
Option to entirely remove headers

Open dotnetchris opened this issue 9 years ago • 10 comments

I would like to remove the alg and typ headers since they expose internal security details unnecessarily. Either the messages match my configured algorithm or they don't. This also has a side benefit of a reduction in message size, which every byte counts when it comes to headers sent with every single mobile request.

dotnetchris avatar Jul 29 '16 05:07 dotnetchris

I am not arguing for or against the proposal but please note that RFC 7515 defines the alg header as mandatory in order for the JOSE object to be a valid JSON Web Signature. RFC 7516 does the same for JSON Web Encryption.

sandersaares avatar Jul 29 '16 05:07 sandersaares

@sandersaares Understandable it would be "non-conforming". Definitely something that would need to be opt in only.

dotnetchris avatar Jul 29 '16 05:07 dotnetchris

That's kind of puzzling me as well: if you remove the alg header (which is mandatory by spec), it's probably not a JWT anymore?

How will the token consumer guess the way to decode the token?

dvsekhvalnov avatar Jul 29 '16 07:07 dvsekhvalnov

Just to comment on that old auth0 post:

  • jose-jwt was never vulnerable to that attack
  • per request it was added https://github.com/dvsekhvalnov/jose-jwt#strict-validation

dvsekhvalnov avatar Jul 29 '16 07:07 dvsekhvalnov

@dvsekhvalnov that #strict-validation jump link doesn't seem to go any where. I also don't see anything off hand on the history of README.md that would seem relevant

dotnetchris avatar Aug 09 '16 19:08 dotnetchris

Hey @dotnetchris, I'm sorry, somehow the given doc section disappeared while juggling with branches.

Should all be restored now: https://github.com/dvsekhvalnov/jose-jwt#strict-validation

dvsekhvalnov avatar Aug 09 '16 20:08 dvsekhvalnov

So I'm circling back to this. It doesn't look like there's any way for me to generate a token from jose without the headers being added. It looks like I would have to duplicate the implementation of Encode and EncodeBytes to eliminate the forced inclusion of the dictionary (alg header) & extraHeaders (typ header).

Then looking into the statement "If the received header doesn't match with the types that you have specified an exception will be thrown and the parsing will be stopped": that does align with the terminology "strict validation", however that doesn't aid in telling Jose that I want to use this algorithm and that the header value should be ignored regardless of whether the alg header exists or not.

dotnetchris avatar Sep 22 '16 20:09 dotnetchris

Hi @dotnetchris ,

Maybe you can tell us what specific use case you are trying to address?

dvsekhvalnov avatar Sep 23 '16 07:09 dvsekhvalnov

In my closed system (mobile app to API) I just want to eliminate the alg and typ headers; they add overhead for no purpose and expose a minor bit of security information that doesn't need to be shared at all given I own both sides of the wire.

dotnetchris avatar Sep 26 '16 19:09 dotnetchris

@dotnetchris, well, JWT is about interoperability. If you are not seeking interop (like you own all interacting parties) why do you need JWT at all? You can just encrypt/decrypt a binary string with any suitable algorithm - it is several lines of code in any language/platform today.

dvsekhvalnov avatar Sep 27 '16 08:09 dvsekhvalnov
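Added example (not code from the thread or from the jose-jwt project itself) showing the strict-validation behaviour discussed above: the verifier pins the algorithm it accepts, so the token's own `alg` header never chooses the algorithm, and a token carrying a different `alg` is rejected before the key is used. It assumes, as the thread suggests, that the default `typ` header comes from `extraHeaders`, so passing an empty dictionary omits `typ` while `alg` stays (mandatory per RFC 7515); the key and claims are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Jose;

class StrictJwtDemo
{
    // Constructed demo secret; a real deployment uses a random key of at least 256 bits.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-secret-do-not-reuse-0123456789");

    static void Main()
    {
        var payload = new Dictionary<string, object> { { "sub", "user-42" }, { "exp", 1475000000 } };

        // Assumption: an empty extraHeaders dictionary suppresses the default "typ":"JWT".
        // "alg" is still emitted because the JWS spec makes it mandatory.
        string token = JWT.Encode(payload, Key, JwsAlgorithm.HS256,
                                  extraHeaders: new Dictionary<string, object>());
        Console.WriteLine(JWT.Headers(token).ContainsKey("typ") ? "typ present" : "typ omitted");

        // Strict validation: the consumer states the only algorithm it will accept.
        // Whatever "alg" says in the header cannot switch the verification algorithm.
        string json = JWT.Decode(token, Key, JwsAlgorithm.HS256);
        Console.WriteLine(json);

        // A token whose header claims another algorithm is refused instead of being
        // verified with the algorithm the header asks for.
        string otherAlg = JWT.Encode(payload, Key, JwsAlgorithm.HS512);
        try
        {
            JWT.Decode(otherAlg, Key, JwsAlgorithm.HS256);
            Console.WriteLine("unexpected: token accepted");
        }
        catch (InvalidAlgorithmException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The pinned-algorithm overload is what makes a missing or attacker-chosen `alg` header irrelevant to the consumer, which is the property the issue is really after.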