Allow passing in additional jwt headers #392
Conversation
This PR is based on #390. Please let me know what I can do to make the PR qualify for merge. Thanks!
You may already be doing this, but if you are allowing users to specify this algorithm, make sure you are very careful about discouraging (maybe even explicitly disallowing) the use of the I notice some places where
Thanks for the heads-up. I wonder: the PR is for code that creates the token, but the vulnerabilities you refer to seem to be about the verification of tokens, right? I do think indeed we should help developers to do the right thing.
You're correct about create/verify, but this code that creates the token should make it difficult (or IMHO impossible) to create an unsecured token.
I agree and thanks for confirming my understanding of your remark. I hope the reviewer can assess if my approach at least makes it not too easy to forget passing in a signing alg.
I will not allow passing

```python
class MyClientSecretJWT(ClientSecretJWT):
    alg = 'HS512'
```
I think that's indeed what my PR allows (and that was my intention) and that PR is merged. And I'm really happy with that (I like this better than having to subclass), but @lepture's remark is confusing.
And thanks @lepture for accepting the PR!!
@bjmc @janwijbrand I've modified the code in 38ac0d2
Ah, that clarifies it. Out of curiosity, may I ask why you prefer subclassing here over passing in a parameter when instantiating?
I can't speak for lepture, but I think it's safer because it makes it harder for a novice user to accidentally pass an insecure algorithm (especially
Referencing #391
I'd like to pass in additional JWT headers into the client assertion, such as the kid so the recipient of the token can find the corresponding key at the registered JWKS endpoint.
Describe the solution you'd like
When setting up a PrivateKeyJWT() instance to register as client auth method, I'd like to pass in additional JWT headers such as the kid.
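As an added example (not code from authlib or from anyone in this thread), the two points the discussion turns on, in plain Python: the signer emits a kid header but keeps alg fixed rather than caller-chosen, and the recipient selects the key from its JWKS by kid and rejects any alg outside a fixed allow list, so a header can never downgrade verification. It uses HMAC (the ClientSecretJWT flavour) instead of RSA so it runs with the standard library only; the JWKS, kid values and secrets are made up for the example.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # fixed by the verifier, never taken from the token header


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed stand-in for the recipient's registered JWKS (two symmetric keys,
# so a token must name the right one via kid). All values are made up.
JWKS = {"keys": [
    {"kid": "2023-key", "kty": "oct", "k": b64url_encode(b"retired-shared-secret")},
    {"kid": "2024-key", "kty": "oct", "k": b64url_encode(b"current-shared-secret")},
]}


def sign_client_assertion(secret: bytes, claims: dict, kid: str) -> str:
    """Build an HS256 client assertion. 'kid' is the extra header the issue asks
    for; 'alg' is fixed here rather than accepted from the caller."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_client_assertion(token: str) -> dict:
    """Select the key by kid and verify; any alg outside the allow list
    (including 'none') is rejected before the signature is even looked at."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"rejected alg {header.get('alg')!r}")
    key = next((k for k in JWKS["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError(f"no key with kid {header.get('kid')!r} in JWKS")
    expected = hmac.new(b64url_decode(key["k"]), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(claims_b64))
```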