Comments (4)
The previous getFamilyName()
was mostly an implementation detail that ideally shouldn't have been exposed to application developers.
The latest JJWT API doesn't need getFamilyName()
anywhere - i.e. it's not required by any of the JwtBuilder
or JwtParser
usage scenarios, so it doesn't (initially) make sense to add it to the public API. In other words, adding things to the public API that aren't used anywhere by the public API add implementation and long term maintenance burden on something that isn't used within JJWT's codebase.
Out of curiosity, what is the JWT use case where this is required?
from jjwt.
Out of curiosity, what is the JWT use case where this is required?
I have cases where my keys are stored as strings, and need to produce instances of Key
by the algorithm:
String key = "some key retrieved by 'kid'";
SignatureAlgorithm algorithm = SignatureAlgorithm.forName(header.getAlgorithm());
if (algorithm.isHmac()) {
// Hmac key
return Keys.hmacShaKeyFor(Base64.getEncoder().encode(key.getBytes()));
} else {
// Public/Private key pair
return KeyFactory.getInstance(algorithm.getFamilyName()).generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(key.getBytes())));
}
If there's another workaround for that it'd help as well, that is constructing a Key
from a string based on the expected algorithm.
from jjwt.
Ah, I see now. Because key material can be used for different algorithms, and in cryptographic contexts, you rarely want to use a key across different cryptographic operations (i.e. you ideally shouldn't use a signature key for encryption and vice versa), usually the key type/algorithms/purpose is serialized/represented with the key material. This allows deserialization to ensure that the key is represented and used for its intended purpose.
Additionally, the code shown above is a security risk: one should not rely on the incoming JWT to 'tell' you what your serialized key should be used for - a malicious JWT can indicate a different algorithm, and the code could blindly create the key based on what the JWT says instead of what the serialized key is actually intended for.
Ideally your keys, when stored as strings, should also store the keys' algorithm and allowed usages, and ensure that the key is being used as you intend it, not what the JWT indicates.
One potential solution is you could concatenate this information with your key string before saving. Then, when reading the key, construct the key based on the concatenated information.
Another (better?) solution is to represent your key(s) as JWKs, which are just JSON strings at the end of the day, because JWKs represent all of this information already: https://github.com/jwtk/jjwt#json-web-keys-jwks
But be careful of course: any private or secret JWK still represents sensitive information, so those String(s) should be encrypted before stored (e.g. in a database or on disk).
from jjwt.
Since there hasn't been follow-up on this for the last few weeks, I'm closing it since it doesn't appear that this needs to be a change in the JJWT codebase. Happy to discuss further if you feel otherwise!
from jjwt.
Related Issues (20)
- Typo in changelog HOT 1
- java.lang.NoSuchMethodError: org.json.JSONTokener.<init>(Ljava/io/Reader;)V HOT 15
- package jjwt is not resolved HOT 4
- Locator for Key has no access to JWT claims (issuer) HOT 1
- Error building JWT with non-string audience claim type HOT 4
- A single audience value gets converted into a set with one entry HOT 1
- Disable Jackson ObjectMapper FAIL_ON_UNKNOWN_PROPERTIES Deserialization Feature HOT 1
- Unable to extract claims when cty specified in JWS header (>0.12.0) HOT 19
- Question: How far is version 1.0 (due to breaking changes in 0.12)?
- NIST Elliptic Curve JWK field element octet string padding HOT 1
- Allow parsing signed JWTs without the key HOT 1
- Impossible to build a JWK with `alg: HS512` and a `k` that is larger than 64 bytes HOT 2
- Make JacksonDeserializer constructor public
- Unable to access jcaName from Jwts.SIG HOT 2
- Jwts.builder - audience cannot be add without calling add() HOT 5
- Consider a convenience method to obtain a `Jwk` from a `JwkSet` by Key ID HOT 4
- Deprecation of support for unsecured JWT token parsing with algo != 'none' HOT 3
- NoSuchMethodError when using libraries built against older jjwt version HOT 2
- Unable to verify Elliptic Curve signature using configured ECPublicKey. Invalid encoding for signature HOT 2
- CVE reported against 0.11.5 HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jjwt.