setHeader should have an overload that accepts a String array

Issue #2 resolved
Travis Spencer created an issue

The JWT spec says that the aud claim can be an array of strings/URIs in the case where the token has multiple intended audiences, or it can be a single string/URI if it only has one. It also says that the issuer can include the aud claim in the header; however, the setHeader method doesn't allow for the setting of an array, only a single string. So, it doesn't seem possible to implement the spec in this way.

If I'm interpreting things right, it seems that the setHeader method should be overloaded to accept a String array.

Comments (4)

  1. Brian Campbell repo owner

    I agree that a setHeader method that accepts a String array is probably something that's needed to allow for a multiple audience claim in the header. I'll add something.

    But I'm a little curious about your use case. The canonical use of audience is in the payload of the JWE/JWS. The allowance for some claims to show up as headers too - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12#section-5.3 - was mostly intended for JWEs where those claims would help in pre-encryption processing like maybe figuring out which key to use. So while needing multiple audiences in the header is legal, it seems like it'd be an edge case to me. What are you trying to do?

  2. Travis Spencer reporter

    Agree that it's probably only needed in a JWE for the reasons you mention. ATM, I'm trying to build a convenience layer on top of jose4j, so I don't have a particular use case in mind. So, maybe, JWE needs an overloaded setHeader that takes an array string and that can use the setEncodedHeader that's exposed on the JWX to set it. That way JWS doesn't get it which may be confusing even if legit.

  3. Brian Campbell repo owner

    So actually, I just looked again and you can do this now using setObjectHeaderValue(..) on Headers and giving it a List for a value.

    Might look something like this:

    import java.util.Arrays;
    import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
    import org.jose4j.jwe.JsonWebEncryption;
    import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
    import org.jose4j.jwk.OctJwkGenerator;
    import org.jose4j.jwk.OctetSequenceJsonWebKey;
    import org.jose4j.jwt.ReservedClaimNames;

    JsonWebEncryption jwe = new JsonWebEncryption();
    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.DIRECT);
    jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
    OctetSequenceJsonWebKey jsonWebKey = OctJwkGenerator.generateJwk(256); // 256-bit key, as A128CBC-HS256 requires
    jwe.setKey(jsonWebKey.getKey());
    jwe.setPlaintext("some text");
    jwe.setHeader(ReservedClaimNames.ISSUER, "me"); // single-valued header claim
    // multi-valued "aud": setObjectHeaderValue serializes the List as a JSON array
    jwe.getHeaders().setObjectHeaderValue(ReservedClaimNames.AUDIENCE, Arrays.asList("you", "them"));
    System.out.println(jwe.getCompactSerialization()); // throws the checked org.jose4j.lang.JoseException
    System.out.println(jwe.getHeaders().getFullHeaderAsJsonString());
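
The comment above describes the intended use of header claims in a JWE: the receiver can read "iss" and "aud" before decrypting and use them to pick a key. The following is an added example, not code from the issue or from jose4j itself, that shows both sides: an issuer that puts an "aud" array in the JWE header, and a receiver that selects its key from the "iss" header, checks that it is among the audiences (accepting either the single-string or the array form), and only then decrypts. The `KEYS_BY_ISSUER` registry, the `encryptFor` and `decryptAs` helpers and the audience names are assumptions for illustration. The security point worth keeping in mind: the JWE header is not encrypted, so anyone can read "iss" and "aud", and key selection necessarily happens before anything is authenticated; the protected header is bound to the ciphertext as AAD, though, so a tampered "aud" makes the final decryption fail rather than being silently accepted.

```java
import java.security.Key;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwk.OctJwkGenerator;
import org.jose4j.jwt.ReservedClaimNames;
import org.jose4j.lang.JoseException;

// Added example, not part of jose4j: "aud" array in the JWE header, and a
// receiver that uses the unencrypted header claims for key selection.
public class AudHeaderExample {

    // Hypothetical registry: one shared ("dir") key per issuer we accept tokens from.
    static final Map<String, Key> KEYS_BY_ISSUER = new HashMap<String, Key>();

    // "aud" may be a single string or an array of strings; normalise to a list.
    static List<String> audiences(JsonWebEncryption jwe) {
        Object aud = jwe.getHeaders().getObjectHeaderValue(ReservedClaimNames.AUDIENCE);
        if (aud instanceof String) {
            return Collections.singletonList((String) aud);
        }
        if (aud instanceof List) {
            List<String> out = new ArrayList<String>();
            for (Object o : (List<?>) aud) {
                if (!(o instanceof String)) {
                    throw new IllegalArgumentException("aud entries must be strings");
                }
                out.add((String) o);
            }
            return out;
        }
        return Collections.emptyList(); // no "aud" header at all
    }

    // Issuer side: same construction as in the comment above, wrapped in a helper.
    static String encryptFor(String issuer, List<String> aud, Key key, String plaintext)
            throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.DIRECT);
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
        jwe.setKey(key);
        jwe.setHeader(ReservedClaimNames.ISSUER, issuer);
        jwe.getHeaders().setObjectHeaderValue(ReservedClaimNames.AUDIENCE, aud); // JSON array
        jwe.setPlaintext(plaintext);
        return jwe.getCompactSerialization();
    }

    // Receiver side. Everything read from the header here is still unauthenticated:
    // it is only used to decide which key to try and whether to bother at all.
    static String decryptAs(String me, String compact) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setCompactSerialization(compact);
        // Pin the key-management algorithm before the key is handed over.
        if (!KeyManagementAlgorithmIdentifiers.DIRECT.equals(jwe.getAlgorithmHeaderValue())) {
            throw new JoseException("unexpected alg: " + jwe.getAlgorithmHeaderValue());
        }
        List<String> aud = audiences(jwe);
        if (!aud.contains(me)) {
            throw new JoseException("token not addressed to " + me + ": " + aud);
        }
        Key key = KEYS_BY_ISSUER.get(jwe.getHeader(ReservedClaimNames.ISSUER));
        if (key == null) {
            throw new JoseException("unknown issuer: " + jwe.getHeader(ReservedClaimNames.ISSUER));
        }
        jwe.setKey(key);
        // Authenticates protected header + ciphertext (header is AAD), then decrypts.
        return jwe.getPlaintextString();
    }

    public static void main(String[] args) throws JoseException {
        Key shared = OctJwkGenerator.generateJwk(256).getKey(); // constructed test key
        KEYS_BY_ISSUER.put("me", shared);

        String compact = encryptFor("me", Arrays.asList("you", "them"), shared, "some text");
        System.out.println(decryptAs("you", compact));
        try {
            decryptAs("nobody", compact); // not in the audience list: rejected before decryption
        } catch (JoseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The audience check runs before `setKey`, so a token addressed to someone else is rejected without touching key material; the issuer lookup is what the header claims are really for in this pattern. If the "aud" array is altered in transit the lookup and check may still pass, but `getPlaintextString()` then fails because the modified header no longer authenticates against the ciphertext.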
    