Current implementations of JWSVerifier don't allow having key id as a header parameter
Current implementations of JWSVerifier only accept "alg", "typ" and "cty" header parameters. This doesn't allow having the "kid" header claim.
Comments (6)
-
Does this error message mean I'm running into this issue?
Missing JSON object member with key "mod"
-
Please disregard my comment. It looks like I had a couple of nimbus-jose-jwt jar files in my classpath (v2.3 and v2.10.1).
-
Ok, now I've made it to the verification step and am seeing the same issue. Do you have an updated estimate when it will be fixed?
-
- changed status to resolved
Fixed by commit a4fd2d0.
All reserved JWS header parameters, including kid, are now accepted by default. To restrict the acceptable JWS algs or param names, or to allow custom parameters, do verifier.getJWSHeaderFilter() and call the appropriate setter methods.
Justin and I are working on adding JPSK support which should be complete this week and he'll then push an official release including this fix to Maven central.
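Added example, not part of the thread and not the library's code: a language-neutral Python model of the header filtering discussed above, showing the original "alg"/"typ"/"cty"-only allow-list rejecting "kid" and the relaxed default accepting it. The names check_header, make_token, HeaderRejected and RESERVED are hypothetical, and the reserved set is assumed to be the RFC 7515 registered names.

```python
import base64
import json

# Header parameter names registered by RFC 7515 section 4.1 (assumption: the
# library's own "reserved" set at the time of this issue may differ).
RESERVED = frozenset({"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                      "x5t#S256", "typ", "cty", "crit"})


class HeaderRejected(Exception):
    """Raised when the JWS header fails the allow-list policy."""


def b64url_decode(segment: str) -> bytes:
    # Compact JWS segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_header(compact_jws, accepted_algs, accepted_params=RESERVED):
    """Return the parsed header, or raise HeaderRejected before any crypto runs."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise HeaderRejected("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise HeaderRejected("header is not valid base64url JSON") from exc
    if not isinstance(header, dict):
        raise HeaderRejected("header is not a JSON object")
    # The algorithm allow-list comes from the verifier, never from the token.
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in accepted_algs:
        raise HeaderRejected(f"algorithm not accepted: {alg!r}")
    unknown = sorted(set(header) - set(accepted_params))
    if unknown:
        raise HeaderRejected("header parameters not accepted: " + ", ".join(unknown))
    return header


def make_token(header: dict) -> str:
    # Constructed sample: payload and signature are placeholders, never verified here.
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(b'{"sub":"alice"}'), b64url_encode(b"sig")])
```

Passing accepted_params={"alg", "typ", "cty"} reproduces the rejection reported in this issue; a custom parameter is accepted only when it is explicitly added to the set.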
-
Thank you very much. I entered #30 today after doing some more testing.
Thank you for reporting this. It's a known issue and I'm aiming to fix it early next month. It looks like we overdid header parameter checking :)