connect2id / Nimbus-JOSE-JWT / issues / #58 - Make "none" a valid JWS alg type — Bitbucket

Issue #58 wontfix

William Kim created an issue 2013-08-19

http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-14#section-3.6

Current behavior throws a ParseException when "alg" is set to "none" in the JWS Header.

Relevant points in the code:

https://bitbucket.org/nimbusds/nimbus-jose-jwt/src/ca58ff0ece35243aa6546583dffcd236dcea26d2/src/main/java/com/nimbusds/jose/Header.java?at=master#cl-263

and

https://bitbucket.org/nimbusds/nimbus-jose-jwt/src/ca58ff0ece35243aa6546583dffcd236dcea26d2/src/main/java/com/nimbusds/jose/JWSHeader.java?at=master#cl-183

Comments (3)

Vladimir Dzhuvinov
- changed status to wontfix
Unprotected JOSE objects are represented by the PlainObject / PlainHeader classes. The class structure of the library was designed specifically to provide a clear distinction between plain and true JWS objects.

If you want to parse a JOSE header which type you don't know in advance use the Header.parse method. You can then do an instanceof check on the result (PlainHeader / JWSHeader / JWEHeader).

Tomorrow I'll look if we could add a convenience method to parse headers from JSON strings and /or Base64URL strings (that would be a different issue).

Cheers, Vladimir
- 2013-08-19T20:34:11+00:00
William Kim reporter
Thank you for explaining that :)
- 2013-08-19T21:19:52+00:00
Vladimir Dzhuvinov
Just pushed out a new release (2.18) to Maven central, it updates the library to the latest JOSE - 14/ JWT -11 drafts and also adds a two helper methods to parse headers of any type:

Header.parse(String) Header.parse(Base64URL)

Should reach Maven Central by the end of the day.

Enjoy :)
- 2013-08-20T12:38:11+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: wontfix

Component: –

Milestone: –

Votes: 0

Watchers: 2

Jira: the preferred issue tracker for Bitbucket. Join the team!