JwtParser throws wrong exception when signing key is HMAC but token signed with RSA

[mbarkley]

Given:

• A parser with an HS256 signing key.
• Key was specified using JwtParser.setSigningKey(String base64Encoded).
• Token being parsed is signed with algorithm RS256.
• Using the parseClaimsJws(String) method.
• Using jjwt-impl version 0.10.5

Expected:

• A JwtException of some kind.

Observed:

• An IllegalArgumentException with the following message: "Key bytes can only be specified for HMAC signatures. Please specify a PublicKey or PrivateKey instance."

[lhazlewood]

I think I understand what you're saying - let me reformulate it to see if we're on the same page:

The current exception indicates that the jws specified is an illegal argument because of how the parser was configured. But this isn't obvious because the internal parser key is expecting a different type of JWS, so that should be made more obvious/explicit with a more concrete JwtException - that explains not just that the argument was illegal, but why it was illegal. Is that correct?

If so (and I think that's what you're saying), I agree with you, but we can't change runtime exception types until a major version increase (i.e. 1.0). This is because any existing logic expecting to catch IllegalArgumentException today wouldn't trigger at all if we change the exception type.

As such, I can assign this to a v 1.0 tag. Please confirm.

[mbarkley]

But this isn't obvious because the internal parser key is expecting a different type of JWS, so that should be made more obvious/explicit with a more concrete JwtException - that explains not just that the argument was illegal, but why it was illegal. Is that correct?

Yes, that's correct.

I agree with you, but we can't change runtime exception types until a major version increase (i.e. 1.0). This is because any existing logic expecting to catch IllegalArgumentException today wouldn't trigger at all if we change the exception type.

Understood. Thanks for following up.

[lhazlewood]

Thanks for the clarification!

[NagaAtLv]

@mbarkley Hey, how did you get away with this exception, may i know how did you resolve it?

[mbarkley]

@NagaAtLv we catch the IllegalArgumentException and treat it as an authentication error (i.e. the token has the wrong kind of signature). It's not ideal because it could potentially obscure other non security errors that throw that exception type, so we've tried to put the catch at the lowest level possible to avoid catching other errors accidentally.

[NagaAtLv]

@mbarkley Thanks for the prompt response, it is rather surprising, when i tried to parse the token generated through Azure AD, i can view the json object on jwt.io and other parsing websites... so i just wondering how can i get past this one.

[KaustubhJha-TUL-UpperFunnel]

Did you find a solution ? Creating a new HmacKey by jeo4j gives the exception below that one and creation of new public/private key also gives error

[Tejshri47]

@NagaAtLv have you got solution on this I am also facing same exception while working on AzureAD