Comments (8)
Hi @claq2,
Sorry about that. Would you mind providing minimal test code to show the issue?
from jose-jwt.
I can give you a recreate scenario because you can't easily write a unit test for this:
- Create a DLL that has a public call that calls into one of the 2.2 JWT methods that had an optional parameter added in 2.3, like Encode.
- Create another bit of code, like an exe, that calls the public method in step 1. Add the reference to the step 1 DLL as a DLL reference, not a project reference.
- Without recompiling the code in step 1, upgrade to jose-jwt 2.3 and try running the code in step 2.
That's how I found this. I was using a NuGet library called IdentityModel.Owin.PopAuthentication that calls JWT.Payload(System.String). When I upgraded my project to jose-jwt 2.3, it could no longer find a Payload method that takes only 1 parameter that is a string. Step 1 above simulates IdentityModel.Owin.PopAuthentication and step 2 simulates my app.
I suggest removing the optional parameters and adding overloads for the methods to restore compatibility, e.g.
```csharp
public static string Payload(string token)
{
    return Payload(token, null);
}

public static string Payload(string token, JwtSettings settings)
{
    byte[][] parts = Compact.Parse(token);
    if (parts.Length > 3)
    {
        throw new JoseException(
            "Getting payload for encrypted tokens is not supported. Please use Jose.JWT.Decode() method instead.");
    }
    return Encoding.UTF8.GetString(parts[1]);
}
```
I might have some time to do this myself and submit a pull request, but if you'd rather keep the optional parameters and move the version to 3.0, then I won't try.
from jose-jwt.
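The break described in the comment above can be seen without building two assemblies. The following is an added example, not code from the thread or from jose-jwt: `JwtV22`, `JwtV23`, `JwtV23WithOverload` and the empty `JwtSettings` are constructed stand-ins for the library's shape before the change, after it, and with the proposed overload. It uses reflection to ask for the exact one-argument signature that an already-compiled caller references.

```csharp
using System;
using System.Reflection;

// Constructed stand-in types (hypothetical, not the real jose-jwt classes).
public class JwtSettings { }

public static class JwtV22
{
    public static string Payload(string token) => "payload";
}

public static class JwtV23
{
    // Optional parameter added: the compiled signature is now (string, JwtSettings).
    // The default value is only used by the C# compiler at the call site.
    public static string Payload(string token, JwtSettings settings = null) => "payload";
}

public static class JwtV23WithOverload
{
    // Proposed shape: the one-argument method exists again as a real overload.
    public static string Payload(string token) => Payload(token, null);
    public static string Payload(string token, JwtSettings settings) => "payload";
}

public static class Program
{
    // A caller compiled against 2.2 carries a reference to Payload(System.String).
    // The runtime looks up that exact signature; optional defaults play no part.
    public static bool HasOneArgPayload(Type t) =>
        t.GetMethod("Payload", BindingFlags.Public | BindingFlags.Static,
                    null, new[] { typeof(string) }, null) != null;

    public static void Main()
    {
        Console.WriteLine($"2.2 shape:          {HasOneArgPayload(typeof(JwtV22))}");
        Console.WriteLine($"2.3 optional param: {HasOneArgPayload(typeof(JwtV23))}");
        Console.WriteLine($"2.3 with overload:  {HasOneArgPayload(typeof(JwtV23WithOverload))}");
    }
}
```

The same lookup can be run against a candidate release of a dependency to check that the signatures existing callers were compiled against are still present before swapping the DLL.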
Thanks @claq2, I'll play around to reproduce.
Are you specifically complaining about the `Payload` method only? Other methods had optional parameters before.
Also, as far as I can see, IdentityModel.Owin.PopAuthentication depends on v1.9.1. Why do you want to update the jose-jwt dependency without upgrading IdentityModel.Owin.PopAuthentication first?
from jose-jwt.
I think Payload is the only one that IdentityModel.Owin.PopAuthentication uses. From a semantic versioning perspective, any change in the existing public calls of a library should bump the major version. All of the JWT and other public methods should look the same as they did in 2.0. If they've had optional parameters added since then, that's a breaking change. New overloads are non-breaking.
There is no update for IdentityModel.Owin.PopAuthentication available. It just happened that it worked with jose-jwt 2.2. By semver rules, it should then work with any 2.x version.
from jose-jwt.
OK, so you are basically talking about binary compatibility, where you can swap the .dll without recompiling everything else?
I've never thought about binary compatibility, only trying to preserve source compatibility, where you can recompile your project without changes to API calls.
On the other hand, I don't mind if we can restore the status quo here. I'll try to reproduce and see if it's possible to release 2.3.1 which brings binary compatibility back (probably just restore the old `Payload` method?).
from jose-jwt.
It's not just the Payload method. Any public method that has changed since 2.0 needs to be adjusted, and anything that's been changed after 2.0 until now.
I'm going to try myself, too.
from jose-jwt.
I tried to make 2 calls out of every call in JWT by removing the options settings values, but then the compiler doesn't know which call to use. E.g. if you have

```csharp
public string Foo(string input)
```

and

```csharp
public string Foo(string input, string input2 = null)
```

then this call is ambiguous:

```csharp
Foo("blah");
```
If I make the settings value mandatory, then it must move to be before all of the optional parameters, which breaks both binary and source compatibility. So, there's no way to restore binary compatibility.
Perhaps the right approach is to add a disclaimer that the library does not maintain binary compatibility. Or declare a 3.0 version on the next change in the API and then maintain both compatibilities.
I'll close this because there's no way to get both compatibilities with the current code.
from jose-jwt.
Thanks for the input.
Still want to play with it myself. It probably makes sense to start incorporating something like http://apichange.codeplex.com/ to get some tooling help?
from jose-jwt.