct per the spec.
https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1 states that "The processing of this claim is generally application specific.", so likely not a good candidate for implementing in a library in this way.
Take, for example, the case where the issuer may be one of thousands of possible issuers, where e.g. the issuer might be an individual user or third-party client systems. In that case, the application may choose to allow any of the authorized list of issuers. In the current implementation, it would be incumbent upon the application to first interrogate the token, then confirm that it is in the 'allowed list', then pass that value back in to the decoder to do a string match, essentially making the additional check in this library redundant.
An alternative implementation that might work more generally (and be in line with the spec) would be to simply verify that the claim exists and has a valid value (is a string) and pass the value to a callback provided by the application to validate the value.
There is a similar issue with the current verification of the sub claim.
from ruby-jwt.
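The behaviour the thread converges on, as an added example that is not ruby-jwt's code: `verify = false` skips every check (signature and claims alike), and issuer verification is opt-in and application-driven, accepting either an allowed list or a callback as @danleyden suggests. It is a minimal HS256 encode/decode written here in plain Ruby on the standard library only; the `MiniJwt` name, its option keys (`verify_iss`, `iss`) and the sample secret are assumptions for the illustration. Two points worth seeing in code: claim checks only run after the signature has been verified, so an attacker cannot steer the `iss` comparison with a forged payload; and with claim verification off by default (the 1.4.1 behaviour) an application that never passes `verify_iss: true` will accept tokens from any issuer, so it must opt in explicitly. Note also why the message in the snippet quoted above reads "Expected , received test_me": the guard tests `options[:verify_iss]` while the expected value is read from `options['iss']`, which is nil when no options are passed.

```ruby
require 'openssl'
require 'json'

# Constructed example, not the jwt gem: a tiny HS256 JWT with opt-in issuer checks.
module MiniJwt
  class Error < StandardError; end
  class VerificationError < Error; end
  class InvalidIssuerError < Error; end

  # base64url without padding (RFC 7515 section 2), via pack/unpack to avoid extra gems
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0')
  end

  # Constant-time comparison so signature checking does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.encode(payload, secret)
    header = { 'typ' => 'JWT', 'alg' => 'HS256' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url(sig)}"
  end

  # verify = false disables everything, including claim checks (the fix the thread asks for).
  # options[:verify_iss] is false unless requested; options[:iss] may be a String,
  # an Array of Strings, or any object responding to #call (the callback alternative).
  def self.decode(token, secret, verify = true, options = {})
    parts = token.split('.')
    raise Error, 'Not enough or too many segments' unless parts.length == 3
    header_b64, payload_b64, sig_b64 = parts
    header = JSON.parse(unb64url(header_b64))
    payload = JSON.parse(unb64url(payload_b64))

    if verify
      # Pin the algorithm: never let the token header choose it (alg=none, HMAC/RSA confusion).
      raise VerificationError, 'Unsupported alg' unless header['alg'] == 'HS256'
      expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
      raise VerificationError, 'Signature verification failed' unless secure_compare(expected, unb64url(sig_b64))
      # Claims are only trusted once the signature is good.
      verify_claims(payload, options)
    end

    [payload, header]
  end

  def self.verify_claims(payload, options)
    return unless options[:verify_iss]
    iss = payload['iss']
    raise InvalidIssuerError, 'iss claim missing or not a string' unless iss.is_a?(String)
    allowed = options[:iss]
    ok = allowed.respond_to?(:call) ? allowed.call(iss) : Array(allowed).include?(iss)
    raise InvalidIssuerError, "Invalid issuer. Received #{iss}" unless ok
  end
end

# Sample token (constructed); secret is an assumption for the demo.
SAMPLE_SECRET = 'password'
SAMPLE_TOKEN = MiniJwt.encode({ 'iss' => 'test_me', 'id' => 1 }, SAMPLE_SECRET)

# Convenience wrappers so each behaviour can be checked as a return value.
def decode_no_claim_checks
  MiniJwt.decode(SAMPLE_TOKEN, SAMPLE_SECRET)[0]          # signature only, iss ignored
end

def decode_unverified
  MiniJwt.decode(SAMPLE_TOKEN, SAMPLE_SECRET, false)[0]   # nothing checked, no exception
end

def decode_with_allowed_list(allowed)
  MiniJwt.decode(SAMPLE_TOKEN, SAMPLE_SECRET, true, verify_iss: true, iss: allowed)[0]
end

def decode_with_callback
  MiniJwt.decode(SAMPLE_TOKEN, SAMPLE_SECRET, true,
                 verify_iss: true, iss: ->(i) { i.start_with?('test_') })[0]
end

puts SAMPLE_TOKEN
puts decode_unverified.inspect
puts decode_with_allowed_list(%w[other_issuer test_me]).inspect
```

The allowed-list form covers the common case; the callable form is what lets an application with thousands of issuers consult its own registry without first decoding the token unverified, which is the redundancy described above.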
Thank you for taking the time to clarify the specification details.
In this case I think we should drop the verification for aud, sub, iss and jti (#68) until we have a solution.
from ruby-jwt.
@danleyden thanks for your explanation.
@excpt
Sorry for pulling in the solutions with defects, because I didn't consider more cases.
from ruby-jwt.
Thanks, having the same issue here. Specifically I cannot verify against sub but it's in the payload.
from ruby-jwt.
@ZhangHanDong - no worries. I've read through the RFCs, and had to re-read them several times as they are quite extensive and not immediately obvious, particularly with the interplay of the different RFCs involved here. I can see where you were going and, for many applications, it is exactly the right thing to do.
from ruby-jwt.
Quick fix:
I set the default behavior for the optional claim verification to false and released 1.4.1 to get rid of this bug so everyone can keep on using the jwt gem without breaking their code.
As a next step we should put our heads together and find a solution to make these validations work without introducing new bugs.
from ruby-jwt.
@k1w1 @ojab @brancusi 1.4.1 Released. Optional claim verification set to false by default.
from ruby-jwt.