uruk-project / Jwt

JSON Web Token implementation for .Net & .Net Core
MIT License

Some Errors on Validation BinaryPayloadJwt #504

Closed orangeagain closed 3 years ago

orangeagain commented 3 years ago

```csharp
using System;
using System.Text;
using JsonWebToken;

class Program
{
    static void Main()
    {
        var signatureKey = SymmetricJwk.FromBase64Url("R9MyWaEoyiMYViVWo8Fk4TUGWiSoaW6U1nOqXri8_XU");
        var encryptionKey = new SymmetricJwk("R9MyWaEoyiMYViVWo8Fk4T");
        // "Life long and prosper." as UTF-8 bytes
        var payload = new byte[] { 76, 105, 102, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32, 112, 114, 111, 115, 112, 101, 114, 46 };

        // Encrypted-only token (JWE) carrying raw bytes: no signature, no claims
        var descriptor = new BinaryJweDescriptor(payload)
        {
            EncryptionKey = encryptionKey,
            EncryptionAlgorithm = EncryptionAlgorithm.Aes128CbcHmacSha256,
            Algorithm = KeyManagementAlgorithm.Aes128KW
        };

        var writer = new JwtWriter();
        var token = writer.WriteTokenString(descriptor);

        Console.WriteLine("The JWT is:");
        Console.WriteLine(descriptor);
        Console.WriteLine("payload:" + Encoding.UTF8.GetString(payload));
        Console.WriteLine("Its compact form is:");
        Console.WriteLine(token);

        // Policy with JWS-style requirements applied to a token that has no JWS inside
        var policy = new TokenValidationPolicyBuilder()
                       .RequireSignature(signatureKey, SignatureAlgorithm.HmacSha256)
                       .RequireAudience("636C69656E745F6964")     // this does not exist in the payload; why does the result still succeed?
                       .RequireIssuer("https://idp.example.com/") // this does not exist in the payload; why does the result still succeed?
                       .Build();

        var reader = new JwtReader(encryptionKey);
        var result = reader.TryReadToken(token, policy);
        if (result.Succedeed)
        {
            Console.WriteLine("Decrypted token is " + result.Token.Payload.ToString()); // payload should be a byte array; why is it null here?
        }
        else
        {
            Console.WriteLine("Failed to read the token. Reason: " + Environment.NewLine + result.Status);
        }
    }
}
```

Some of this is not reasonable. If it returned a byte array or string payload, that would be good.

ycrumeyrolle commented 3 years ago

This is right. There is an issue when the JWE token is encrypted and does not contain a JWS, but there are requirements designed for JWS, like signature, audience, lifetime or issuer validation.

Bugfix in progress. When a requirement is added to the validation policy, the token is no longer considered valid, as it is not possible to validate it.
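The practical consequence of the maintainer's point is that a binary JWE can never satisfy a policy that requires a signature, issuer or audience: encryption gives confidentiality, but the claims and signature the policy asks for simply are not in the token, so it must be rejected rather than silently accepted. To get validated claims together with encryption, the JWS has to be nested inside the JWE. The block below is an added example written for this page; it is not the issue author's code or code from the project's repository. It assumes the JsonWebToken 1.x API as used in the issue (`JweDescriptor` with a `JwsDescriptor` as its `Payload` for the nested form, and `TokenValidationResult` as the return type of `TryReadToken`) and reuses the keys and claim values from the issue.

```csharp
using System;
using System.Text;
using JsonWebToken;

// Added example: contrasts a binary JWE (must fail the claims policy) with a
// nested JWS-in-JWE (passes the same policy). API names follow JsonWebToken 1.x
// as used in the issue; keys and claim values are the ones from the issue.
static class NestedJweExample
{
    static readonly SymmetricJwk SignatureKey =
        SymmetricJwk.FromBase64Url("R9MyWaEoyiMYViVWo8Fk4TUGWiSoaW6U1nOqXri8_XU");
    static readonly SymmetricJwk EncryptionKey = new SymmetricJwk("R9MyWaEoyiMYViVWo8Fk4T");

    static void Main()
    {
        // A policy that can only be satisfied by a JWS: signature, audience and issuer.
        var policy = new TokenValidationPolicyBuilder()
            .RequireSignature(SignatureKey, SignatureAlgorithm.HmacSha256)
            .RequireAudience("636C69656E745F6964")
            .RequireIssuer("https://idp.example.com/")
            .Build();
        var writer = new JwtWriter();
        var reader = new JwtReader(EncryptionKey);

        // 1) Binary JWE: encrypted bytes, no signature, no claims. Nothing inside it can
        //    satisfy the policy, so with the fix described above TryReadToken must fail.
        var binary = new BinaryJweDescriptor(Encoding.UTF8.GetBytes("Life long and prosper."))
        {
            EncryptionKey = EncryptionKey,
            EncryptionAlgorithm = EncryptionAlgorithm.Aes128CbcHmacSha256,
            Algorithm = KeyManagementAlgorithm.Aes128KW
        };
        Report("binary JWE", reader.TryReadToken(writer.WriteTokenString(binary), policy));

        // 2) Nested JWS inside a JWE: the inner token carries the HMAC signature and the
        //    iss/aud/exp claims, so the same policy can be checked and succeeds.
        var nested = new JweDescriptor
        {
            EncryptionKey = EncryptionKey,
            EncryptionAlgorithm = EncryptionAlgorithm.Aes128CbcHmacSha256,
            Algorithm = KeyManagementAlgorithm.Aes128KW,
            Payload = new JwsDescriptor
            {
                SigningKey = SignatureKey,
                Algorithm = SignatureAlgorithm.HmacSha256,
                Issuer = "https://idp.example.com/",
                Audience = "636C69656E745F6964",
                IssuedAt = DateTime.UtcNow,
                ExpirationTime = DateTime.UtcNow.AddMinutes(5)
            }
        };
        Report("nested JWS in JWE", reader.TryReadToken(writer.WriteTokenString(nested), policy));
    }

    // Assumed type name: TokenValidationResult is what TryReadToken returns in 1.x.
    static void Report(string label, TokenValidationResult result)
    {
        if (result.Succedeed)
            Console.WriteLine($"{label}: accepted, payload = {result.Token.Payload}");
        else
            Console.WriteLine($"{label}: rejected, status = {result.Status}");
    }
}
```

The point to take from the two cases: if an application needs issuer or audience checks, the token it accepts must contain a JWS, and the policy passed to the reader must reflect that. A policy that lists signature and claim requirements for a token type that cannot carry them is a configuration error, and the correct behaviour of the library is to report a failed validation, not to skip the checks it cannot perform.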