Open Bair95 opened 5 years ago
In the spring-security-jwt submodule, class `JwtTests`: this edited test shouldn't pass, as the "foo" value is "bar:barbarbar". But only "bar" is parsed, so the test is still passing.

```java
@Test
public void inspectCustomHeaders() throws Exception {
    Map<String, String> headers = JwtHelper.headers(
            JwtHelper.encode(JOE_CLAIM_SEGMENT, hmac, Collections.singletonMap("foo", "bar:barbarbar")).getEncoded());
    assertEquals("Wrong header: " + headers, "bar", headers.get("foo"));
    assertEquals("Wrong header: " + headers, "HS256", headers.get("alg"));
    assertEquals("Wrong header: " + headers, "JWT", headers.get("typ"));
}
```
I'm not sure why the module is commented in the pom, nor why I can't find any dedicated repository for spring-security-jwt.
The error comes from `JwtHelper.parseMapInternal`; this line is responsible for the bad parsing: `String[] values = pair.split(":");`. I can't see any reason why a JSON parser is manually reimplemented here instead of using a battle-tested library (Gson, Jackson, you name it) that would prevent this kind of obvious and avoidable bug.
Summary
When receiving an OAuth2 JWT token and parsing the additional information (idToken), `JwtHelper.headers(idToken)` fails to parse fields containing ":".
Actual Behavior
The field "kid" containing "public:uuid-number-random" is parsed, and the resulting value is only "public".
Expected Behavior
The resulting value should be "public:uuid-number-random".
Configuration
Java 8, Linux Manjaro
Version
spring-security-jwt 1.0.9.RELEASE, spring-security-jwt 1.0.10.RELEASE
Sample
Test example: JwtHelper from spring-security vs Nimbus JWT
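The following is an added example, not code from the issue or from spring-security-jwt itself. It reconstructs the header-parsing behaviour the report describes (a hypothetical `parseNaive` that splits each `key:value` pair on every `:`, as the quoted `pair.split(":")` line does) beside a corrected variant that splits on the first colon only, and runs both over a constructed JWT header carrying a `kid` value with an embedded colon. The header JSON and its Base64URL encoding are constructed for the demo; the class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added demo (hypothetical names): reproduces the colon-truncation defect and a fix.
public class JwtHeaderSplitDemo {

    // Constructed sample header; a real token would carry this Base64URL-encoded
    // as its first segment. The "kid" value deliberately contains a ':'.
    static final String HEADER_JSON =
            "{\"alg\":\"HS256\",\"typ\":\"JWT\",\"kid\":\"public:uuid-number-random\"}";

    // Hypothetical reconstruction of the reported behaviour: strip the braces,
    // split members on ',', then split each member on EVERY ':'. Anything after
    // the second ':' in a pair is silently dropped.
    static Map<String, String> parseNaive(String json) {
        Map<String, String> map = new HashMap<>();
        for (String pair : stripBraces(json).split(",")) {
            String[] values = pair.split(":");          // the line quoted in the issue
            map.put(unquote(values[0]), unquote(values[1]));
        }
        return map;
    }

    // Minimal fix: split on the FIRST ':' only (limit 2), so the value keeps
    // any colons it contains. Still a hand-rolled parser, see the note below.
    static Map<String, String> parseFirstColonOnly(String json) {
        Map<String, String> map = new HashMap<>();
        for (String pair : stripBraces(json).split(",")) {
            String[] values = pair.split(":", 2);
            if (values.length != 2) {
                throw new IllegalArgumentException("Malformed header member: " + pair);
            }
            map.put(unquote(values[0]), unquote(values[1]));
        }
        return map;
    }

    // Remove the surrounding '{' and '}' of a flat JSON object.
    static String stripBraces(String json) {
        String body = json.trim();
        if (!body.startsWith("{") || !body.endsWith("}")) {
            throw new IllegalArgumentException("Not a JSON object: " + json);
        }
        return body.substring(1, body.length() - 1);
    }

    // Drop a leading and a trailing double quote independently, mirroring a
    // parser that does not verify the quotes are balanced.
    static String unquote(String s) {
        s = s.trim();
        if (s.startsWith("\"")) s = s.substring(1);
        if (s.endsWith("\"")) s = s.substring(0, s.length() - 1);
        return s;
    }

    // Decode the Base64URL header segment of a JWT back to its JSON text.
    static String decodeHeaderSegment(String segment) {
        return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Build the encoded header segment exactly as a token issuer would.
        String segment = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(HEADER_JSON.getBytes(StandardCharsets.UTF_8));
        String json = decodeHeaderSegment(segment);

        Map<String, String> naive = parseNaive(json);
        Map<String, String> fixed = parseFirstColonOnly(json);

        System.out.println("naive kid = " + naive.get("kid"));
        System.out.println("fixed kid = " + fixed.get("kid"));
        // A defender-side sanity check: a kid that lost characters will not
        // match the key identifier the resource server actually holds.
        System.out.println("naive and fixed agree: " + naive.get("kid").equals(fixed.get("kid")));
    }
}
```

Running `main` prints `public` for the naive parse and `public:uuid-number-random` for the limit-2 split, which is the exact discrepancy the report describes. The limit-2 split only fixes the colon case; a value containing `,` or an escaped quote still breaks both hand-rolled parsers, which is why the reporter's suggestion of a real JSON library is the robust option (for instance Jackson's `new ObjectMapper().readValue(json, new TypeReference<Map<String, String>>() {})`, assuming that dependency is on the classpath). A `kid` that is silently truncated matters beyond test correctness: key lookup by identifier is how a verifier selects the signing key, so a mangled `kid` leads to failed or, worse, wrong key selection.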