Current implementations of JWSVerifier don't allow having key ID as a header parameter

Issue #9 resolved
Former user created an issue

Current implementations of JWSVerifier only accept "alg", "typ" and "cty" header parameters. This doesn't allow having the "kid" header claim.

Comments (6)

  1. Vladimir Dzhuvinov

    Thank you for reporting this. It's a known issue and I'm aiming to fix it early next month. It looks like we overdid header parameter checking :)

  2. Jason Reicheneker

    Does this error message mean I'm running into this issue?

    Missing JSON object member with key "mod"

  3. Jason Reicheneker

    Please disregard my comment. It looks like I had a couple of nimbus-jose-jwt jar files in my classpath (v2.3 and v2.10.1).

  4. Jason Reicheneker

    Ok, now I've made it to the verification step and am seeing the same issue. Do you have an updated estimate when it will be fixed?

  5. Vladimir Dzhuvinov

    Fixed by commit a4fd2d0.

    All reserved JWS header parameters, including kid, are now accepted by default. To restrict the acceptable JWS algs or param names, or to allow custom parameters, do verifier.getJWSHeaderFilter() and call the appropriate setter methods.

    Justin and I are working on adding JPSK support, which should be complete this week, and he'll then push an official release including this fix to Maven Central.
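
The header filter described in comment 5, shown as an added example that is not part of the original thread or the project's own code: it pins a verifier to one algorithm and an explicit allowlist of header parameter names that includes "kid". It is written against the 2.x-era API this thread discusses; the setter names `setAcceptedAlgorithms` and `setAcceptedParameters` and the mutable `JWSHeader.setKeyID` are assumptions (the thread names only `getJWSHeaderFilter()`), and the secret and key ID are constructed values.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSHeaderFilter;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;

public class HeaderFilterExample {

    public static void main(String[] args) throws Exception {
        // Constructed 256-bit demo secret; real keys come from a key store.
        byte[] secret = "0123456789abcdef0123456789abcdef".getBytes("UTF-8");

        // Sign a token whose header carries "kid", the parameter from this issue.
        JWSHeader header = new JWSHeader(JWSAlgorithm.HS256);
        header.setKeyID("demo-key-1"); // constructed key ID; setter assumed (2.x API)
        JWSObject jws = new JWSObject(header, new Payload("hello"));
        jws.sign(new MACSigner(secret));
        String compact = jws.serialize();

        JWSVerifier verifier = new MACVerifier(secret);
        JWSHeaderFilter filter = verifier.getJWSHeaderFilter();

        // Pin the verifier to the single algorithm this service issues, so a
        // token announcing any other "alg" is refused before signature checking.
        // Setter name assumed from the 2.x API.
        filter.setAcceptedAlgorithms(Collections.singleton(JWSAlgorithm.HS256));

        // Explicit allowlist of header parameter names; a header carrying any
        // name outside this set is rejected. Setter name assumed (2.x API).
        Set<String> params = new HashSet<String>(Arrays.asList("alg", "typ", "kid"));
        filter.setAcceptedParameters(params);

        boolean ok = JWSObject.parse(compact).verify(verifier);
        System.out.println("kid accepted, signature valid: " + ok);
    }
}
```

Keeping the parameter allowlist no wider than the headers your issuers actually emit means a custom parameter has to be opted in deliberately rather than accepted silently.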
