
Validate header claims

Open edjiang opened this issue 9 years ago • 5 comments

I'd like to be able to validate header claims with my claim spec as well -- this could look like:

local claimSpec = {
  header = {
    alg = validators.equals('HS256'),
    kid = validators.equals('MyKeyID'),
    custom = validators.equals('other')
  },
  payload = {
    exp = validators.required(validators.opt_is_not_expired()),
  }
}

edjiang avatar Jul 15 '16 18:07 edjiang

Good idea! I definitely will do this!

SkyLothar avatar Jul 16 '16 14:07 SkyLothar

Awesome! By the way, I think it's considered best practice to pin the signing algorithm when verifying a JWT. Otherwise:

  • An attacker can change alg: none in the header, and an insecure JWT library would validate the JWT
  • An attacker can use the public key of an asymmetric JWT, and sign a JWT using alg: HS256 or something symmetric and an insecure JWT library would validate the JWT

Not sure what it would look like in this library, but something to look into alongside this improvement.

edjiang avatar Jul 16 '16 16:07 edjiang

  • We didn't implement the none algorithm.
  • You can use the set_alg_whitelist function to pin one or some signing algorithms.

SkyLothar avatar Jul 17 '16 04:07 SkyLothar
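As an added illustration of the two points raised in this thread (a header section in the claim spec, and pinning the signing algorithm instead of trusting the token's alg header), here is a small Python verifier. It is not code from lua-resty-jwt or from either commenter; the validator names mirror the ones in the proposed claim spec, the whitelist mirrors the role of set_alg_whitelist, and HS256_KEY is a constructed demo secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this demo only; not a real key.
HS256_KEY = b"demo-shared-secret-not-for-production"

# The only algorithm this verifier accepts, fixed by the verifier, never by the token.
ALG_WHITELIST = {"HS256"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def encode_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Builds an HS256 token; the header is caller-controlled so tests can vary it."""
    signing_input = _segment(header) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


# Validators modelled on the names used in the proposed claim spec (hypothetical).
def equals(expected):
    return lambda value: value == expected


def required(inner=None):
    return lambda value: value is not None and (inner is None or inner(value))


def opt_is_not_expired(leeway_seconds=0):
    return lambda value: value is None or value + leeway_seconds > time.time()


# Claim spec with a header section, as proposed in the issue.
CLAIM_SPEC = {
    "header": {
        "alg": equals("HS256"),
        "kid": equals("MyKeyID"),
        "custom": equals("other"),
    },
    "payload": {
        "exp": required(opt_is_not_expired()),
    },
}


def verify(token: str, key: bytes, alg_whitelist: set, claim_spec: dict):
    """Returns (ok, reason). The alg is checked against the whitelist before any
    signature work, so 'none' or a swapped algorithm is rejected and the header
    never gets to choose how the token is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    alg = header.get("alg")
    if alg not in alg_whitelist:
        return False, "alg %r is not whitelisted" % (alg,)
    if alg != "HS256":  # only HS256 is implemented in this demo
        return False, "alg %r not supported by this verifier" % (alg,)
    expected = hmac.new(key, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    for section, spec in claim_spec.items():
        claims = header if section == "header" else payload
        for name, check in spec.items():
            if not check(claims.get(name)):
                return False, "%s claim %r failed validation" % (section, name)
    return True, "ok"


def sample_tokens():
    """Constructed tokens covering the good case and the failures discussed above."""
    header = {"alg": "HS256", "kid": "MyKeyID", "custom": "other"}
    payload = {"sub": "alice", "exp": int(time.time()) + 3600}
    return {
        "good": encode_hs256(header, payload, HS256_KEY),
        # alg:none with an empty signature segment
        "alg_none": _segment(dict(header, alg="none")) + "." + _segment(payload) + ".",
        "wrong_kid": encode_hs256(dict(header, kid="OtherKey"), payload, HS256_KEY),
        "expired": encode_hs256(header, dict(payload, exp=int(time.time()) - 60), HS256_KEY),
        "wrong_key": encode_hs256(header, payload, b"some-other-secret"),
    }


if __name__ == "__main__":
    for name, token in sample_tokens().items():
        print(name, verify(token, HS256_KEY, ALG_WHITELIST, CLAIM_SPEC))
```

The ordering matters: the whitelist decision is made from the verifier's configuration before the signature is checked, so a header that says none, or that names a different algorithm for the same key, is refused without the header influencing which verification routine runs. The header claims are then validated by the same spec mechanism as the payload claims.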

Awesome, didn't realize that. Thanks!

edjiang avatar Jul 30 '16 18:07 edjiang

Is it possible to validate the sub in the payload of the JWT?

usernamecopied12 avatar Mar 30 '18 09:03 usernamecopied12