Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ability to resolve signing key based on Jws embedded values before its signature is verified #8

Closed
josebarrueta opened this issue Nov 16, 2014 · 3 comments
Closed

Add ability to resolve signing key based on Jws embedded values before its signature is verified #8

josebarrueta opened this issue Nov 16, 2014 · 3 comments
Labels
enhancement
Milestone
0.4

Comments

@josebarrueta
Copy link
Contributor

Sometimes the signature key is embedded either in the JWT header or body, and therefore is useful to parse the JWT skipping the signature verification. Of course the verification must happen after getting the signature key.

If this is a valid approach the client is responsible of checking the signature after getting the values they need from the Jws.

A second approach would be to have a callback interface that if set will be called before the signature verification happens.

For example:

public interface JwsSignatureKeyResolver {
    Key resolveSignatureKey(JwsHeader header, Claims claims);
}

Probably can be call it if key is null and a implementation of the interface is specified when built a Jws Parser.
@lhazlewood
Copy link
Contributor

I wonder if the signing key could be resolved from some knowledge in the Claims...

The JWS spec states that a kid header param can be used to identify the key used to sign the request, so maybe that is all that is required.

However, I wonder if some business-specific logic related to Claims inspection could also be used, and potentially more efficient. For example, maybe based on data that is already in the claims payload, one could infer/know the signing key. If this is true, the kid property/value would not be necessary (thereby reducing the size of the JWS, which can be good for storage/transmission.

Thoughts?

@josebarrueta
Copy link
Contributor Author

Yeah, I was debating whether to include the Claims or not, latest version showed without the Claims, because I was thinking in using the kid header parameter only, but I do see benefits of allowing access to the Claims objects as well, so I will put it back in the interface.

Also, since the the SignatureAlgorithm is already determined and asserted to be a valid one, I'll change the signature of the interface to return the signingKey as a byte[] to take advantage of all the processing that the Parser already did.

Final version:

public interface JwsSigningKeyResolver {

    byte[] resolveSigningKey(JwsHeader header, Claims claims);

}

@josebarrueta josebarrueta changed the title Add ability to skip signature verification when parsing Jws Add ability to resolve signing key based on Jws embedded values before its signature is verified Nov 17, 2014
josebarrueta pushed a commit to josebarrueta/jjwt that referenced this issue Nov 17, 2014
Issue jwtk#8 Add ability to resolve signing key based on Jws embedded…
3eb4f01 
… values before its signature is verified
josebarrueta pushed a commit to josebarrueta/jjwt that referenced this issue Nov 18, 2014
Issue jwtk#8 Add unit test to the pull request.
e1be490
josebarrueta pushed a commit to josebarrueta/jjwt that referenced this issue Nov 19, 2014
Issue jwtk#8 Added ability to resolve signing keys with String payloa…
44965c7 
…d. Added SigningKeyResolverAdapter.
lhazlewood added a commit that referenced this issue Nov 20, 2014
@lhazlewood
Merge pull request #9 from josebarrueta/master
f596844 
Issue #8 Add ability to resolve signing key based on Jws embedded values...
@lhazlewood lhazlewood added this to the 0.4 milestone Nov 20, 2014
lhazlewood added a commit that referenced this issue Nov 20, 2014
@lhazlewood
#8: Updating readme in preparation for a 0.4 release
125acae
lhazlewood added a commit that referenced this issue Nov 20, 2014
@lhazlewood
#8: fixing Gradle block to be color coded
e9758ca
lhazlewood added a commit that referenced this issue Nov 20, 2014
@lhazlewood
#8: more doc updates
cd13de8
lhazlewood added a commit that referenced this issue Nov 20, 2014
@lhazlewood
#8: more doc updates
72db822
lhazlewood added a commit that referenced this issue Nov 20, 2014
@lhazlewood
#8: more doc updates
29d8a8a
@lhazlewood
Copy link
Contributor

Release notes updated and ready to go - closing this to release 0.4.

@nrktkt nrktkt mentioned this issue Nov 20, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
0.4
Development

No branches or pull requests
2 participants
@lhazlewood @josebarrueta