reallylabs / jwt-scala

JSON Web Token (JWT) Scala implementation
Apache License 2.0

Inappropriate InvalidHeader results when using standard Hmac Sha algorithm names in the "alg" header field #5

Closed djriffel closed 9 years ago

djriffel commented 9 years ago

Hello,

I just started using this library but really like it so far. The simplicity, combined with the "native" feel when using Scala, as well as the integration with Play's Json data types make for a really pleasant combination. One thing I noticed, however, is that the Hmac Sha algorithms don't seem to be named appropriately. I believe the standard is for these to be named with the convention of "HSxxx", but instead this library refers to them as "HmacSHAxxx". This results in InvalidHeader returns when trying to parse out a valid JWT token from serialized/string form.

Unless I am mistaken or unless there are several accepted ways to parse these values, this result doesn't look like it should be the case.

I noticed this when trying to verify tokens which have been issued by the Auth0 service (which also offers token delegation for Firebase, so I would assume that both of these services utilize the "HSxxx" naming convention). I also found the following references which seem to support this convention:

http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#ExampleJWT
https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-3.2

The HSxxx naming convention is also present in almost every other example of JWT usage I've seen. Am I missing something regarding why this library refers to Hmac "alg" values in the format of "HmacSHAxxx"?

I would have submitted a pull request for this change, but my use case only utilizes the parsing of tokens which makes it a bit harder for me to test the full scope of use-cases. But it does appear that the only thing that must be done is to simply change every string value within the package.scala source to read "HSxxx" instead of "HmacSHAxxx" (this is what I did with my own local copy of the sources, and it seems to have fixed all of my InvalidHeader issues).
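To make the distinction in the report concrete: the JOSE `"alg"` values are `HS256`, `HS384` and `HS512` (RFC 7518 section 3.2), while `HmacSHA256` and friends are JCA `Mac` algorithm names used inside a JVM implementation and never appear on the wire. The following is an added example, not code from jwt-scala, that encodes and verifies an HMAC-signed JWT using the standard names and rejects a header carrying the JCA spelling (or `none`, or a lower-case variant) with an `InvalidHeader`-style error before any signature work is done. The key, claims and exception class names are constructed for the example.

```python
import base64
import hashlib  # noqa: F401  (documents that the digest names below are hashlib names)
import hmac
import json

# JOSE "alg" names (RFC 7518 section 3.2) mapped to the hashlib digest to use.
# Lookup is exact-match, so "HmacSHA256", "hs256" and "none" are all rejected.
JOSE_HMAC_ALGS = {
    "HS256": "sha256",
    "HS384": "sha384",
    "HS512": "sha512",
}

# The JCA Mac names a JVM implementation would pass to javax.crypto.Mac.getInstance.
# This is the mapping the issue describes as having been confused with the header value.
JCA_MAC_NAMES = {
    "HS256": "HmacSHA256",
    "HS384": "HmacSHA384",
    "HS512": "HmacSHA512",
}


class InvalidHeader(ValueError):
    """Raised when the JOSE header is malformed or names an unsupported alg."""


class InvalidSignature(ValueError):
    """Raised when the HMAC over header.payload does not match the third segment."""


def jca_mac_name(alg: str) -> str:
    """Translate a JOSE alg into the JCA Mac name; fails closed on unknown input."""
    if alg not in JCA_MAC_NAMES:
        raise InvalidHeader(f"unsupported alg {alg!r}")
    return JCA_MAC_NAMES[alg]


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def encode_hs(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Produce a compact-serialized JWT signed with the named HMAC alg."""
    if alg not in JOSE_HMAC_ALGS:
        raise InvalidHeader(f"unsupported alg {alg!r}")
    header = {"typ": "JWT", "alg": alg}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), JOSE_HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_hs(token: str, key: bytes) -> dict:
    """Verify an HS*-signed JWT and return its claims, or raise on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidHeader("expected three dot-separated segments")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidHeader(f"header is not base64url JSON: {exc}")
    alg = header.get("alg")
    # Reject before touching the key: a non-standard alg is a header error, not a crypto error.
    if alg not in JOSE_HMAC_ALGS:
        raise InvalidHeader(f"unsupported or non-standard alg {alg!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), JOSE_HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise InvalidSignature("HMAC mismatch")
    return json.loads(_b64url_decode(p))


if __name__ == "__main__":
    key = b"constructed-test-key"  # constructed; never hard-code a real key
    tok = encode_hs({"sub": "1234567890", "admin": True}, key)
    print(tok)
    print(decode_hs(tok, key))
    print(jca_mac_name("HS256"))
```

Note that the `"alg"` check happens before the HMAC is computed, so a header that says `HmacSHA256` is reported as a header problem rather than a signature problem, which is the failure mode the reporter saw in reverse: tokens with the correct `HS256` header being refused as `InvalidHeader`.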