Closed ecthiender closed 4 years ago
Thank you for the report. It is not a bug; this is the required behaviour. Per https://tools.ietf.org/html/rfc7519#section-4.1.3:

> In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value.

and https://tools.ietf.org/html/rfc7519#section-2:

> StringOrURI
> A JSON string value, with the additional requirement that while arbitrary string values MAY be used, any value containing a ":" character MUST be a URI [RFC3986]. StringOrURI values are compared as case-sensitive strings with no transformations or canonicalizations applied.

The "aud" value contains a colon, and is not a URI. Therefore it must be rejected.
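The rule quoted in the reply above, as an added example in Python (not code from the jose library or from this thread): "aud" may be a single string or an array, any entry containing ":" must be a URI, and matching is an exact string comparison. The URI test is a simplified character-set check, and every name and sample value here is constructed for illustration.

```python
import json
import re

# RFC 3986 scheme, then only characters a URI may contain (unreserved,
# reserved, percent-encoded). Simplification (assumption): this checks the
# character set after the scheme, not the full RFC 3986 grammar.
_URI = re.compile(
    r"[A-Za-z][A-Za-z0-9+.\-]*:"
    r"(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
)


class AudienceError(ValueError):
    """Raised with a message that names the offending "aud" entry."""


def check_string_or_uri(value):
    # RFC 7519 section 2: any string is allowed, but one containing ":"
    # MUST be a URI.
    if not isinstance(value, str):
        raise AudienceError(f"aud entry {value!r} is not a JSON string")
    if ":" in value and not _URI.fullmatch(value):
        raise AudienceError(f"aud entry {value!r} contains ':' but is not a URI")
    return value


def parse_audience(claims_json):
    # RFC 7519 section 4.1.3: "aud" is an array of StringOrURI, or a single
    # StringOrURI when there is one audience. Normalise both to a list.
    claims = json.loads(claims_json)
    if not isinstance(claims, dict):
        raise AudienceError("claims set is not a JSON object")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list):
        raise AudienceError('"aud" must be a string or an array of strings')
    return [check_string_or_uri(v) for v in aud]


def audience_accepts(claims_json, expected):
    # Compared as case-sensitive strings, with no canonicalization.
    return expected in parse_audience(claims_json)


# Constructed sample claims sets (not the payload from the report).
SAMPLES = {
    "single": '{"aud": "billing"}',
    "array": '{"aud": ["billing", "urn:example:api"]}',
    "bad_colon": '{"aud": "my service: staging"}',
}
```

Note that a value such as `foo:bar` passes, because it is syntactically a URI with scheme `foo`; only colon-containing values that fail URI syntax are rejected.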
@frasertweedale thanks for the pointer :+1:. Also, do you think the error message can be improved? I'll be happy to submit a PR if you think that's the case.
@ecthiender yeah the message can probably be improved; it will have to be done in the `instance FromJSON Audience` because of the silly "if there's only one it can be just the string" special case.
The docs (https://hackage.haskell.org/package/jose-0.8.0.0/docs/Crypto-JWT.html#t:StringOrURI) say using the `IsString` instance with a `:` in a string will fail, if it's not a URI. But is it applicable for `FromJSON` instance as well?

When I use the following JSON payload and try to decode it as a `ClaimsSet`:

Results in:

Expected

I was expecting this to parse successfully, as I am using the `FromJSON` instance. Am I doing something wrong?