Adding crit headers in JWTs makes the signature fail

Issue #304 invalid
quentin castel created an issue

Hello!

It's more a question in regards to your signature verifier:

I was troubleshooting why suddenly my JWTs are detected as invalid. I finally found the issue and this is due to this line:

https://bitbucket.org/connect2id/nimbus-jose-jwt/src/409673c518b17f39d49a1ce17620b8cf1b58e005/src/main/java/com/nimbusds/jose/crypto/RSASSAVerifier.java#lines-155

    if (! critPolicy.headerPasses(header)) {
        return false;
    }

I am not sure I understand why having 'crit' headers automatically makes the signature invalid?

Thanks!

Comments (3)

  1. Vladimir Dzhuvinov

    JOSE has this notion of critical JWS / JWE headers, which if not understood by the recipient should cause sig validation / decryption to fail.

    If you have critical headers that the application knows how to handle - list their names using the com.nimbusds.jose.crypto.RSASSAVerifier#RSASSAVerifier(java.security.interfaces.RSAPublicKey, java.util.Set<java.lang.String>) constructor.

    If you have critical headers that act as inputs to the signature validation, override the RSASSAVerifier to take care of that.

    https://tools.ietf.org/html/rfc7515#section-4.1.11
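
The two verifier behaviours described in this comment, as an added example (not code from the issue or from the nimbus-jose-jwt project): a JWS carrying a custom header listed in "crit" fails verify() with a plain RSASSAVerifier, and passes once the application declares that header as deferred through the two-argument constructor. The header name and the payload are constructed for this example.

```java
import java.util.Set;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;

public class CritHeaderDemo {

    // Hypothetical custom header the issuer marks as critical (name chosen for this example).
    static final String CUSTOM_HEADER = "http://example.com/token-policy";

    public static void main(String[] args) throws Exception {
        RSAKey rsaKey = new RSAKeyGenerator(2048).generate();

        // Issuer side: the header carries a custom parameter and declares it critical via "crit".
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                .customParam(CUSTOM_HEADER, "strict")
                .criticalParams(Set.of(CUSTOM_HEADER))
                .build();
        JWSObject jws = new JWSObject(header, new Payload("{\"sub\":\"alice\"}"));
        jws.sign(new RSASSASigner(rsaKey.toRSAPrivateKey()));
        String compact = jws.serialize();

        // Recipient side, verifier 1: no deferred crit headers declared. The critical
        // header policy rejects the header before the RSA signature is even checked,
        // which is the critPolicy.headerPasses(header) branch quoted in the issue.
        JWSObject parsed = JWSObject.parse(compact);
        RSASSAVerifier strictVerifier = new RSASSAVerifier(rsaKey.toRSAPublicKey());
        System.out.println("unknown crit header -> " + parsed.verify(strictVerifier));

        // Verifier 2: the application states that it understands this header by listing
        // it as deferred, so the library skips the policy check and verifies the signature.
        RSASSAVerifier awareVerifier =
                new RSASSAVerifier(rsaKey.toRSAPublicKey(), Set.of(CUSTOM_HEADER));
        boolean ok = parsed.verify(awareVerifier);
        System.out.println("deferred crit header -> " + ok);

        // Deferring only moves the responsibility: the application must now enforce
        // the semantics of the header itself, as RFC 7515 section 4.1.11 requires.
        if (ok) {
            Object policy = parsed.getHeader().getCustomParam(CUSTOM_HEADER);
            System.out.println("enforce policy header value here: " + policy);
        }
    }
}
```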

  2. quentin castel reporter

    Perfect, thanks Vladimir. Really helpful.

    I was thinking: Would it not be nice if the signature verification threw an exception like InvalidToken, with the root cause of the issue as its message?

    The error returned to the end user would be more explicit.

  3. Vladimir Dzhuvinov

    Packing extra info why the validation failed is a good idea.

    https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/306/

    We could do that with exceptions. However, their performance for handling control-flow-like situations (invalid signature) is bad. Especially if the software needs to process a lot of tokens, and many of them can be invalid. This was addressed with caching them in the JWT processor, but that also has issues (we have a ticket for that).