JWS returning OSEException: One or more header parameters not accepted by the JWS verifier when I add a custom non-registered parameter

Issue #86 resolved
Craig Pottinger created an issue

I am using the JWS example on the wiki, which works fine. However, I would like to add a custom parameter, namely an expiration date. Here is the implemented code:

import com.nimbusds.jose.{JWSAlgorithm, JWSHeader, JWSObject, Payload}
import com.nimbusds.jose.crypto.{MACSigner, MACVerifier}
import org.joda.time.DateTime
import org.joda.time.format.DateTimeFormat
import play.api.http.HeaderNames.AUTHORIZATION
import play.api.http.MimeTypes
import play.api.mvc.Request

val sharedKey = "secret-shared-key"
// "ss" is seconds; "SS" would be fraction of a second
val fmt = DateTimeFormat.forPattern("yyyy-MM-dd HH:mm:ss")

def jwsToken(email: String): String = {
  val payLoad = new Payload(email)
  val header = new JWSHeader(JWSAlgorithm.HS256)
  header.setContentType(MimeTypes.TEXT)
  // custom, non-registered header parameter carrying the expiry
  val expiryDate = new DateTime().plusDays(1)
  header.setCustomParameter("expiry", fmt.print(expiryDate))
  val jwsObject = new JWSObject(header, payLoad)
  val jwsSigner = new MACSigner(sharedKey.getBytes())
  jwsObject.sign(jwsSigner)
  jwsObject.serialize()
}

// Play action context: the current request is expected in implicit scope
def verifyJwsToken[A](implicit request: Request[A]): Option[Boolean] = {
  for {
    auth <- request.headers.get(AUTHORIZATION)
  } yield {
    val token = auth.split(" ").last
    val jwsObject = JWSObject.parse(token)
    val jwsHeader = jwsObject.getHeader
    val exp = jwsHeader.getCustomParameter("expiry").asInstanceOf[String]
    if (fmt.parseDateTime(exp).isAfterNow) {
      val verifier = new MACVerifier(sharedKey.getBytes())
      jwsObject.verify(verifier)
    } else false
  }
}

I can't understand why the above code doesn't verify. Can someone please tell me what I am doing wrong?

Comments (6)

  1. Craig Pottinger reporter

    Hey Vladimir,

    I actually got this to work. Saw Issue #66, which mentioned the same issue. I had to add

    val acceptedParams = jwsHeader.getIncludedParameters
    verifier.getJWSHeaderFilter.setAcceptedParameters(acceptedParams)

    and then it worked. What's the philosophy behind rejecting all verifications with non-standard parameters?

  2. Vladimir Dzhuvinov

    Hi Craig,

    The original intent of that was to reject messages with custom header params which the verifier doesn't know how to process. In your case you could extend the MACVerifier class to check the expiration timestamp and use that as an additional factor in deciding whether the JWS is valid or not.

    Having said that, the JWS spec mentions that header params that are not understood must be ignored: http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#section-4

    So the default behaviour should be to ignore such non-understood parameters. I'll open the issue and think about it.

    Cheers,

    Vladimir
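The header-filter workaround from comment 1 and the expiry check suggested in comment 2, combined into one verify step as an added example (not the reporter's code and not part of the library). It wraps MACVerifier rather than subclassing it, assumes the 2.x API used in this thread (getJWSHeaderFilter, setAcceptedParameters, getIncludedParameters) plus the filter's getAcceptedParameters getter, and only trusts the "expiry" header after the HMAC has verified:

```scala
import com.nimbusds.jose.{JOSEException, JWSObject}
import com.nimbusds.jose.crypto.MACVerifier
import org.joda.time.DateTime
import org.joda.time.format.DateTimeFormat
import scala.collection.JavaConverters._

object ExpiringJws {
  // "ss" is seconds; "SS" would be fraction of a second.
  private val fmt = DateTimeFormat.forPattern("yyyy-MM-dd HH:mm:ss")

  // The only custom header parameter this verifier knows how to process.
  private val knownCustomParams = Set("expiry")

  // True only if the HMAC is valid AND the signed "expiry" header lies after `now`.
  def verifyWithExpiry(token: String, sharedKey: Array[Byte], now: DateTime = DateTime.now()): Boolean = {
    val jwsObject = try JWSObject.parse(token) catch { case _: java.text.ParseException => return false }
    val header = jwsObject.getHeader
    val verifier = new MACVerifier(sharedKey)

    // Extend the filter's accepted set with just "expiry" (assumed getter on the 2.x filter).
    // Passing header.getIncludedParameters wholesale, as in the workaround, would accept
    // whatever parameters the sender chose to include; this keeps the allow-list explicit.
    val filter = verifier.getJWSHeaderFilter
    val accepted = filter.getAcceptedParameters.asScala.toSet ++ knownCustomParams
    filter.setAcceptedParameters(accepted.asJava)

    // Signature first: until it verifies, nothing in the header can be trusted.
    val signatureOk = try jwsObject.verify(verifier) catch { case _: JOSEException => false }
    if (!signatureOk) return false

    // The header is part of the signing input, so "expiry" is authenticated at this point.
    Option(header.getCustomParameter("expiry")) match {
      case Some(exp: String) =>
        try fmt.parseDateTime(exp).isAfter(now) catch { case _: IllegalArgumentException => false }
      case _ => false // missing or non-string expiry: treat as expired
    }
  }
}
```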

  3. Vladimir Dzhuvinov

    Hi Craig,

    I pushed a new release out that includes the above fix, it should reach Maven Central by the end of the day. The version is 2.25. Enjoy! :)
