Thanks for the package, it works great. The only problem for me is that I'm using R as a client and I don't have the secret key available. I know I can parse the payload data on my own. I just wonder if you could add a decoding function to be used on the client?

I use this client-side angular https://github.com/auth0/angular2-jwt just for reference.

Thanks and let me know what you think.

Patrik

I'd like to use the openid-configuration/jwks.json url approach to verify a token, but this requires first determining the unverified claims on the token. It looks like the jwt_split function could be used to do this, but it would also need to return the header (for the kid). Would you be willing to export this function and add the header to the return values?

Another approach could be to create jwt.get_unverified_header and jwt.get_unverified_claims functions similar to Python's jose package.

We want to encode this structure with jwt_claim() in order to embed a Metabase question in a Shiny application:

{
  "resource": {"question": 4},
  "params": {}, # empty but required
  "exp": 123456789 # current time + 10 minutes

Metabase requires the params key to be present at the top level even if the value is empty. However, line 28 of R/claim.R appears to throw away any empty substructures at the top level of the claim, and on the receiving end after decryption the params key is missing. Our workaround is:

params <- list()
names(params) <- character(0)
claim <- structure(list(exp = unbox(expiry), resource = list(question = unbox(1)), params = params),
                   class = c("jwt_claim", "list"))
token <- jwt_encode_hmac(claim, secret = METABASE_SECRET_KEY)

(We have to contruct params this way rather than simply using a list because jsonlite converts list() without names to [] rather than {}). Can jwt_claim() take an optional argument specifying that empty structures are to be retained?

Add decoding tests using jwt's from another source like http://kjur.github.io/jsjws/tool_jwt.html

Github Apps use jwt for authentication.

I am getting the error when the jwt_decode_sig function calls the signature_verify function. Any ideas on where to look at first?

If I copy the jwt_split code and pass the sig through it, it works fine and I can get all of the information out of the JWT signature. However, when I use the jwt_decode_sig function directly, it fails with the error, even though the public key is valid, and I assume the sig is valid.

At the moment typ=JWT is hardcoded in jwt_encode_sig

As part of the Solid OIDC specification, I need to be able to use typ=dpop+jwt
https://solid.github.io/solid-oidc/primer/#authorization-code-pkce-flow-step-13

Would there be an objection to allowing typ to be overridden by header, i.e. using modifyList instead of c?

to_json(modifyList(list( 
   typ = "JWT", 
   alg = paste0("ES", size) 
 ), header)) 

I've checked that this would be the only change required to allow jose to be used in implementing Solid OIDC:
https://gist.github.com/josephguillaume/41eed73967e0cf2ff4714b38be55dcfc

Happy to put in the (trivial) PR.

Hallo,

Would it be possible that you choose one of the canonical licences for this package?

Best,
Sebastian

Hi
I think it would be helpful if we could supply an url instead of a file.
What do you think?
Cheers

The master branch of this repository will soon be renamed to main, as part of a coordinated change across several GitHub organizations (including, but not limited to: tidyverse, r-lib, tidymodels, and sol-eng). We anticipate this will happen by the end of September 2021.

That will be preceded by a release of the usethis package, which will gain some functionality around detecting and adapting to a renamed default branch. There will also be a blog post at the time of this master --> main change.

The purpose of this issue is to:

• Help us firm up the list of targetted repositories
• Make sure all maintainers are aware of what's coming
• Give us an issue to close when the job is done
• Give us a place to put advice for collaborators re: how to adapt

message id: euphoric_snowdog

Currently, jwt_split exports only type and keysize as headers. In some situations additional headers are transmitted and required. One example is the kid header when using Google's OpenID Connect. Is there any functionality to parse to the headers? Otherwise, I would propose to export all headers as a sublist of jwt_split.

See https://datatracker.ietf.org/doc/draft-ietf-jose-cfrg-curves/. We can use the sodium package to implement curve25591 and ed25591.

The grace period for token validation is currently hard-coded to 60 seconds, see here:

Would it be possible to make this configurable? It would help to test the token expiration functionality.