Fix JWT validation for Clerk tokens with non-string header fields #6

Merged: kageiit merged 1 commit into main from debug/jwks-logging on May 12, 2026

Conversation

@optimus-primal

Summary

Fixes JWT validation failures caused by Clerk adding `oiat` (integer) and `cat` (string) fields to JWT headers.

  • Root cause: jsonwebtoken v10's `Header.extras` is typed as `HashMap<String, String>`, which rejects non-string values during deserialization. Clerk's new `oiat` field is an integer, causing `decode_header()` and `decode()` to fail before signature validation even begins.
  • Fix: Use gitarcode/jsonwebtoken fork (497fdb4) that changes `extras` to `HashMap<String, serde_json::Value>` (cherry-pick of upstream Keats/jsonwebtoken#496).
  • Cherry-pick upstream clerk-rs PR #282 (jsonwebtoken v9→v10).
  • Cherry-pick upstream clerk-rs PR #280 (make `nbf` optional).
  • Add `jwt_debug` example for local JWT validation testing.

Clerk recently started adding `cat` (string) and `oiat` (integer) fields to JWT
headers. jsonwebtoken v10's Header.extras uses HashMap<String, String> which
rejects non-string values, causing all JWT validation to fail with deserialization
errors.

Fix: use gitarcode/jsonwebtoken fork with HashMap<String, serde_json::Value> for
extras (upstream PR Keats/jsonwebtoken#496). Also cherry-picks upstream clerk-rs
PR DarrenBaldwin07#282 (jsonwebtoken 10) and PR DarrenBaldwin07#280 (nbf optional).
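The failure mode described above, as an added example that is not part of this PR or of clerk-rs or jsonwebtoken: a small Python model of how a typed JOSE header decoder behaves when `extras` is a map of strings versus a map of arbitrary JSON values. The header, token and signature bytes are constructed for the demonstration (the signature is a placeholder and would never verify), and `KNOWN_HEADER_FIELDS` is an assumption about which registered names map to typed fields rather than to `extras`. It shows why a Clerk-style header with an integer `oiat` is rejected before any signature check under the string-only model, and why keeping unknown fields as opaque JSON (the fork's approach) lets decoding proceed without those fields influencing validation.

```python
import base64
import json

# Constructed example (not a real Clerk token): a header shaped like the ones the PR
# describes, with the new `cat` (string) and `oiat` (integer) fields alongside the
# standard alg/typ/kid fields. All values are made up.
CLERK_STYLE_HEADER = {
    "alg": "RS256",
    "typ": "JWT",
    "kid": "ins_constructed_kid",
    "cat": "cl_constructed",
    "oiat": 1715500000,
}

# Assumption for this model: registered JOSE header names that a typed decoder maps to
# dedicated struct fields; every other name lands in `extras`.
KNOWN_HEADER_FIELDS = {"typ", "alg", "cty", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256"}


class HeaderDecodeError(ValueError):
    """Raised when the header segment cannot be deserialized into the header type."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(header: dict) -> str:
    """Assemble header.payload.signature for decoding tests only. The signature is a
    constructed placeholder, not a real signature, so this token must never verify."""
    payload = {"sub": "user_constructed", "iat": 1715500000, "exp": 1715503600}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-signature-bytes"),
    ]
    return ".".join(segments)


def decode_header(token: str, extras_as_strings: bool) -> dict:
    """Deserialize the JOSE header the way a typed decoder would.

    extras_as_strings=True models jsonwebtoken v10's `extras: HashMap<String, String>`:
    any unknown field with a non-string value is a deserialization error.
    extras_as_strings=False models the fork's `HashMap<String, serde_json::Value>`:
    unknown fields are kept as opaque JSON and play no part in validation.
    """
    try:
        header = json.loads(b64url_decode(token.split(".", 1)[0]))
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise HeaderDecodeError(f"malformed header segment: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise HeaderDecodeError("header must be a JSON object with a string `alg`")
    kid = header.get("kid")
    if kid is not None and not isinstance(kid, str):
        raise HeaderDecodeError("`kid` must be a string when present")
    extras = {k: v for k, v in header.items() if k not in KNOWN_HEADER_FIELDS}
    if extras_as_strings:
        for key, value in extras.items():
            if not isinstance(value, str):
                raise HeaderDecodeError(
                    f"invalid type for {key!r}: expected a string, got {type(value).__name__}"
                )
    return {"alg": header["alg"], "kid": kid, "extras": extras}


def header_decodes(token: str, extras_as_strings: bool) -> bool:
    """True if the header deserializes. False means the token is rejected before
    signature verification is even attempted, which is the outage the PR fixes."""
    try:
        decode_header(token, extras_as_strings)
        return True
    except HeaderDecodeError:
        return False


if __name__ == "__main__":
    token = make_test_token(CLERK_STYLE_HEADER)
    for strict in (True, False):
        label = "HashMap<String, String>" if strict else "HashMap<String, serde_json::Value>"
        print(f"{label:36} decodes={header_decodes(token, strict)}")
```

Two points worth keeping in mind when reading the output: the string-only model fails closed, so the impact is every Clerk token being rejected (an availability failure, not a signature bypass), and the permissive model only relaxes the type of `extras`; `alg` and `kid` are still required to be strings and signature verification still runs afterwards, so unknown header fields are carried but never trusted.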
