tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License

issues with cross domain validation #1230

Open techabu opened 7 years ago

techabu commented 7 years ago

Hi,

I am working on SSO between two applications with different domains. Application1 is in Domain1 and Application2 is in Domain2. When the user logs in to Application1 and accesses Application2, a JWT is generated by the Application1 server and passed on to an API in Application2 to authenticate and access Application2. When the JWT is generated in Application1, the iss is set to https://domain1.com in the JWT. When I validate the JWT token with Jwt::payload($token) I'm getting a "Token Signature could not be verified." error in NamshiAdapter.php line 71. When I manually generate the token without the iss parameter and pass it on to the same API, it works fine. At this point in time, the iss is https://domain2.com. My question is why the iss is validated to be domain2.com where the token is decoded. How to fix this?

techabu commented 7 years ago

Hi,

I fixed the issue. In the iss parameter the value was https://domain1.com, which gets escaped when converted to a JSON string by json_encode in the generateSigninInput() function of the JWT class. I changed the code to $this->encoder->encode(json_encode($this->getPayload(), JSON_UNESCAPED_SLASHES));

Is there any better way to do this? I tried extending the class without making any modifications to the package, but I'm not able to since it is deeply linked.
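An added example (not code from jwt-auth or Namshi JOSE) that models the failure mode behind this issue: PHP's json_encode writes "/" as "\/" by default, so a verifier that rebuilds the signing input by re-serialising the decoded claims checks the HMAC over different bytes than the issuer signed whenever the two sides escape slashes differently. The secret and claims are constructed sample values, and php_json_encode is a stand-in for PHP's encoder; the assumption that the verifier re-encodes the payload is inferred from generateSigninInput() being involved in validation.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not taken from the issue.
SECRET = b"constructed-shared-secret"
CLAIMS = {"iss": "https://domain1.com", "sub": "42"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def php_json_encode(obj, unescaped_slashes: bool = False) -> str:
    # Stand-in for PHP json_encode(): compact output, and "/" becomes "\/"
    # unless the JSON_UNESCAPED_SLASHES flag is given.
    s = json.dumps(obj, separators=(",", ":"))
    return s if unescaped_slashes else s.replace("/", "\\/")


def sign_hs256(claims: dict, secret: bytes, encoder) -> str:
    # Issuer side (Application1): the HMAC covers header.payload as encoded here.
    header = b64url(encoder({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url(encoder(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_over_raw_segments(token: str, secret: bytes) -> bool:
    # Robust verifier: check the MAC over the exact bytes that were received.
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def verify_over_reencoded_payload(token: str, secret: bytes, encoder) -> bool:
    # Fragile verifier: decode the claims, re-serialise them, and check the MAC
    # over that. Any formatting difference (here: slash escaping) breaks it.
    header, payload, sig = token.split(".")
    hdr = json.loads(b64url_decode(header))
    claims = json.loads(b64url_decode(payload))
    rebuilt = f"{b64url(encoder(hdr).encode())}.{b64url(encoder(claims).encode())}"
    expected = hmac.new(secret, rebuilt.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))
```

Verifying over the raw segments accepts the token no matter how the issuer escaped its JSON, which is why the JSON_UNESCAPED_SLASHES change only works as long as both applications keep the same encoder flags.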