Header decode compatibility issue

[duclm2609]

I currently have a problem with header decode. I have 2 services, one in Golang and one in Java. The JWT token is created on Java service using jjwt library (https://github.com/jwtk/jjwt). The header after decode is, for e.g: {"typ":"JWT","alg":"RS256"} but currently in this library you are hardcode it as following:

func createHeaderRaw(alg string) []byte {
	if header := fixedHeaders[alg]; header != nil {
		return header.raw
	}

	return []byte(`{"alg":"` + alg + `","typ":"JWT"}`)
}

which produce output: {"alg":"RS256","typ":"JWT"}. Clearly the content are the same but the check is failed since you are compare them byte by byte. I would suggest another check which using map. I can create a pull request if it's possible.
Thank you for your great work.

[kataras]

Hello @duclm2609, for known algorithms (like RS256) the fixedHeaders are used (for performance boost), we can just add the typ:..., alg:.. forms too :) There is no need to support custom header/map at the moment (although it's not hard to do it).

EDIT: I think your issue with the java libray is that it accepts the golang one, but this golang jwt library does not accept the java's one because the order is different, right? If that's the case, then the issue is not on the createHeaderRaw itself but it's on the decodeToken (which calls the createHeaderRaw, we should modify that part to be able to understand the opossite form too). Note that, normally, this is the "correct" JWT specification form, that our kataras/jwt library uses.

[geordee]

On the header decode compatibility issue, the typ header is optional as per the specs.

I have a provider which creates JWT without the typ header, and some additional parameters (JWS). Is it possible to make the call to compareHeader optional using a flag?

[cfeeling]

I also met this issue when verifying the JWT token which was created by some library in other language. They added some additional keys in that header, and I must not modify the implementation in that library.

On my side, I would like to use my custom function to compare header of token, which is done by build-in compareHeader (

jwt/token.go

Line 159 in 9f23c50

func compareHeader(alg string, headerDecoded []byte) bool {

) right now, if it is possible.

Thanks for your work, it already makes my work more easier!

[kataras]

Sorry for the delay @cfeeling, @geordee. I've just pushed a commit and a new tag 0.0.9 which exports the CompareHeader so you can modify it globally.

Merry Christmas 🎄 🎅🏽 🤶🏽

[cfeeling]

Sorry for the delay @cfeeling, @geordee. I've just pushed a commit and a new tag 0.0.9 which exports the CompareHeader so you can modify it globally.

Merry Christmas 🎅🏽 🤶🏽

Thanks, it is one of nice things in this holiday!

I could use it as resetting the public variable CompareHeader right now, thats great!

Happy New Year, dear @kataras @geordee

[kataras]

Thanks @cfeeling, exactly! Happy new year 😊🙌🥳

[kataras]

Hello @duclm2609 and @cfeeling.

I've just pushed v0.1.0, get it with:

$ go get -u github.com/kataras/jwt@latest

which contains new more methods: SignWithHeader and VerifyWithHeaderValidator to support custom headers and public key validation per-token (e.g jwt key ids/amazon and e.t.c.). Please take a look at the complete example at: https://github.com/kataras/jwt/blob/main/_examples/custom-header/main.go

[cfeeling]

Hello @duclm2609 and @cfeeling.

I've just pushed v0.1.0, get it with:

$ go get -u github.com/kataras/jwt@latest

which contains new more methods: SignWithHeader and VerifyWithHeaderValidator to support custom headers and public key validation per-token (e.g jwt key ids/amazon and e.t.c.). Please take a look at the complete example at: https://github.com/kataras/jwt/blob/main/_examples/custom-header/main.go

Hi @kataras , I received your message now, but I'm busy recently. I will be back and response ASAP when I was free, thanks for your work.

[kataras]

Hi @cfeeling no worries, take your time.