-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add jwt as a property of JwtExceptions #148
Comments
Is this still desired? Looking to contribute and this feature seems like a decent way to get my feet wet in here. |
Hi @mooseburgr - thanks for checking in! It is potentially - but there are a lot of changes happening right now in the JWE branch as that is our highest priority. Also a new validation framework may obviate the need for this particular approach - still working on that. So I'd ask to hold off on this in the meantime while we work on those two things - I wouldn't want to introduce more changes/change conflicts as the burden currently is pretty high. My hope is to have this stuff wrapped up in a few weeks as this is my highest coding priority at the moment. |
Sure, makes sense. It definitely looks like a lot going on there! Outsider looking in, but let me know if there's any grunt work I could help with. |
Hello, We are running into the same issue while attempting to parse claims from an expired token. We need a way to ignore that a token has expired, and allow other exceptions to be thrown. This assists to ensure that a token is from the correct originator, and allows us to use it, along with other validation information, to refresh for that user. Thanks for all of the hard work on this. |
I just realized that I may have left my comment in the wrong issue. I am currently implementing the OpenID Connect RP-Initiated Logout 1.0 specification for an OpenID Connect Provider and have exactly the same requirement as @runnermann while parsing the
|
One way you could do this is to catch an JwtParser jwtParser = Jwts.parserBuilder()
.setSigningKey(...)
.setClock( () -> Instance.now().plus(<days>).toDate())
.requireIssuer("https://issuer.example.com")
.build();
// ...
jwtParser.parse(jwtString)
The downside is you parse the token twice. And trusting the data in an expired token does come with risk. |
@bdemers Hmmm, interesting workaround 🤔 I could also manually base64url decode the body, read the |
@hertg you are spot on, my suggestion would not work because of the nbf claim. |
@bdemers thanks for the idea, I think I'll go ahead with something like that. final String body = jwtString.split("\\.")[1];
final String jsonString = new String(Base64.getUrlDecoder().decode(body), StandardCharsets.UTF_8);
final JsonNode json = Json.parse(jsonString);
final long seconds = json.get("iat").asLong();
JwtParser parser = Jwts.parserBuilder()
.requireIssuer(...)
.setSigningKeyResolver(...)
.setClock(new FixedClock(Date.from(Instant.ofEpochSecond(seconds))))
.build();
|
With the merge of the #113 that allows for custom |
When you try to parse the claims of a JWT, even when it fails validation, there may be instances where you would want to still read the claims.
Talking with @lhazlewood today, we came up with the following idea: adding the parsed JWT as a property of JwtException, so you could so something like:
This would solve the #86 use case.
The text was updated successfully, but these errors were encountered: