jws: Decode ignores private claims #189

Closed
SamWhited opened this issue Jun 30, 2016 · 2 comments
SamWhited commented Jun 30, 2016

jws.Encode properly encodes private claims; however, jws.Decode ignores private claims and the resulting structure only contains the standard claims. It should also populate the "Private Claims" field.

The following modification to TestSignAndVerify will currently fail:

```go
func TestSignAndVerify(t *testing.T) {
    header := &Header{
        Algorithm: "RS256",
        Typ:       "JWT",
    }
    payload := &ClaimSet{
        Iss: "http://google.com/",
        Aud: "",
        Exp: 3610,
        Iat: 10,
        PrivateClaims: map[string]interface{}{
            "priv": 1.0,
        },
    }

    privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
    if err != nil {
        t.Fatal(err)
    }

    token, err := Encode(header, payload, privateKey)
    if err != nil {
        t.Fatal(err)
    }

    claims, err := Decode(token)
    if err != nil {
        t.Fatal(err)
    }

    priv, ok := claims.PrivateClaims["priv"]
    if !ok || priv.(float64) != payload.PrivateClaims["priv"] {
        t.Fatal("Private claims did not decode")
    }

    err = Verify(token, &privateKey.PublicKey)
    if err != nil {
        t.Fatal(err)
    }
}
```

EDIT: Since there doesn't appear to be an easy way to fix this issue in the jws package with encoding/json, I've temporarily vendored an inefficient patch in my code that decodes the JWS twice: once into the claims struct, and once into the PrivateClaims map and then deletes the standard claims from the private claims map. Obviously this is not ideal.
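
The double-decode workaround described in the EDIT above, as an added example that is neither the issue author's vendored patch nor the jws package's code. The names `claimSet`, `decodeClaims` and `sampleToken` are hypothetical, the JSON names `iss`, `aud`, `exp` and `iat` are assumed to be the ones behind the struct fields, and the sample token is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// claimSet is a hypothetical stand-in for ClaimSet with the fields the issue's test sets.
type claimSet struct {
	Iss           string                 `json:"iss"`
	Aud           string                 `json:"aud,omitempty"`
	Exp           int64                  `json:"exp"`
	Iat           int64                  `json:"iat"`
	PrivateClaims map[string]interface{} `json:"-"`
}

// decodeClaims unmarshals the payload twice (struct, then map) and checks no signature.
func decodeClaims(token string) (*claimSet, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("invalid token: got %d segments, want 3", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	c := &claimSet{}
	if err = json.Unmarshal(raw, c); err == nil {
		err = json.Unmarshal(raw, &c.PrivateClaims)
	}
	if err != nil {
		return nil, err
	}
	for _, name := range []string{"iss", "aud", "exp", "iat"} { // standard claims held by the struct
		delete(c.PrivateClaims, name)
	}
	return c, nil
}

// sampleToken is constructed for this example; its signature segment is a placeholder.
var sampleToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9." + base64.RawURLEncoding.EncodeToString(
	[]byte(`{"iss":"http://google.com/","exp":3610,"iat":10,"priv":1}`)) + ".c2ln"

func main() {
	fmt.Println(decodeClaims(sampleToken))
}
```

Because `decodeClaims` checks no signature, the private claims it returns are untrusted input until the token has passed verification.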

ramoas commented Jul 21, 2016

@SamWhited Yes, reuse of the existing types is currently difficult if you need customization. I recently raised Issue #193 to request extensibility of Header along the lines of ClaimSet.PrivateClaims. Hopefully, some more consideration for extensibility for both types will be provided so you're not forced into vendoring or outright code duplication.

@SamWhited

Closing since the JWS package is now deprecated and there are several duplicate issues.
