
JWT with JSON body seen as plaintext JWT

Open maximedn opened this issue 3 years ago • 3 comments

Hi,

We are facing this behavior when using the latest release of jjwt (0.9.1):

When parsing the claims of a token that has a JSON body using Jwts.parser().[...].parseClaimsJws(token), the token is seen as a plaintext JWT. Here is what the token contains:

Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "iss": "XXX",
  "scope": "XXX",
  "onBehalfOf": "",
  "aud": " ",
  "locale": "",
  "iat": 1636109922773,
  "exp": 1636110522773,
  "jti": "ID"
}

Apparently, the token payload contains an extra \r\n at the end, which causes it to be interpreted as a plaintext JWT, see this line: https://github.com/jwtk/jjwt/blob/3e6c9e978ccb0eccf5ff83cfb04b052043839d4f/impl/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java#L333

Is this normal behavior? Should the JWT be seen as plaintext when it doesn't end exactly with }?

Thank you !

maximedn avatar Nov 05 '21 12:11 maximedn

Hi Maxime!

Out of curiosity, what made you believe 0.9.1 was the latest JJWT release? It's actually 0.11.2 (at the time I'm writing this) per https://github.com/jwtk/jjwt#install

That said, I'm not sure that 0.11.2 will solve your problem.

Compact JWT bodies can represent both plaintext as well as JSON, so we have to use heuristics (the line you quoted) to do our best to try and figure out if it might be JSON or not. Based on this issue, we need to update our code to ignore any whitespace before or after the first and last { and } characters, respectively. (Or potentially even just try to parse the string no matter what, and if it is not valid JSON, fall back to a String or byte array.)

And while we need to do that, I do have to say:

The entire point of compact JWTs is to save space: whatever library that produced your JWT should not be using whitespace anywhere in the JSON structure (other than in JSON member names and values themselves as necessary) - it should be as flat and minimal as possible with no extra whitespace anywhere as that only defeats the purpose of the notion of 'compact'. Could you reach out to whoever produced that JWT to see if they can fix it on their end as well?

lhazlewood avatar Nov 05 '21 18:11 lhazlewood
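To make the heuristic discussed above concrete, here is an added example that is not part of the issue thread and not JJWT's own code. It builds an HS256 compact JWS whose payload carries a trailing \r\n (as the reporter describes), verifies the signature, and then classifies the body first with a strict "starts with { and ends with }" check (the behavior the reporter ran into) and then with a whitespace-tolerant check (the fix the maintainer proposes). The key and the payload are constructed for the example; the function names are my own, not JJWT API.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for the example; not from the original issue.
KEY = b"example-hs256-key-not-from-the-issue"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used by compact JWS."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add padding so the standard decoder accepts a compact JWS segment."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jws(payload: bytes, key: bytes) -> str:
    """Build header.payload.signature with an HS256 MAC (a toy issuer, not JJWT)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(payload)
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def looks_like_json_strict(body: str) -> bool:
    """Old-style heuristic: only an exact '{...}' body is treated as JSON."""
    return body.startswith("{") and body.endswith("}")


def looks_like_json_trimmed(body: str) -> bool:
    """Proposed heuristic: ignore whitespace around the outer braces."""
    stripped = body.strip()
    return stripped.startswith("{") and stripped.endswith("}")


def parse_hs256_jws(token: str, key: bytes, tolerant: bool):
    """Verify the HS256 signature, then classify the body as ('claims', dict)
    or ('plaintext', str) using the selected heuristic. Signature is checked
    BEFORE any body interpretation, and only alg=HS256 is accepted, so an
    attacker cannot pick a different algorithm via the header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    body = b64url_decode(body_b64).decode("utf-8")
    is_json = looks_like_json_trimmed(body) if tolerant else looks_like_json_strict(body)
    if is_json:
        # json.loads accepts surrounding whitespace, so the trimmed body parses.
        return "claims", json.loads(body)
    return "plaintext", body


# Constructed payload mirroring the report: valid JSON followed by \r\n.
SAMPLE_PAYLOAD = b'{"iss":"XXX","scope":"XXX","jti":"ID"}\r\n'


def demo():
    token = make_hs256_jws(SAMPLE_PAYLOAD, KEY)
    strict_kind, _ = parse_hs256_jws(token, KEY, tolerant=False)
    tolerant_kind, claims = parse_hs256_jws(token, KEY, tolerant=True)
    return strict_kind, tolerant_kind, claims


if __name__ == "__main__":
    strict_kind, tolerant_kind, claims = demo()
    print("strict heuristic  ->", strict_kind)
    print("trimmed heuristic ->", tolerant_kind, claims)
```

The trailing whitespace never changes what was signed, so the signature verifies either way; the only thing the whitespace affects is the JSON-versus-plaintext classification, which is why trimming before the brace check (or attempting a JSON parse and falling back) is a safe fix.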

Hi @lhazlewood,

I just found out that a JWT body created by JJWT (+compact) will have a leading whitespace character (\n).

// Edit: It was JSON-B on OpenLiberty. They need an extra "strip()" call.

bmarwell avatar Apr 14 '22 10:04 bmarwell

This issue has been automatically marked as stale due to inactivity for 60 or more days. It will be closed in 7 days if no further activity occurs.

stale[bot] avatar Jul 10 '22 18:07 stale[bot]

This was resolved via 760c542a0b60b4c6f34c909bf4ede05ca588fbc7 by https://github.com/jwtk/jjwt/blob/a6792d938fd89b96fb38d22268962cfb8e742552/impl/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java#L509-L517 and https://github.com/jwtk/jjwt/blob/a6792d938fd89b96fb38d22268962cfb8e742552/impl/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java#L230C11-L230C11

lhazlewood avatar Sep 06 '23 01:09 lhazlewood