
Add validation for JWT type #1220

Closed
leastprivilege opened this issue Jul 17, 2019 · 6 comments
Labels: Customer reported (Indicates issue was opened by customer); Enhancement (The issue is a new feature); P2 (Little less important, but we would like to do this)

Comments

@leastprivilege
Contributor

According to the latest JWT BCP, different types of JWTs should use different values for the typ header field.

https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-06#section-3.11

It would be useful to have a ValidType property on the TokenValidationParameters to be able to easily add this validation check.

@brentschmaltz brentschmaltz added Enhancement The issue is a new feature P1 More important, prioritize highly Customer reported Indicates issue was opened by customer labels Jul 18, 2019
@brentschmaltz brentschmaltz modified the milestones: 6.x, 5.x Release Jul 18, 2019
@brentschmaltz
Member

After investigating, we will probably want to make this change in 5.x and 6.x

@brentschmaltz
Member

This is a bit involved as we should enable a rule set based on type as covered in 3.12

@leastprivilege
Contributor Author

I think for now it would be totally sufficient to check the typ value.

@brentschmaltz
Member

@leastprivilege agreed.
We can think about the future so we don't box ourselves in.

@brentschmaltz brentschmaltz modified the milestones: 6.x, 5.6.0 Oct 8, 2019
@mafurman
Member

mafurman commented Oct 14, 2019

@leastprivilege We will add a 'ValidTypes' property on TokenValidationParameters that will be a collection of strings. Matching will be case-sensitive-ordinal. By default, we will accept all types, but if the property is set we will only allow those types.
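As an added example (not code from this issue or from the library's own sources) of the `ValidTypes` behaviour described above, assuming the property shipped as a collection of strings on `TokenValidationParameters` and using a constructed symmetric key for both minting and validation:

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Constructed demo key: one HMAC key is used to both mint and validate.
// A real resource server would validate with the issuer's public key.
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes-long!"));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var handler = new JwtSecurityTokenHandler();

// Mint tokens that differ only in the typ header value.
string Mint(string typ)
{
    var header = new JwtHeader(creds) { ["typ"] = typ };
    var payload = new JwtPayload("https://issuer.example", "api",
        new[] { new Claim("sub", "alice") }, DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5));
    return handler.WriteToken(new JwtSecurityToken(header, payload));
}

var parameters = new TokenValidationParameters
{
    ValidIssuer = "https://issuer.example",
    ValidAudience = "api",
    IssuerSigningKey = key,
    // Only accept access tokens per the BCP; matching is ordinal and case-sensitive,
    // so "JWT" and "AT+JWT" are both rejected. Leaving ValidTypes unset accepts any typ.
    ValidTypes = new[] { "at+jwt" },
};

foreach (var typ in new[] { "at+jwt", "JWT", "AT+JWT" })
{
    try
    {
        handler.ValidateToken(Mint(typ), parameters, out _);
        Console.WriteLine($"typ={typ}: accepted");
    }
    catch (SecurityTokenException e)
    {
        // The type check fails with a SecurityTokenException-derived exception.
        Console.WriteLine($"typ={typ}: rejected ({e.GetType().Name})");
    }
}
```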

@mafurman mafurman added P2 Little less important, but we would like to do this and removed P1 More important, prioritize highly labels Oct 14, 2019
@leastprivilege
Contributor Author

Sounds good, thanks!
