Allow at+jwt, according to RFC-9068

[ymajoros]

Closes 13185

[pivotal-cla]

@ymajoros Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

[pivotal-cla]

@ymajoros Thank you for signing the Contributor License Agreement!

[jzheaux]

@ymajoros, thank you very much for the PR. I don't think that it should be in JwtDecoders, but NimbusJwtDecoder. Also, it is missing the needed validation. Please see my comment about what needs to be done to add this support.

[jzheaux]

@ymajoros, I don't think we should add this feature without also introducing validation. Allow me to elaborate on what I meant here.

I think it would be valuable for NimbusJwtDecoder's builders to turn off the Nimbus typ validation so that applications can better choose which validation types, JWT, at+jwt, etc. they want to support.

The builders could change like so:

NimbusJwtDecoder.withIssuerLocation(issuer)
    .useNimbusTypeVerifier(false).build();

Then, we can change JwtValidators to add typ validation by default similar to Nimbus, allowing the following:

NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(issuer)
    .useNimbusTypeVerifier(false).build();
decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer));

to remain an otherwise passive change.

Then, this PR would also introduce a new validator for at+jwt, something like:

JwtValidators.createDefaultForAtJwt(issuer);

So then to turn on at+jwt support, that would look like this:

NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(issuer)
    .useNimbusTypeVerifier(false).build();
decoder.setJwtValidator(JwtValidators.createDefaultForAtJwt(issuer));

Is this something you'd still be interested in putting together? If not, I can mark this as ideal-for-contribution so others know that it's available.

[ymajoros]

@ymajoros, I don't think we should add this feature without also introducing validation. Allow me to elaborate on what I meant here.

I think it would be valuable for NimbusJwtDecoder's builders to turn off the Nimbus typ validation so that applications can better choose which validation types, JWT, at+jwt, etc. they want to support.

The builders could change like so:

NimbusJwtDecoder.withIssuerLocation(issuer)
    .useNimbusTypeVerifier(false).build();

Then, we can change JwtValidators to add typ validation by default similar to Nimbus, allowing the following:

NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(issuer)
    .useNimbusTypeVerifier(false).build();
decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer));

to remain an otherwise passive change.

Then, this PR would also introduce a new validator for at+jwt, something like:

JwtValidators.createDefaultForAtJwt(issuer);

So then to turn on at+jwt support, that would look like this:

NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(issuer)
    .useNimbusTypeVerifier(false).build();
decoder.setJwtValidator(JwtValidators.createDefaultForAtJwt(issuer));

Is this something you'd still be interested in putting together? If not, I can mark this as ideal-for-contribution so others know that it's available.

Hello, thanks for the analysis. TBH, I created this years ago because a colleague from security asked for it, but I don't even work there anymore and I won't follow this in any case. I just think being able to follow standards is always a good option, but I have no sponsor or personal interest in this anymore.

Thanks for your feedback, anyway.

[jzheaux]

No problem at all @ymajoros -- I like making sure before making a change like that to a PR, so thank you for responding as quickly as you did.

I've moved this to ideal-for-contribution to invite others to contribute and complete the PR.

[jzheaux]

I've been talking with the team about this, and since it likely has a flag that will require migration between 6.5 and 7, I'll take this up myself instead.