Header fields with null values causing exception

Issue #258 resolved
Former user created an issue

One of our IdPs is sending back a token with {"cty": null} in the header and we are getting an exception.

We also included the following example to reproduce the case.

According to RFC 7515, the cty header is optional; unfortunately, it does not specify whether it is nillable. We noticed that other validation libraries are more lenient in these cases and ignore headers with null values as if they were not sent.

We would like to propose that Nimbus is also more lenient in the case of optional headers with null values.

        String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImN0eSI6bnVsbH0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.KW0Fxg7Jz0L_-TQCZR6FnRL4rqCmguU11CuDM23C38U";

        JWTParser.parse(token);

        Exception in thread "main" java.text.ParseException: Invalid JWS header: JSON object member with key "cty" has null value
            at com.nimbusds.jose.JWSObject.<init>(JWSObject.java:133)
            at com.nimbusds.jwt.SignedJWT.<init>(SignedJWT.java:59)
            at com.nimbusds.jwt.SignedJWT.parse(SignedJWT.java:95)
            at com.nimbusds.jwt.JWTParser.parse(JWTParser.java:60)
            at Main.main(Main.java:13)
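An added example, not part of the original issue and not Nimbus JOSE+JWT code: a library-independent Python sketch of the lenient handling proposed above. It decodes the header of the reported token, treats null-valued optional parameters as absent, still rejects a null or missing `alg` (the `REQUIRED` set and the function names are assumptions of this sketch), and keeps the original encoded segments as the signing input.

```python
import base64
import json

# Token copied from the issue report above.
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImN0eSI6bnVsbH0"
    ".eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"
    ".KW0Fxg7Jz0L_-TQCZR6FnRL4rqCmguU11CuDM23C38U"
)

# Assumption of this sketch: parameters that must be present and non-null.
REQUIRED = {"alg"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_header_lenient(token: str):
    """Return (header, ignored_nulls, signing_input) for a compact JWS.

    Null-valued optional members are dropped from the parsed view only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    raw = json.loads(b64url_decode(parts[0]))
    if not isinstance(raw, dict):
        raise ValueError("JWS header must be a JSON object")

    # Leniency stops at security-relevant members: null or missing is an error.
    bad = sorted(k for k in REQUIRED if raw.get(k) is None)
    if bad:
        raise ValueError(f"required header parameter null or missing: {bad}")

    ignored = sorted(k for k, v in raw.items() if v is None)
    header = {k: v for k, v in raw.items() if v is not None}

    # The signature covers the segments exactly as received, so the signing
    # input is built from them and never re-encoded from the filtered header.
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    return header, ignored, signing_input


if __name__ == "__main__":
    hdr, ignored, _ = parse_header_lenient(TOKEN)
    print("header:", hdr, "ignored null members:", ignored)
```

Logging the ignored member names gives a record of which issuers send null-valued headers.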
