You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When a JWT-encoded claim set is handed to Nimbus, the claim set is decoded and then coerced into a chosen Java type for each claim. Specifically:
nbf, iat, and exp are mapped to java.util.Date
aud is mapped to java.util.List
Additionally, Nimbus allowed the temporal claims to be null, since the JWT spec allows for this.
Spring Security maps the above fields in the following way:
nbf, iat and exp are mapped to Long
iat and exp are given a default value
aud is mapped to java.util.List
With both libraries, all other claims are left as-is, including custom claims.
For now, the work to transform the Nimbus representation into the Spring Security representation of the claims set is embedded into NimbusJwtDecoderJwkSupport, though at least a couple of concerns are likely to surface again and again with other implementations of JwtDecoder:
The need to map a third-party library's representation of the temporal fields to Long
This issue affirms that both Nimbus and Auth0's implementation of the JWT spec coerce the temporal fields into java.util.Date. There are likely more libraries that do the same thing, which will require devs to duplicate code that transforms those Dates into Longs.
The need to give exp and iat default values
NimbusJwtDecoderJwkSupport today wants to give exp and iat default values. If Spring Security intends to enforce this opinion in other implementations (for consistency), then the code needs to not be embedded in the Nimbus-specific implementation.
Actual Behavior
Certain shared logic is currently embedded in NimbusJwtDecoderJwkSupport.
Expected Behavior
Said logic should be in a more generic location.
Version
5.1.0.BUILD-SNAPSHOT
The text was updated successfully, but these errors were encountered:
This introduces a hook for users to customize standard Jwt Claim
values in cases where the JWT issuer isn't spec compliant or where the
user needs to add or remove claims.
Fixes: spring-projectsgh-5223
This introduces a hook for users to customize standard Jwt Claim
values in cases where the JWT issuer isn't spec compliant or where the
user needs to add or remove claims.
Fixes: gh-5223
Uh oh!
There was an error while loading. Please reload this page.
Summary
When a JWT-encoded claim set is handed to Nimbus, the claim set is decoded and then coerced into a chosen Java type for each claim. Specifically:
nbf
,iat
, andexp
are mapped tojava.util.Date
aud
is mapped tojava.util.List
Additionally, Nimbus allowed the temporal claims to be null, since the JWT spec allows for this.
Spring Security maps the above fields in the following way:
nbf
,iat
andexp
are mapped toLong
iat
andexp
are given a default valueaud
is mapped tojava.util.List
With both libraries, all other claims are left as-is, including custom claims.
For now, the work to transform the Nimbus representation into the Spring Security representation of the claims set is embedded into
NimbusJwtDecoderJwkSupport
, though at least a couple of concerns are likely to surface again and again with other implementations ofJwtDecoder
:Long
This issue affirms that both Nimbus and Auth0's implementation of the JWT spec coerce the temporal fields into
java.util.Date
. There are likely more libraries that do the same thing, which will require devs to duplicate code that transforms thoseDate
s intoLong
s.exp
andiat
default valuesNimbusJwtDecoderJwkSupport
today wants to giveexp
andiat
default values. If Spring Security intends to enforce this opinion in other implementations (for consistency), then the code needs to not be embedded in the Nimbus-specific implementation.Actual Behavior
Certain shared logic is currently embedded in
NimbusJwtDecoderJwkSupport
.Expected Behavior
Said logic should be in a more generic location.
Version
5.1.0.BUILD-SNAPSHOT
The text was updated successfully, but these errors were encountered: