JWTClaimsSet does not preserve claims ordering

Issue #326 wontfix
Siqi Li created an issue

Here’s the sample code:

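    import com.nimbusds.jwt.JWTClaimsSet;

    public class ClaimsOrderDemo {
        public static void main(String[] args) {
            // Claims are added in the order b, c, a
            final JWTClaimsSet claims = new JWTClaimsSet.Builder()
                    .claim("b", "b")
                    .claim("c", "c")
                    .claim("a", "a")
                    .build();
            System.out.println(claims); // prints {"a":"a","b":"b","c":"c"}
        }
    }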

I know normally the field ordering doesn't matter, but in our use case, we are serializing our signed JWTs with detached payload and manually constructing the payload on the verifying side. So right now, in order to preserve the field ordering, I'm using the JWSSigner interface directly and manually constructing the parts.

I think the cause of this issue is the JSON library. net.minidev.json.JSONObject implements HashMap instead of LinkedHashMap. And I see JWTClaimsSet already uses a LinkedHashMap under the hood to preserve field ordering I presume, but the serializing part uses the JSON library that breaks the field ordering.

Comments (6)

  1. Connect2id OSS

    Hi,

    If you’ve already examined how the serialization happens and if you think there is a simple fix, would you submit a PR?

  2. Siqi Li reporter

    Unfortunately the only fix I can think of is to use another JSON library that preserves field ordering. I don’t think that’s a “simple” fix and I don’t know if including another JSON library is acceptable.

  3. Siqi Li reporter

    Actually, I think I've found a simple solution. Instead of using SignedJWT, I'm now using JWSObject where the constructor takes a Payload that allows me to do my own serialization.

  4. Vladimir Dzhuvinov

    Claims ordering can be preserved via the Payload class which can be used to extract the raw JSON.

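The approach from comments 3 and 4, as an added example that is not code from the issue or from the library's maintainers: the claims are serialized by hand, wrapped in a `Payload`, signed through `JWSObject`, and checked in detached form against both the exact bytes and a reordered copy. The class name, the demo key and the JSON strings are constructed for illustration, and it assumes a library version that provides `JWSObject.serialize(boolean)` and `JWSObject.parse(String, Payload)`.

```java
import java.nio.charset.StandardCharsets;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;

public class DetachedPayloadOrder {
    public static void main(String[] args) throws Exception {
        // Constructed 32-byte demo key for HS256; load real keys from a key store.
        byte[] secret = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);

        // Serialize the claims yourself so the signed byte sequence is fixed.
        String rawJson = "{\"b\":\"b\",\"c\":\"c\",\"a\":\"a\"}";

        // Payload(String) keeps the string as given; it is not re-serialized
        // through the JSON library, so the key order b, c, a is what gets signed.
        JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.HS256), new Payload(rawJson));
        jws.sign(new MACSigner(secret));
        System.out.println("signed payload: " + jws.getPayload().toString());

        // Detached compact form: header..signature, the payload travels separately.
        String detached = jws.serialize(true);
        System.out.println("detached JWS:   " + detached);

        // Verifier rebuilds the payload with the exact same bytes, so the
        // signing input matches what the signer used.
        JWSObject same = JWSObject.parse(detached, new Payload(rawJson));
        System.out.println("exact bytes verify:     " + same.verify(new MACVerifier(secret)));

        // Same claims in a different key order (what the sorted output in the
        // report would look like): the signing input differs, so verify()
        // rejects the signature.
        String reordered = "{\"a\":\"a\",\"b\":\"b\",\"c\":\"c\"}";
        JWSObject other = JWSObject.parse(detached, new Payload(reordered));
        System.out.println("reordered bytes verify: " + other.verify(new MACVerifier(secret)));
    }
}
```

With a detached payload the signature covers bytes, not a JSON value, so both sides need an agreed, deterministic serialization of the claims.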