
fix(jwt) fix typ handling #4256

Merged
merged 1 commit into from
Feb 14, 2019

Conversation

cdimascio
Contributor

Summary

When using JOSE (Json Object Signature and Validation), Kong incorrectly returns:

{"message":"Bad token; invalid typ"}

After some investigation (see #4217), it appears that Kong explicitly rejects any typ not equal to JWT. This includes typ JOSE.

RFC 7519 section 5.1 states:

...This [typ] parameter is ignored by JWT implementations; any processing of this parameter is
performed by the JWT application....

Given the above statement, it appears that Kong should ignore the typ header. This PR does that.
Effectively, this change resolves the original invalid typ and is able to properly verify a JWT with typ JOSE.

Full changelog

  • [Implement ...]
  • [Add related tests]
  • ...

Issues resolved

Fix #4217

Ignore typ header as specified by RFC7519 section 5.1, thus enabling support for other typ's including JOSE

Fix Kong#4217
@cdimascio
Contributor Author

RFC7519 section 5.1 included below for convenience:

5.1. "typ" (Type) Header Parameter

The "typ" (type) Header Parameter defined by [JWS] and [JWE] is used
by JWT applications to declare the media type [IANA.MediaTypes] of
this complete JWT. This is intended for use by the JWT application
when values that are not JWTs could also be present in an application
data structure that can contain a JWT object; the application can use
this value to disambiguate among the different kinds of objects that
might be present. It will typically not be used by applications when
it is already known that the object is a JWT. This parameter is
ignored by JWT implementations; any processing of this parameter is
performed by the JWT application. If present, it is RECOMMENDED that
its value be "JWT" to indicate that this object is a JWT. While
media type names are not case sensitive, it is RECOMMENDED that "JWT"
always be spelled using uppercase characters for compatibility with
legacy implementations. Use of this Header Parameter is OPTIONAL.

Based on the above, perhaps, the correct behavior is to remove the check entirely. (updating the PR)
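The two comments above describe the behaviour in question: a verifier that rejects any header whose typ is not "JWT" (the pre-fix behaviour reported in the linked issue) versus one that, per RFC 7519 section 5.1, ignores typ and bases acceptance on the alg allowlist and the signature. The following is an added, stand-alone Python illustration of that distinction; it is not Kong's Lua jwt plugin code and does not use its API. The HS256 secret, claims and the reject_non_jwt_typ flag are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret for the example; not a real Kong credential.
DEMO_SECRET = b"constructed-demo-secret"

# Acceptance is decided by alg (and the signature), never by typ.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the token omits."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, secret: bytes, typ: Optional[str] = "JWT") -> str:
    """Build an HS256 token; typ=None omits the header parameter entirely."""
    header = {"alg": "HS256"}
    if typ is not None:
        header["typ"] = typ
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes, reject_non_jwt_typ: bool = False) -> dict:
    """Return the verified claims, or raise ValueError with a 'Bad token; ...' reason.

    reject_non_jwt_typ=True reproduces the rejected-typ behaviour from the issue;
    the default (False) is the RFC 7519 section 5.1 behaviour: typ is ignored.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Bad token; expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("Bad token; unparsable header") from exc
    if not isinstance(header, dict):
        raise ValueError("Bad token; header is not a JSON object")

    if reject_non_jwt_typ and header.get("typ") != "JWT":
        raise ValueError("Bad token; invalid typ")

    # The security-relevant header check: alg must be one we explicitly support,
    # so "none" or an unexpected family is refused before any signature work.
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"Bad token; unsupported alg {alg!r}")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("Bad token; invalid signature")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    jose_token = make_token({"sub": "alice"}, DEMO_SECRET, typ="JOSE")
    try:
        verify_token(jose_token, DEMO_SECRET, reject_non_jwt_typ=True)
    except ValueError as err:
        print("before the fix:", err)
    print("after the fix:  ", verify_token(jose_token, DEMO_SECRET))
```

Run as a script it shows the same token being refused with "Bad token; invalid typ" under the old rule and accepted under the RFC rule. The point to take from it is that dropping the typ check loses nothing security-wise: typ is a hint for the application layer, while the alg allowlist and the constant-time signature comparison are what actually gate acceptance, and those are unchanged.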

@cdimascio
Contributor Author

Hello All,
Is there anything missing from this PR that is required for the review? I'm glad to help however I can.
Thanks for all that you do!

Contributor

@hishamhm hishamhm left a comment


The change looks coherent with the RFC indeed!

@hishamhm hishamhm merged commit cfa217e into Kong:master Feb 14, 2019
@hishamhm
Contributor

@cdimascio Merged, thank you!

@hishamhm hishamhm added this to the 1.0.4 milestone Feb 14, 2019
@cdimascio
Contributor Author

Thanks @hishamhm!

Development

Successfully merging this pull request may close these issues.

JWT verification with Kong 1.0.0 fails when using RS256 public key JOSE - Bad token; invalid typ