decentralized-identity / JWS-Test-Suite

JsonWebSignature2020 Test Suite
https://identity.foundation/JWS-Test-Suite
Apache License 2.0

Transmute credential 0 jwt representation has an empty subject property #54

Open decentralgabe opened 2 years ago

decentralgabe commented 2 years ago

https://github.com/decentralized-identity/JWS-Test-Suite/blob/main/data/implementations/transmute/credential-0--key-0-ed25519.vc-jwt.json#L2

"sub": {}, is present in the decoded JWT

The widely used Go library for JWX breaks on the empty property, which it claims is invalid.

The JWT RFC shows

The "sub" value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL.

Notably, the spruce impl does not include this property.

I'm curious if it's something that should be supported (and a bug with the lib), or if it is really invalid.

OR13 commented 2 years ago

Let's check after https://github.com/decentralized-identity/JWS-Test-Suite/actions/runs/2017273429 we still need to fix on our side.

OR13 commented 2 years ago

We are still tracking support for a fix for this here: https://github.com/transmute-industries/verifiable-data/issues/123

bumblefudge commented 2 years ago

@OR13 the action has run and is now a green dot!

clehner commented 2 years ago

Since #57 changed credential-0's credentialSubject to contain a foo property instead of being empty, the JWT payload referenced here now does not contain "sub": {} but instead contains "sub":{"foo":"bar"}. e.g. in the following.

https://github.com/decentralized-identity/JWS-Test-Suite/blob/8be234d31ea631d634e672defb1fa67ca501e402/implementations/transmute/credential-0--key-0-ed25519.vc-jwt.json

Edit: I updated https://github.com/transmute-industries/verifiable-data/issues/123#issue-1055180322 to reflect this.

PhilippGackstatter commented 1 year ago

@OR13 Can you clarify if this is an error? As quoted in the initial post on this issue, RFC 7519 states:

The "sub" value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL.

which led us to also error on "sub": {} in our implementation. Now the question is whether the test vector is incorrect. Since the transmute implementation is authoritative according to the README, it'd be good to clarify this.

On a related note, the test vector also encodes nbf as 1609529004 while the issuanceDate on credential-0.json is "2022-03-19T15:20:55Z", which is 1647703255 as a unix timestamp.
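The two checks raised in the comment above, as an added Go example that is not part of the thread and is not code from this repository or from any library mentioned here. `CheckClaims` is a hypothetical helper, the payload is constructed from the claim values quoted in the thread, and `nbf` is assumed to be in integer seconds.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// CheckClaims (hypothetical helper) reports problems with the "sub" and "nbf"
// claims of a decoded VC-JWT payload. issuanceDate is the credential's
// RFC 3339 issuanceDate value.
func CheckClaims(payload []byte, issuanceDate string) []string {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return []string{"payload is not a JSON object: " + err.Error()}
	}
	var problems []string
	// RFC 7519: "sub" is OPTIONAL, but when present it must be a StringOrURI.
	if raw, ok := claims["sub"]; ok {
		var sub string
		if err := json.Unmarshal(raw, &sub); err != nil || string(raw) == "null" {
			problems = append(problems, "sub is not a JSON string: "+string(raw))
		} else if strings.Contains(sub, ":") {
			// A StringOrURI value that contains ":" must be a URI.
			if u, err := url.Parse(sub); err != nil || u.Scheme == "" {
				problems = append(problems, "sub contains ':' but is not a URI")
			}
		}
	}
	// Compare nbf with issuanceDate, the same comparison the comment makes.
	if raw, ok := claims["nbf"]; ok {
		var nbf int64 // assumption: integer seconds
		issued, terr := time.Parse(time.RFC3339, issuanceDate)
		if err := json.Unmarshal(raw, &nbf); err != nil || terr != nil {
			problems = append(problems, "nbf or issuanceDate could not be parsed")
		} else if nbf != issued.Unix() {
			problems = append(problems, fmt.Sprintf("nbf %d != issuanceDate %d", nbf, issued.Unix()))
		}
	}
	return problems
}

func main() {
	// Constructed payload using only the claim values quoted in this thread.
	payload := []byte(`{"sub": {}, "nbf": 1609529004}`)
	for _, p := range CheckClaims(payload, "2022-03-19T15:20:55Z") {
		fmt.Println(p)
	}
}
```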

OR13 commented 1 year ago

v2 of the data model says that is invalid.

I am not planning to port any fixes related to v1.1... I think it's not worth implementing.

I am planning to only implement / maintain support for vc-jwt 2.0

see this spec:

https://github.com/w3c/vc-jwt

We started this test suite:

https://github.com/transmute-industries/vc-jwt-test-suite

Plan is to get the VCWG to adopt it... it's based on the work we did in this repo... which we don't plan to maintain at this point.