
json_web_token's People

Contributors

garyf, grempe


json_web_token's Issues

Secure token example in README(s) is invalid

The following token, part of your example code in the README (in both this repository and in the jwt_claims repo as well!), is invalid.

secure_jwt_example = 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt.cGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'

Tested with json_web_token gem:

[6] pry(main)> JsonWebToken.verify('eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt.cGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk', key: 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C')
=> {:error=>"invalid"}

Shows truncated payload output when tested in the https://jwt.io/ debugger and signature does not verify there.
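A structural check on the token quoted in this issue, as an added example (not part of the original issue or of the gem's code): it counts the dot-separated segments of the compact serialization and decodes each JSON part. The helper names are hypothetical, and `rejoined_payload` assumes the second and third segments are one payload split by a stray dot.

```ruby
require 'base64'
require 'json'

# Token copied verbatim from the issue text.
TOKEN = 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.' \
        'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt.' \
        'cGxlLmNvbS9pc19yb290Ijp0cnVlfQ.' \
        'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'

# Decode a base64url segment and parse it as a JSON object; nil if it is not one.
def json_segment(segment)
  parsed = JSON.parse(Base64.urlsafe_decode64(segment))
  parsed.is_a?(Hash) ? parsed : nil
rescue JSON::ParserError, ArgumentError
  nil
end

# A compact JWS must be exactly header.payload.signature (three segments).
def inspect_compact_jws(token)
  segments = token.split('.', -1)
  {
    segment_count: segments.length,
    well_formed: segments.length == 3,
    header: json_segment(segments[0].to_s),
    payload: json_segment(segments[1].to_s)
  }
end

# Probe: treat segments 2 and 3 of a four-segment token as one payload.
def rejoined_payload(token)
  segments = token.split('.', -1)
  return nil unless segments.length == 4

  json_segment(segments[1] + segments[2])
end

if __FILE__ == $PROGRAM_NAME
  report = inspect_compact_jws(TOKEN)
  puts "segments: #{report[:segment_count]} (a compact JWS has 3)"
  puts "header:   #{report[:header].inspect}"
  puts "payload:  #{report[:payload].inspect}"
  puts "rejoined: #{rejoined_payload(TOKEN).inspect}"
end
```
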

JWT as client API keys

Thanks a ton for this awesome gem. I'm currently using it for the front-end of my application to authenticate with my API and it works great. I hate to open an issue for this as it's more of a question, but I thought you might could give some pointers.

According to https://jwt.io, JSON Web Tokens should be passed via the following header:

Authorization: Bearer <token>

I'd like to use JSON Web Tokens for my client's API keys as well, but I'd need to be able to decode the token to see which client it is for, obviously.

If different secret keys are used for each client to encode the JSON Web Tokens, how am I supposed to know which secret key to use to decode the token? How do people normally handle this when using JSON Web Tokens for APIs?

I thought about using a single secret key for all requests, but that means if that key is ever compromised and I have to update it--ANYONE using my API has to come get a new web token.
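One common answer to the key-selection question in this issue, as an added example (not code from the issue or from the json_web_token gem): carry a key identifier in the JWS `kid` header parameter, read it before verification only to choose the key, and trust the claims only after the signature checks out. The client ids, secrets and helper names are constructed for illustration, and HS256 is done with Ruby's standard OpenSSL bindings.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Constructed per-client secrets, indexed by the value carried in "kid".
CLIENT_KEYS = {
  'client-a' => 'constructed-secret-for-client-a-0001',
  'client-b' => 'constructed-secret-for-client-b-0002'
}.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def hs256(key, data)
  OpenSSL::HMAC.digest('SHA256', key, data)
end

# Issue a token for one client; the header names the key that signed it.
def issue_token(kid, claims)
  header = { 'alg' => 'HS256', 'typ' => 'JWT', 'kid' => kid }
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{signing_input}.#{b64url(hs256(CLIENT_KEYS.fetch(kid), signing_input))}"
end

# Returns the claims hash, or nil when the token must be rejected.
def verify_token(token)
  segments = token.split('.', -1)
  return nil unless segments.length == 3

  # The header is untrusted here: it is used only to select a key.
  header = JSON.parse(Base64.urlsafe_decode64(segments[0]))
  # Pin the algorithm; never let the token choose it.
  return nil unless header.is_a?(Hash) && header['alg'] == 'HS256'

  key = CLIENT_KEYS[header['kid']]
  return nil if key.nil?

  expected = hs256(key, segments[0..1].join('.'))
  actual = Base64.urlsafe_decode64(segments[2])
  # Constant-time comparison of the two MACs.
  return nil unless OpenSSL.secure_compare(expected, actual)

  JSON.parse(Base64.urlsafe_decode64(segments[1]))
rescue JSON::ParserError, ArgumentError
  nil
end
```

Rotating one client's secret then affects only that client's tokens, and a token whose `kid` is relabelled to another client fails verification because the MAC was computed with a different key.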

Please link to jwt_claims gem repo in README

I was checking out this gem (I got here via https://jwt.io/) and wondering why something like exp claim support wasn't there. I took a chance and looked at your other repositories and discovered jwt_claims.

I would recommend you link to jwt_claims from your README, and maybe add a short description for why you chose to split the claims functionality into a separate gem.

https://github.com/garyf/jwt_claims

Cheers.

PS - I'm impressed with the nice clean code! Well done.

Unable to run rake db:migrate when using JST

I get the following error message:

/Users/me/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/json_web_token-0.2.2/lib/json_web_token.rb:35: warning: already initialized constant JWT
/Users/me/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/jwt-1.5.6/lib/jwt/json.rb:4: warning: previous definition of JWT was here
fatal: Needed a single revision

The app's source code can be found here: https://github.com/catarse/catarse

RSA maximum message size ignores modulus

The RSA module defines a constant MESSAGE_BYTES_MAX irrespective of the RSA modulus size.

The referenced RFC states that the maximum should be modulus - 11 octets, i.e., when I use a 4096 bit key I'd expect the maximum message size to be 501 octets. Or did I get that wrong?
