nov / json-jwt

JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and JSON Web Key) in Ruby
MIT License

Support JWS Payloads that are not JSON #91

Closed radamson closed 3 years ago

radamson commented 3 years ago

Thanks for all the hard work on this project!

Currently, json-jwt appears to support only JWS payloads that are valid JSON objects, and trying to decode a JWS with a payload that is not a valid JSON object throws an exception.

e.g.

```ruby
require 'json/jwt'

token = "eyJ6a..." # Truncated for readability. Encoded payload is not a valid JSON object.

decoded_token = JSON::JWT.decode token, :skip_verification
```

Throws ``json-jwt-1.13.0/lib/json/jose.rb:68:in `rescue in decode': Invalid JSON Format (JSON::JWT::InvalidFormat)``. This exception seems to be thrown when rescuing a `JSON::ParserError` which originates here:

https://github.com/nov/json-jwt/blob/a2b4c1599ef7c3604e214c46eadec9bfdb6e41a5/lib/json/jws.rb#L187

The JWS RFC defines the JWS Payload as:

> The sequence of octets to be secured -- a.k.a. the message. The payload can contain an arbitrary sequence of octets.

and the example in Section 3.3 says that

> (Note that the payload can be any content and need not be a representation of a JSON object.)

Any thoughts on this or the feasibility of supporting JWS payloads of any type?

andreydanil commented 3 years ago

Any updates on this?

nov commented 3 years ago

I don't have any plans to support this pattern now.
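
An added example, not from this thread and not json-jwt's own code: verifying an HS256 compact-serialization JWS whose payload is arbitrary octets, using only Ruby's standard library, and returning the payload as raw bytes instead of parsing it as JSON. The helper names, key and payload are constructed for illustration.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Base64url without padding, as used by JWS compact serialization.
def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end

# Hypothetical helper: build an HS256 compact JWS over arbitrary octets.
def sign_compact_hs256(payload_bytes, key)
  signing_input = [JSON.generate('alg' => 'HS256'), payload_bytes]
                  .map { |part| b64url_encode(part) }.join('.')
  sig = OpenSSL::HMAC.digest('SHA256', key, signing_input)
  "#{signing_input}.#{b64url_encode(sig)}"
end

# Hypothetical helper: verify first, then return the payload as raw bytes.
# Only the header is parsed as JSON; the payload is never interpreted.
def verify_compact_hs256(token, key)
  parts = token.split('.', -1)
  raise ArgumentError, 'expected three segments' unless parts.length == 3

  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm instead of trusting whatever the token declares.
  raise ArgumentError, 'unexpected alg' unless header.is_a?(Hash) && header['alg'] == 'HS256'

  expected = OpenSSL::HMAC.digest('SHA256', key, "#{header_b64}.#{payload_b64}")
  # Constant-time comparison of the MAC.
  unless OpenSSL.secure_compare(expected, b64url_decode(sig_b64))
    raise ArgumentError, 'signature mismatch'
  end

  b64url_decode(payload_b64)
end

# Constructed sample input: a demo key and a payload that is not JSON.
DEMO_KEY = 'constructed-demo-key-not-a-real-secret'
DEMO_PAYLOAD = "plain text \x00\xFF, not a JSON object".b
DEMO_TOKEN = sign_compact_hs256(DEMO_PAYLOAD, DEMO_KEY)
puts verify_compact_hs256(DEMO_TOKEN, DEMO_KEY).inspect
```

The caller decides how to interpret the returned bytes, typically from the header's `cty` or `typ` value, and only after the signature check has passed.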