Different ClaimSet is produced depending on JDK version

Issue #121 resolved
Alex Soto created an issue

Because custom claim sets are a HashMap, depending on the Java version the API is running on, the custom claim sets are iterated in a different way, which makes the token invalid.

For example, in the case of claim sets generated with Java 8:

JWTClaimsSet [iss=null, sub=alex, aud=null, exp=Tue Feb 01 00:00:00 CET 2050, nbf=null, iat=null, jti=null, customClaims={ip=192.168.0.1, SSLID=111111111, user-agent=Mozilla}]

And the same code with Java 7:

JWTClaimsSet [iss=null, sub=alex, aud=null, exp=Tue Feb 01 00:00:00 CET 2050, nbf=null, iat=null, jti=null, customClaims={user-agent=Mozilla, SSLID=111111111, ip=192.168.0.1}]

Note that because they are iterated in a different way depending on the Java version, this makes it (I think) impossible to share the same token between services that are running on different JVMs. For this reason I think that instead of using a HashMap for custom claims, a LinkedHashMap should be used.

I can provide a PR if you want.

Comments (8)

  1. Connect2id OSS

    Thanks for spotting this!

    A pull request will be greatly appreciated as we've got our hands full at the moment. Alongside some tests, if possible :)

  2. Alex Soto reporter

    No problem, working on this. By the way, have you noticed that there are 24 errors when running the tests? I have just cloned the project and did a mvn clean install.

  3. Alex Soto reporter

    Last thing before implementation. Do you expect some kind of portability between different JWT implementations? For example, if we set that attributes are serialized depending on the insertion order (LinkedHashMap), then this is something that developers must be aware of, because the "other" implementation should implement it in this way as well and also provide the information on the order of insertion of each attribute. But if you don't have this requirement in mind, then it is ok.

    On the other hand, if you think that this interoperability can be good, then I think that a SortedMap would be better, because although you need to provide this information to the "other" caller, just saying that it must be in alphabetical order would be enough, because you don't need to provide the order of insertion.

  4. Connect2id OSS

    The order should not matter according to the spec, as the claims are converted to Base64 before signing. So a linked hash map should be fine.
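As an added illustration of the report and of the last comment (this is demo code written for this page, not code from nimbus-jose-jwt or from either participant): the HMAC in a JWS covers the exact base64url-encoded payload bytes, so a verifier that re-serialises the claim set with a different map order breaks a valid signature, whereas LinkedHashMap and TreeMap give a JVM-independent order. The key, the claim values and the minimal JSON writer are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class ClaimOrderDemo {
    // Minimal JSON serialisation of flat string claims, in the map's iteration order (demo only).
    static String toJson(Map<String, String> claims) {
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<String, String> e : claims.entrySet()) {
            if (sb.length() > 1) sb.append(',');
            sb.append('"').append(e.getKey()).append("\":\"").append(e.getValue()).append('"');
        }
        return sb.append('}').toString();
    }
    static String b64url(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }

    // JWS signing input is BASE64URL(header) "." BASE64URL(payload); the MAC covers exactly these bytes.
    static String signingInput(Map<String, String> claims) {
        String header = b64url("{\"alg\":\"HS256\"}".getBytes(StandardCharsets.UTF_8));
        return header + "." + b64url(toJson(claims).getBytes(StandardCharsets.UTF_8));
    }

    static String hs256(String input, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return b64url(mac.doFinal(input.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        // The three custom claims from the report, inserted in the same order into each map type.
        String[][] custom = {{"ip", "192.168.0.1"}, {"SSLID", "111111111"}, {"user-agent", "Mozilla"}};
        Map<String, String> hash = new HashMap<>(), linked = new LinkedHashMap<>(), sorted = new TreeMap<>();
        for (String[] c : custom) { hash.put(c[0], c[1]); linked.put(c[0], c[1]); sorted.put(c[0], c[1]); }
        System.out.println("HashMap       payload: " + toJson(hash));   // order depends on the JVM
        System.out.println("LinkedHashMap payload: " + toJson(linked)); // insertion order, same on every JVM
        System.out.println("TreeMap       payload: " + toJson(sorted)); // alphabetical, no insertion-order contract needed
        // Sign the token as issued, then verify the two ways a consumer might do it.
        String sig = hs256(signingInput(linked), key);
        System.out.println("MAC over the token's own bytes matches: " + sig.equals(hs256(signingInput(linked), key)));
        System.out.println("MAC over re-serialised (TreeMap) claims matches: " + sig.equals(hs256(signingInput(sorted), key)));
    }
}
```

The last line prints false because the TreeMap payload orders SSLID before ip, so the signing input differs; a consumer that verifies over the token's original header.payload bytes is unaffected by the issuer's map choice.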
