Skip to content

JWT Claims Mapping #5223

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
jzheaux opened this issue Apr 9, 2018 · 0 comments
Closed

JWT Claims Mapping #5223

jzheaux opened this issue Apr 9, 2018 · 0 comments
Assignees
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
Milestone

Comments

@jzheaux
Copy link
Contributor

jzheaux commented Apr 9, 2018

Summary

When a JWT-encoded claim set is handed to Nimbus, the claim set is decoded and then coerced into a chosen Java type for each claim. Specifically:

  • nbf, iat, and exp are mapped to java.util.Date
  • aud is mapped to java.util.List

Additionally, Nimbus allowed the temporal claims to be null, since the JWT spec allows for this.

Spring Security maps the above fields in the following way:

  • nbf, iat and exp are mapped to Long
  • iat and exp are given a default value
  • aud is mapped to java.util.List

With both libraries, all other claims are left as-is, including custom claims.

For now, the work to transform the Nimbus representation into the Spring Security representation of the claims set is embedded into NimbusJwtDecoderJwkSupport, though at least a couple of concerns are likely to surface again and again with other implementations of JwtDecoder:

  1. The need to map a third-party library's representation of the temporal fields to Long

This issue affirms that both Nimbus and Auth0's implementation of the JWT spec coerce the temporal fields into java.util.Date. There are likely more libraries that do the same thing, which will require devs to duplicate code that transforms those Dates into Longs.

  1. The need to give exp and iat default values

NimbusJwtDecoderJwkSupport today wants to give exp and iat default values. If Spring Security intends to enforce this opinion in other implementations (for consistency), then the code needs to not be embedded in the Nimbus-specific implementation.

Actual Behavior

Certain shared logic is currently embedded in NimbusJwtDecoderJwkSupport.

Expected Behavior

Said logic should be in a more generic location.

Version

5.1.0.BUILD-SNAPSHOT

@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) JWT-JOSE labels Apr 9, 2018
@jzheaux jzheaux added this to the 5.1.0.RC2 milestone Aug 21, 2018
@jzheaux jzheaux self-assigned this Aug 28, 2018
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 6, 2018
This introduces a hook for users to customize standard Jwt Claim
values in cases where the JWT issuer isn't spec compliant or where the
user needs to add or remove claims.

Fixes: spring-projectsgh-5223
rwinch pushed a commit that referenced this issue Sep 7, 2018
This introduces a hook for users to customize standard Jwt Claim
values in cases where the JWT issuer isn't spec compliant or where the
user needs to add or remove claims.

Fixes: gh-5223
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
Projects
None yet
Development

No branches or pull requests

1 participant