JWTClaimsSet does not preserve claims ordering
Here’s the sample code:
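    import com.nimbusds.jwt.JWTClaimsSet;

    public class ClaimsOrderDemo { // wrapper class name added so the snippet compiles
        public static void main(String[] args) {
            // Claims are added in the order b, c, a
            final JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .claim("b", "b")
                .claim("c", "c")
                .claim("a", "a")
                .build();
            System.out.println(claims); // prints {"a":"a","b":"b","c":"c"}
        }
    }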
I know normally the field ordering doesn't matter, but in our use case, we are serializing our signed JWTs with detached payload and manually constructing the payload on the verifying side. So right now, in order to preserve the field ordering, I'm using the JWSSigner interface directly and manually constructing the parts.
I think the cause of this issue is the JSON library. net.minidev.json.JSONObject implements HashMap instead of LinkedHashMap. And I see JWTClaimsSet already uses a LinkedHashMap under the hood to preserve field ordering I presume, but the serializing part uses the JSON library that breaks the field ordering.
Comments (6)
- Hi,
  If you’ve already examined how the serialization happens and if you think there is a simple fix, would you submit a PR?
- reporter Unfortunately the only fix I can think of is to use another JSON library that preserves field ordering. I don’t think that’s a “simple” fix and I don’t know if including another JSON library is acceptable.
- reporter Actually, I think I've found a simple solution. Instead of using SignedJWT, I'm now using JWSObject where the constructor takes a Payload that allows me to do my own serialization.
- marked as proposal
  bug → proposal
- changed status to wontfix
  Claims ordering can be preserved via the Payload class which can be used to extract the raw JSON.
- reporter Thanks. That’s exactly what I did.
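The workaround from the comments (JWSObject with a caller-serialized Payload), sketched for the detached-payload case described in the issue. This is an added example, not code from the reporter or the Nimbus project; the class name, demo secret and HS256 choice are assumptions, and it assumes a library version that provides JWSObject.serialize(boolean) and JWSObject.parse(String, Payload).

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import java.nio.charset.StandardCharsets;

public class OrderedPayloadDemo { // hypothetical class name

    // Constructed 256-bit demo secret (assumption); real keys come from a key store.
    static final byte[] SECRET =
        "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);

    // Signs the exact JSON text supplied by the caller, so the claim order is
    // whatever the caller serialized. Returns the compact form with the payload
    // detached (the middle part is left empty).
    static String signDetached(String json) throws Exception {
        JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.HS256), new Payload(json));
        jws.sign(new MACSigner(SECRET));
        return jws.serialize(true);
    }

    // Verifying side: re-attaches the payload it reconstructed and checks the MAC.
    // The signature covers the payload bytes, so the JSON must match byte for byte.
    static boolean verifyDetached(String detached, String json) throws Exception {
        JWSObject jws = JWSObject.parse(detached, new Payload(json));
        return jws.verify(new MACVerifier(SECRET));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: the same claims in two different orders.
        String asBuilt = "{\"b\":\"b\",\"c\":\"c\",\"a\":\"a\"}";
        String reordered = "{\"a\":\"a\",\"b\":\"b\",\"c\":\"c\"}";

        String detached = signDetached(asBuilt);
        System.out.println("detached JWS: " + detached);
        // Same bytes as signed: the check passes.
        System.out.println("original order verifies: " + verifyDetached(detached, asBuilt));
        // Same claims, different order: the signing input differs, so the check fails.
        System.out.println("reordered verifies: " + verifyDetached(detached, reordered));
    }
}
```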