yourkarma / JWT

A JSON Web Token implementation in Objective-C.
MIT License

JWS Compact Serialization #179

Closed jayfar closed 6 years ago

jayfar commented 6 years ago

I am successfully able to use this library to generate an RS256 JWT token from my application. The token and public key are successfully verified using the debugger at http://jwt.io

However, when I attempt to use my generated JWT on a server using the .NET System.IdentityModel.Tokens.Jwt (https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/), it fails with an error indicating it is not in JWS compact format.

I see the .NET code is trying to match the JWT with this regular expression:

^[A-Za-z0-9-]+.[A-Za-z0-9-]+.[A-Za-z0-9-_]*$

Refs: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/d771b5c3ef22b7ff065e8fad1a63d6a2937b7d7f/src/System.IdentityModel.Tokens.Jwt/JwtSecurityToken.cs#L52

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/af5e5c2b0100e8348c63e2d2bb45612e2080841e/src/System.IdentityModel.Tokens.Jwt/JwtConstants.cs#L56

My JWT generated from this library contains '=', '/' and '+' characters which would indeed fail the above regex check.

Is this a JWS Compact Serialization vs Non Compact Issue?

Does this library support JWS Compact Serialization? If not, is there an easy modification I can make to generate JWS Compact Serialization?

https://tools.ietf.org/html/rfc7515#section-7.1

jayfar commented 6 years ago

After a bit more digging into this library code, I found this optional dependency... https://github.com/soheilbm/Base64 by looking here: https://github.com/yourkarma/JWT/blob/a8829959acd7fbc79bdb47f433e3b9243e1c304f/Core/Supplement/JWTBase64Coder.m#L21

Without it, on iOS, the library will generate JWT that contains '=', '/' and '+' characters (only Base64 encoded and not Base64URL encoded). Once I added the Base64 library, this library started generating compact JWT that passed the .NET checks and worked.

If I had used this project's CocoaPods install method, rather than manually copying the source code into my project, I would not have had this issue of the missing optionally dependent library.

Hopefully this followup helps someone in the future.
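The encoding difference discussed in this thread, as an added Python example that is not code from the issue, the JWT library or the .NET package. It uses HS256 from the standard library in place of RS256, a regex written from the RFC 7515 base64url alphabet, and constructed key and claims; all function names are assumptions of the example. It also shows why the encoding has to be chosen before signing: the signature covers the encoded header and payload, so swapping the alphabet on a finished token changes the signing input.

```python
import base64, hashlib, hmac, json, re

# Character check for RFC 7515 section 7.1: three base64url segments
# (A-Z a-z 0-9 - _), unpadded, joined by ".". Written from the RFC alphabet.
COMPACT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Constructed sample values, not taken from the thread.
KEY = b"constructed-demo-key"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "demo"}

def b64_std(data: bytes) -> str:
    """Standard Base64: may emit '+', '/' and '=' padding."""
    return base64.b64encode(data).decode("ascii")

def b64url(data: bytes) -> str:
    """Base64URL without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sign_hs256(header: dict, payload: dict, key: bytes, encode) -> str:
    """Build header.payload.signature using the given segment encoder."""
    segs = [encode(json.dumps(part, separators=(",", ":")).encode())
            for part in (header, payload)]
    mac = hmac.new(key, ".".join(segs).encode("ascii"), hashlib.sha256)
    return ".".join(segs + [encode(mac.digest())])

def is_compact(token: str) -> bool:
    return COMPACT_RE.match(token) is not None

def to_base64url(token: str) -> str:
    """Swap the alphabet and drop padding on an already-signed token."""
    return token.translate(str.maketrans("+/", "-_")).replace("=", "")

def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the MAC over the first two segments exactly as received."""
    head, body, sig = token.split(".")
    mac = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256)
    raw = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
    return hmac.compare_digest(raw, mac.digest())

if __name__ == "__main__":
    std = sign_hs256(HEADER, PAYLOAD, KEY, b64_std)
    url = sign_hs256(HEADER, PAYLOAD, KEY, b64url)
    patched = to_base64url(std)
    for name, tok in (("standard", std), ("base64url", url), ("patched", patched)):
        print(name, is_compact(tok), verify_hs256(tok, KEY))
```

The patched token passes the character check but no longer verifies, because removing the payload's padding changed the bytes that were signed.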