google / jwt_verify_lib

Provide c++ library to verify JWT tokens
Apache License 2.0
42 stars 43 forks

Too strict JSON decode in JWT #63

Closed h0x91b closed 3 years ago

h0x91b commented 3 years ago

Hi,

Spent a lot of time finding out that JSON with the same attribute twice or more will throw an error, JwtPayloadParseErrorBadJson

In my case, sub was present twice in the JWT token.

Decoding of such JSON

{
  "sub": "ba4c8db6-ec65-483a-8436-691dcd311a2c",
  "someotherattribute": 123,
  "sub": "user@mail.com"
}

will return an error here: https://github.com/google/jwt_verify_lib/blob/master/src/jwt.cc#L98-L100

Most tools like jwt.io, JSON.parse, jq and more will just produce an object with {"sub":"user@mail.com","someotherattribute":123}, i.e. sub will just be the last value.

I don't think that is such a critical error that it warrants throwing an exception.

qiwzhang commented 3 years ago

Our current implementation uses the protobuf JSON parsing code and converts the JSON to a proto::Struct. It uses a map<string, proto::Struct>. If you have two identical keys, it will not know how to handle it.

For speed and security, we decided to go with the protobuf JSON parser. In order to support your case, we may have to switch to a new JSON parser. It will not be an easy decision.

For now, there is nothing we can do.
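Added example, not code from the issue thread or from jwt_verify_lib: the payload quoted above decoded two ways with Python's json module, last-wins as jwt.io, JSON.parse and jq do, and strictly, rejecting the repeated member name as the library does, so the disagreement between the two readings is visible in code. The payload string is a copy of the one in the issue.

```python
import json

# Copy of the payload from the issue: "sub" appears twice.
DUPLICATE_SUB_PAYLOAD = '''{
  "sub": "ba4c8db6-ec65-483a-8436-691dcd311a2c",
  "someotherattribute": 123,
  "sub": "user@mail.com"
}'''


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    # object_pairs_hook is called for every object in the document (nested
    # ones included) with all (key, value) pairs in order, repeats and all,
    # which is the only point at which json.loads still sees the duplicate.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate member {key!r}")
        obj[key] = value
    return obj


def lenient_claims(payload: str) -> dict:
    """Last-wins decode: the behaviour of jwt.io, JSON.parse and jq."""
    return json.loads(payload)


def strict_claims(payload: str) -> dict:
    """Strict decode: a repeated member name is an error, as in jwt_verify_lib."""
    return json.loads(payload, object_pairs_hook=_reject_duplicates)


def describe_parse(payload: str) -> dict:
    """Report what each decoder takes "sub" to be for the same bytes."""
    out = {"lenient_sub": lenient_claims(payload).get("sub")}
    try:
        out["strict_sub"] = strict_claims(payload).get("sub")
        out["strict_error"] = None
    except DuplicateKeyError as exc:
        out["strict_sub"] = None
        out["strict_error"] = str(exc)
    return out


if __name__ == "__main__":
    print(describe_parse(DUPLICATE_SUB_PAYLOAD))
```

Two verifiers that disagree on which sub wins are a parser-differential problem, which is the reason a strict decode that refuses the token outright is the safer default for a claims parser.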