using crit option to require payload #51

vrseraphin · 2019-10-17T02:35:35Z

vrseraphin
Oct 17, 2019

Describe the bug

JWT.verify fails with errors indicating critical claims are missing even when the claim names are passed within the crit attribute of the options object. These claims are indeed there in the "payload". The library at present seems to be looking for these only within the header portion.

The specific issue is within jwsVerify and the call into the validateCrit
josetest2.zip

To Reproduce

Steps to reproduce the behaviour:

Expected behaviour
A clear and concise description of what you expected to happen.
I expect the JWT to be successfully validated with the identified critical claims are within the payload rather than the header.

Environment:

jose version: [e.g. v1.0.0]
node version: [e.g. v12.0.0]

Additional context
Add any other context about the problem here.

[x ] the bug is happening on latest jose too.
i have searched the issues tracker on github for similar issues and couldn't find anything related.

panva · 2019-10-17T05:05:21Z

panva
Oct 17, 2019
Maintainer

@vrseraphin the crit option is for specifications extending how a payload is being processed through requiring JOSE Header fields and its attached change of processing. Such an extension is the b64 header from rfc7797

Also the docs are clear on this

crit: string[] Array of Critical Header Parameter names to recognize.

Its use is limited to acknowledging an extension may be used in a given context, it is not intended for requiring certain claims to be present in the payload - as a matter of fact

Its value is an array listing the Header Parameter names present in the JOSE Header that use those extensions. If any of the listed extension Header Parameters are not understood and supported by the recipient, then the JWS is invalid. Producers MUST NOT include Header Parameter names defined by this specification or [JWA] for use with JWS, duplicate names, or names that do not occur as Header Parameter names within the JOSE Header in the "crit" list.

In other words you’re not using neither the crit header parameter not the option right.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

using crit option to require payload #51

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

using crit option to require payload #51

Uh oh!

vrseraphin Oct 17, 2019

Replies: 1 comment

Uh oh!

Uh oh!

panva Oct 17, 2019 Maintainer

vrseraphin
Oct 17, 2019

panva
Oct 17, 2019
Maintainer