
Default header 'typ' breaking Apple JWT requests

Open colinferm opened this issue 1 year ago • 4 comments

In namespace Lcobucci\JWT\Token\Builder:23, there is the line:

private array $headers = ['typ' => 'JWT', 'alg' => null];

The header typ => JWT is breaking requests with Apple JWT requests (such as APNS or Apple Books API requests).

Can you either (a) make Builder non-final so it can be subclassed and this variable can be easily overwritten or (b) can you remove this header from the default array?

colinferm avatar Aug 19 '24 08:08 colinferm

Hi, do you mind sharing the conflicting Apple JWTs as well as the code you use to handle those JWTs with this library?

Slamdunk avatar Aug 19 '24 08:08 Slamdunk

Have you tried ->withHeader('typ', 'something-else')? It is overwritten that way, AFAIK

https://github.com/lcobucci/jwt/blob/5494ca9d06db2e2b606ab0c8587af2572dca2310/src/Token/Builder.php#L70-L76

Ocramius avatar Aug 19 '24 08:08 Ocramius

Yeah. Apple doesn't like the header type at all. It's dumb but it's Apple.

colinferm avatar Aug 19 '24 09:08 colinferm

We had other people using this library and successfully integrating with Apple (though I don't know details).

Do you have links to their documentation stating that they expect the header not to be defined? Can it be a bug on their end instead?

Nevertheless, this library favours explicitness. That means ensuring that downstream has an object that is a JWT (not some other types defined by the RFC group).

At this point, I don't see a reason for changing the implementation. You may create your own builder and make the (temporary or not) modifications you require for your use case.

lcobucci avatar Aug 19 '24 11:08 lcobucci