Skip to content

JWT Claims Mapping #5223

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jzheaux opened this issue Apr 9, 2018 · 0 comments
Closed

JWT Claims Mapping #5223

jzheaux opened this issue Apr 9, 2018 · 0 comments
Assignees
@jzheaux
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
Milestone
5.1.0.RC2

Comments

@jzheaux
Copy link
Contributor

jzheaux commented Apr 9, 2018
edited
Loading

Summary

When a JWT-encoded claim set is handed to Nimbus, the claim set is decoded and then coerced into a chosen Java type for each claim. Specifically:

  • nbf, iat, and exp are mapped to java.util.Date
  • aud is mapped to java.util.List

Additionally, Nimbus allowed the temporal claims to be null, since the JWT spec allows for this.

Spring Security maps the above fields in the following way:

  • nbf, iat and exp are mapped to Long
  • iat and exp are given a default value
  • aud is mapped to java.util.List

With both libraries, all other claims are left as-is, including custom claims.

For now, the work to transform the Nimbus representation into the Spring Security representation of the claims set is embedded into NimbusJwtDecoderJwkSupport, though at least a couple of concerns are likely to surface again and again with other implementations of JwtDecoder:

  1. The need to map a third-party library's representation of the temporal fields to Long

This issue affirms that both Nimbus and Auth0's implementation of the JWT spec coerce the temporal fields into java.util.Date. There are likely more libraries that do the same thing, which will require devs to duplicate code that transforms those Dates into Longs.

  1. The need to give exp and iat default values

NimbusJwtDecoderJwkSupport today wants to give exp and iat default values. If Spring Security intends to enforce this opinion in other implementations (for consistency), then the code needs to not be embedded in the Nimbus-specific implementation.

Actual Behavior

Certain shared logic is currently embedded in NimbusJwtDecoderJwkSupport.

Expected Behavior

Said logic should be in a more generic location.

Version

5.1.0.BUILD-SNAPSHOT
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) JWT-JOSE labels Apr 9, 2018
@jzheaux jzheaux mentioned this issue Aug 16, 2018
Closed
@jzheaux jzheaux added this to the 5.1.0.RC2 milestone Aug 21, 2018
@jzheaux jzheaux self-assigned this Aug 28, 2018
@jzheaux jzheaux mentioned this issue Aug 28, 2018
Merged
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 6, 2018
@jzheaux
Jwt Claim Mapping
1acdbbe 
This introduces a hook for users to customize standard Jwt Claim
values in cases where the JWT issuer isn't spec compliant or where the
user needs to add or remove claims.

Fixes: spring-projectsgh-5223
rwinch pushed a commit that referenced this issue Sep 7, 2018
@jzheaux @rwinch
Jwt Claim Mapping
9e0f171 
This introduces a hook for users to customize standard Jwt Claim
values in cases where the JWT issuer isn't spec compliant or where the
user needs to add or remove claims.

Fixes: gh-5223
@jzheaux jzheaux mentioned this issue Oct 23, 2018
Closed
@jgrandja jgrandja mentioned this issue Apr 28, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
Projects
None yet
Milestone
5.1.0.RC2
Development

No branches or pull requests
1 participant
@jzheaux