frasertweedale / hs-jose

Haskell JOSE and JWT library
http://hackage.haskell.org/package/jose
Apache License 2.0

Expose JWT serialization/deserialization primitives #85

Closed domenkozar closed 4 years ago

domenkozar commented 4 years ago

Sometimes it's useful to just extract the JSON out of a JWT when you don't have the private key to verify it.

Currently all JWT constructions are hidden, which makes this hard.

frasertweedale commented 4 years ago

Thanks for the report @domenkozar.

It's a deliberate decision of the library not to provide access to unverified data. Of course, you can always decode it yourself. It's extra work, but it should be; libraries should not make it easy for people to take shortcuts with security.

domenkozar commented 4 years ago

Security has a threat model. In our case we know JWT is generated securely so there's no need to verify it.

But the client (who doesn't have the private key to verify) uses information from the JWT.

frasertweedale commented 4 years ago

OK, well the client can decode the unverified JWT and read it themselves. Some of the instances available in the library may help with that (e.g. there is an instance FromJSON ClaimsSet). But the shortcut you desire violates the security principles of this library and will not be implemented.
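The two paths discussed above, side by side, as an added example (this is not code from hs-jose or from either participant). It assumes the `jose`, `aeson`, `base64-bytestring`, `bytestring`, `lens` and `mtl` packages; `peekClaims` is the "decode it yourself" route that splits the compact serialization and feeds the payload segment to the library's `FromJSON ClaimsSet` instance without any signature check, while `verifiedClaims` is the route the library supports, with `decodeCompact` followed by `verifyClaims`. The key, the claims and the audience string `"bob"` are constructed for the demo.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example for this thread; not code from hs-jose. Assumes the packages
-- jose, aeson, base64-bytestring, bytestring, lens and mtl are installed.
module Main (main) where

import Control.Lens ((&), (?~))
import Control.Monad.Except (runExceptT)
import Data.Aeson (eitherDecode)
import qualified Data.ByteString.Base64.URL as B64U
import qualified Data.ByteString.Char8 as B
import qualified Data.ByteString.Lazy as L
import Data.String (fromString)
import Crypto.JWT

-- Unverified inspection: split the compact serialization on '.', base64url-
-- decode the middle segment and parse it with the library's FromJSON ClaimsSet
-- instance. Nothing here checks the signature, so the result is untrusted
-- input: fine for logging or routing, never for an authorization decision.
peekClaims :: L.ByteString -> Either String ClaimsSet
peekClaims compact =
  case B.split '.' (L.toStrict compact) of
    [_header, payload, _signature] ->
      eitherDecode (L.fromStrict (B64U.decodeLenient payload))
    parts -> Left ("expected 3 segments, got " ++ show (length parts))

-- Verified path: decode, then let the library check the signature, the
-- audience and the time-based claims. Only a ClaimsSet returned from here
-- should drive decisions. The audience "bob" is a constructed value.
verifiedClaims :: JWK -> L.ByteString -> IO (Either JWTError ClaimsSet)
verifiedClaims key compact = runExceptT $ do
  jwt <- decodeCompact compact
  verifyClaims (defaultJWTValidationSettings (== fromString "bob")) key jwt

-- Sign a small constructed claims set so the demo is self-contained.
mkToken :: JWK -> IO (Either JWTError L.ByteString)
mkToken key = runExceptT $ do
  now <- currentTime
  let claims = emptyClaimsSet
        & claimIss ?~ fromString "alice"
        & claimAud ?~ Audience [fromString "bob"]
        & claimIat ?~ NumericDate now
  alg <- bestJWSAlg key
  jwt <- signClaims key (newJWSHeader ((), alg)) claims
  encodeCompact jwt

main :: IO ()
main = do
  key      <- genJWK (OctGenParam 32)   -- constructed HMAC key, fresh per run
  otherKey <- genJWK (OctGenParam 32)   -- a key the token was NOT signed with
  Right token <- mkToken key
  putStrLn "unverified peek (no signature check):"
  print (peekClaims token)
  putStrLn "verified with the signing key:"
  verifiedClaims key token >>= print
  putStrLn "verified with a different key (expected to fail):"
  verifiedClaims otherKey token >>= print
```

The third call is the point of the maintainer's position: `peekClaims` returns the same claims no matter which key the token was signed with, whereas `verifiedClaims` refuses the token under the wrong key. A client that only holds the public half of an asymmetric key can still take the `verifiedClaims` route with that public JWK; the hand-rolled decoder is for the case where no key is available at all, and its output should be treated accordingly.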