Comments (3)
TL;DR The new way is more secure (and spec compliant).
If you are interested in bypassing the security mechanisms of a JWT, see this post, though I'd recommend against parsing a JWT you are not able to validate
from jjwt.
We had a use case of performing unsecured JWT parsing.
I don't know if your use case is similar to those discussed in other tickets, but I've addressed some of them in other replies that you might find useful:
and
TLDR; if you need information in a JWS after its initial signature verification and use case (e.g. authenticating an HTTP request), create a new JWT that contains what you need for access later, with appropriate exp times if/as necessary. This new JWT can be unsecured (not recommended) or secured with a key specific to the server/application so it may be verified unmodified later as needed.
Is there any update in JWT RFC to enforce such checks for unsecured JWTs?
Surprisingly, yes. JJWT's original implementation of this logic was created years ago, before the RFCs were finalized (they were very nearly finalized, in draft status, when JJWT was created). Before the RFC was finalized, they added this:
https://datatracker.ietf.org/doc/html/rfc7518#section-8.5
Given the other backwards-incompatible changes slated for 0.12.0, it was also a good time to introduce this other change to represent the (finalized) RFC. Consequently, having a signature algorithm other than none, but not having a signature in the token indicates that the JWS was either malformed or unsafely manipulated, so the JWT library needs to indicate the token is invalid.
Hopefully that helps!
P.S. thank you for such a detailed and well-written issue, we really do appreciate it.
from jjwt.
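The "verify once, then re-issue a server-bound token" pattern from the TLDR above, as an added example that is not code from the issue or from the JJWT project. It assumes JJWT 0.12+ with jjwt-impl and a JSON serializer (e.g. jjwt-jackson) on the classpath; the class name, `SERVER_KEY`, the `orig_iss` claim and the issuer URL are illustrative choices.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import javax.crypto.SecretKey;
import java.security.KeyPair;
import java.security.PublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;

public class ReissueAfterVerify {
    // Hypothetical server-local key: generated at startup, never shared with the
    // upstream issuer, so only this application can verify the re-issued token.
    private static final SecretKey SERVER_KEY = Jwts.SIG.HS256.key().build();

    // Verify the incoming JWS with the issuer's public key once, then mint a new
    // JWS carrying only the claims needed later, bound to SERVER_KEY with its own exp.
    static String verifyAndReissue(String incomingJws, PublicKey issuerKey, Duration ttl) {
        Jws<Claims> verified = Jwts.parser().verifyWith(issuerKey).build()
                .parseSignedClaims(incomingJws); // throws on a missing or bad signature
        Instant now = Instant.now();
        return Jwts.builder()
                .subject(verified.getPayload().getSubject())
                .claim("orig_iss", verified.getPayload().getIssuer()) // hypothetical claim name
                .issuedAt(Date.from(now))
                .expiration(Date.from(now.plus(ttl)))
                .signWith(SERVER_KEY)
                .compact();
    }

    // Later access path: the server token is verified, never parsed unsecured.
    static Claims readServerToken(String serverJws) {
        return Jwts.parser().verifyWith(SERVER_KEY).build().parseSignedClaims(serverJws).getPayload();
    }

    public static void main(String[] args) {
        // Constructed stand-in for an upstream issuer (e.g. an IdP) signing with ES256.
        KeyPair issuer = Jwts.SIG.ES256.keyPair().build();
        String incoming = Jwts.builder().subject("Alice").issuer("https://idp.example")
                .signWith(issuer.getPrivate()).compact();
        String serverToken = verifyAndReissue(incoming, issuer.getPublic(), Duration.ofMinutes(15));
        System.out.println(readServerToken(serverToken).getSubject());
        try {
            readServerToken(incoming); // the issuer-signed token is not valid under SERVER_KEY
        } catch (JwtException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The original issuer-signed token cannot be re-read without the issuer's key, while the server-bound token can be verified at any later request using only `SERVER_KEY`.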
For what it's worth, the code below will achieve your expected behavior, but it's really, really not a good idea. Because of its security implications, it will never be added to JJWT, but for those who live dangerously:
```java
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Header;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoders;
import java.security.KeyPair;
import java.util.Map;

KeyPair keyPair = Jwts.SIG.ES256.keyPair().build();
final String jws = Jwts.builder().subject("Alice").signWith(keyPair.getPrivate()).compact();

// HERE BE DRAGONS. Thou art forewarned:
int i = jws.indexOf('.');
String b64UrlHeader = jws.substring(0, i);
String b64UrlPayload = jws.substring(i + 1, jws.lastIndexOf('.'));
ObjectMapper om = new ObjectMapper();
Map headerMap = om.readValue(Decoders.BASE64URL.decode(b64UrlHeader), Map.class);
headerMap.put("alg", "none");
b64UrlHeader = Encoders.BASE64URL.encode(om.writeValueAsBytes(headerMap));
String unsecured = b64UrlHeader + '.' + b64UrlPayload + '.';
Jwt<Header, Claims> unsafe = Jwts.parser().unsecured().build().parseUnsecuredClaims(unsecured);
```
from jjwt.