JWS returning JOSEException: One or more header parameters not accepted by the JWS verifier when I add a custom non-registered parameter
I am using the JWS example on the wiki, which works fine. However, I would like to add a custom parameter, namely an expiration date. Here is the implemented code:
import com.nimbusds.jose.{JWSAlgorithm, JWSHeader, JWSObject, Payload}
import com.nimbusds.jose.crypto.{MACSigner, MACVerifier}
import org.joda.time.DateTime
import org.joda.time.format.DateTimeFormat
// MimeTypes, AUTHORIZATION and request come from the surrounding Play controller (assumed)

val sharedKey = "secret-shared-key"
// "ss" is seconds; the original "SS" is Joda's fraction-of-second, so seconds were lost
val fmt = DateTimeFormat.forPattern("yyyy-MM-dd HH:mm:ss")

def jwsToken(email: String): String = {
  val payLoad = new Payload(email)
  val header = new JWSHeader(JWSAlgorithm.HS256)
  header.setContentType(MimeTypes.TEXT)
  val expiryDate = new DateTime().plusDays(1)
  // Custom, non-registered header parameter; it is covered by the signature like the rest of the header
  header.setCustomParameter("expiry", fmt.print(expiryDate))
  val jwsObject = new JWSObject(header, payLoad)
  val jwsSigner = new MACSigner(sharedKey.getBytes())
  jwsObject.sign(jwsSigner)
  jwsObject.serialize()
}

def verifyJwsTokenA: Option[Boolean] = {
  for {
    auth <- request.headers.get(AUTHORIZATION)
  } yield {
    val token = auth.split(" ").last
    val jwsObject = JWSObject.parse(token)
    val jwsHeader = jwsObject.getHeader
    val exp = jwsHeader.getCustomParameter("expiry").asInstanceOf[String]
    if (fmt.parseDateTime(exp).isAfterNow) {
      val verifier = new MACVerifier(sharedKey.getBytes())
      // Throws JOSEException here: the verifier does not accept the custom "expiry" header param
      jwsObject.verify(verifier)
    } else false
  }
}
I can't understand why the above code doesn't verify. Can someone please tell me what I am doing wrong?
Comments (6)
reporter - marked as minor
Hi Craig,
The original intent of that was to reject messages with custom header params which the verifier doesn't know how to process. In your case you could extend the MACVerifier class to check the expiration timestamp and use that as an additional factor in deciding whether the JWS is valid or not.
Having said that, the JWS spec mentions that header params that are not understood must be ignored: http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-25#section-4
So the default behaviour should be to ignore such non-understood parameters. I'll open the issue and think about it.
Cheers,
Vladimir
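The two behaviours discussed in this thread, a verifier that rejects header params it does not understand versus one that ignores them as the spec requires, and an application that acts on the custom "expiry" param only after the signature has verified, as an added self-contained Python example using a hand-rolled HS256 compact JWS (this is not Nimbus JOSE+JWT code, and the key, e-mail and dates are constructed):

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

SHARED_KEY = b"secret-shared-key"  # constructed sample key, used like the thread's Scala sharedKey
REGISTERED = {"alg", "typ", "cty", "kid"}  # params the verifier itself understands; "expiry" is not one
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(header: dict, payload: bytes, key: bytes) -> str:
    # Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256 over the first two)
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, key: bytes, strict_params: bool = False) -> tuple:
    # Returns (valid, reason, header); the header may only be trusted once valid is True
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, decides the algorithm
        return False, "unexpected alg", header
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return False, "bad signature", header
    unknown = sorted(set(header) - REGISTERED)
    if strict_params and unknown:  # the pre-2.25 header filter the reporter ran into
        return False, "header params not accepted: " + ",".join(unknown), header
    return True, "ok", header  # ignoring unknown params is what draft-25 section 4 requires

def accept_token(token: str, key: bytes, now: datetime) -> tuple:
    # Application-level check: act on the custom "expiry" param only after the signature verified
    valid, reason, header = verify_hs256(token, key)
    if not valid:
        return False, reason
    exp = header.get("expiry")
    if exp is None or datetime.strptime(exp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc) <= now:
        return False, "expired or missing expiry"
    return True, "ok"

def demo() -> dict:
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    hdr = {"alg": "HS256", "cty": "text/plain", "expiry": "2024-01-02 12:00:00"}
    tok = sign_hs256(hdr, b"alice@example.com", SHARED_KEY)
    # Forged token: expiry pushed out in the header, old signature kept (no key needed to do this)
    _, p_b64, s_b64 = tok.split(".")
    forged = ".".join([b64url(json.dumps(dict(hdr, expiry="2030-01-01 00:00:00")).encode()), p_b64, s_b64])
    return {"strict": verify_hs256(tok, SHARED_KEY, strict_params=True)[:2],
            "lenient": accept_token(tok, SHARED_KEY, now), "forged": accept_token(forged, SHARED_KEY, now),
            "later": accept_token(tok, SHARED_KEY, now + timedelta(days=2))}
```

Because the header is part of the signing input, a changed "expiry" fails the signature check, so the application can rely on the value once verification succeeds.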
- changed status to open
- changed status to resolved
I decided to remove header param filtering altogether, see commit 3c69ea9.
Hi Craig,
I pushed a new release out that includes the above fix, it should reach Maven Central by the end of the day. The version is 2.25. Enjoy! :)
Hey Vladimir,
I actually got this to work. Saw Issue #66, which mentioned the same issue. I had to add
  val acceptedParams = jwsHeader.getIncludedParameters
  verifier.getJWSHeaderFilter.setAcceptedParameters(acceptedParams)
and then it worked. What's the philosophy behind rejecting all verifications with non-standard parameters?
and then it worked. What's the philosophy behind rejecting all verifications with non-standard parameters?