-
Notifications
You must be signed in to change notification settings - Fork 374
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suggest passing block to JWT.decode for claim verification #110
Comments
I've also looked at how JWT libraries in other languages such as Perl support claim verification. The Perl library supports passing a regular expression or callback function, but the callback function only receives the specific claim value as argument which doesn't solve our original problem. The json_web_token Ruby gem simply returns a hash of all claims and lets the application figure things out from there. Clean and simple. An alternative API closer to the current options style would be to have a separate callback closure for each claim and pass the (rest of the) payload (or claims as I prefer to name them) as an optional second argument to a proc. This would replace the flag-and-expected-value-in-options-hash by a single proc for claim verification. Example: JWT.decode(token, 'my-jwt-secret', true, {
verify_jti: proc { |jti,claims| valid_token?(claims) }, # with extra claims argument
verify_aud: proc { |aud| 'app' == aud } # without claims argument
}) Now it seems strange to pass both a specific claim and all claims (optionally) to the callback proc. Why not have a single JWT.decode(token, 'my-jwt-secret', true, {
verify: lambda { |claims|
valid_token?(claims) && 'app' == claims['aud']
} # can use lambda; no optional arguments
}) |
+1 for this, awkward |
Block passed to That has a significant issue, it is just passed the header, not the payload. So it can't find key based on the payload. I'd propose passing procs/lambdas/objects that respond to call instead of passing blocks. My use case is multi-tenant key verification and decoding like https://auth0.com/blog/2015/03/10/blacklist-json-web-token-api-keys/ describes in detail. JWT.decode('some-token',
key: ->(token) { KeyStore.find(token.payload['aud'] },
verify: ->(token) { KeyStore.verify_revocation(token) }
) To sum it up:
|
@mikz +1 Great proposal with a fitting use case. |
@mikz sounds good to me +1 |
The current method for verifying the JTI field in the token payload is only useful when the JTI value to compare against is known a priori (when making the call to
JWT.decode
).Summary: Using a block parameter or callback on
JWT.decode
to verify claims (passing the decoded payload/claims) would be more flexible and nicer API IMHOWhen the JTI value is dependent on information in the token payload (for example a user object found using a user_id field in the payload), then we can't pass the expected JTI value in the options hash to
JWT.decode
. In this case we don't know the expected value until after the token has been decoded. The same goes for comparing a JTI value to a blacklist.The usefulness of the options
{verify_jti: true, jti: 'expected-value'}
passed toJWT.decode
is limited. Maybe the same goes foriss
,aud
andsub
.May I suggest an alternative API for verification of
jti
,iss
,aud
andsub
which is to pass an (anonymous) block toJWT.decode
for verification. Thepayload
would be passed as parameters to the block. When the block returns falsey, thenJWT.decode
would raise aJWT::VerificationError
.For example: Given the following verification function ...
... with the current API I have to do:
... With a verification block this would become:
The current verfication of the
exp
,nbf
andiat
claims is unambiguous so it can be handled inJWT.decode
with the current flag-and-expected-value-in-options-hash method. But I would prefer the block method to be the only method to verfiy claims. Special 'build-in' methods could be used for verification ofexp
,nbf
andiat
claims.This method doesn't require a separate flags to indicate which claims to verify.
Sorry this has gotten a bit long. I hope I explained well.
The text was updated successfully, but these errors were encountered: