Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

do not escape slashes in json_encoding of jwt components #41

Merged
merged 2 commits into from
Jul 29, 2015
Merged

do not escape slashes in json_encoding of jwt components #41

merged 2 commits into from
Jul 29, 2015

Conversation

nsfinkelstein
Copy link
Contributor

Currently when we sign JWTs, we get JSON representations of the HEADER and PAYLOAD, and we escape slashes in that json encoding.

This is problematic because if the payload is originally base64 encoded without escaped slashes, then verification of that JWT will fail.

If the JWT is generated using this library, then there is no problem because the slashes are escaped before the JWT the header and payload are base64 encoded as well. However, while using this library in conjunction with other code that does not escape slashes before base64 encoding the payload and header, verification will fail.

I can see no reason to escape slashes. This is a pull request to stop escaping slashes in the JWT head and payload before base64 encoding them to be signed.

@odino
Copy link
Contributor

odino commented Jul 20, 2015

hey @n-s-f, thanks for this! Though Im not sure i entirely understood the original issue -- would you mind adding a test case for that?

@odino
Copy link
Contributor

odino commented Jul 26, 2015

ping @n-s-f :)

@nsfinkelstein
Copy link
Contributor Author

@odino

Thanks for getting to me!

Here's the issue:

Let's say I have a payload of:

{
   'iss': 'Y/Y/Y', 
   'aud': 'X/X/X'
}

Then, when I load my JWS from the base64url encoded token, I will get a php array:

[
   'iss' => 'Y/Y/Y',
   'aud' => 'X/X/X
]

Now, when I go verify the signature, I need to json_encode the payload again to regenerate the base64url encoded string that was signed. But now, I get:

{
   'iss': 'Y\/Y\/Y', 
   'aud': 'X\/X\/X'
}

When I generate a base64url encoded token from that JSON, it naturally turns out differently than the token generated from the original JSON, which is the token that was originally signed.

Therefore, verification fails.

This does not present itself as a problem when using this library to verify JWTs generated by this library, because the same lines of code I change in this pull request also escape slashes the JSON before the base64url encoded token is generated to be signed.

However, as demonstrated, verification fails if the JWT is created with JSON that includes slashes in a language that does not auto-escape slashes upon JSON encoding (i.e. any other language).

I have added a test to demonstrate the issue. Without my patch, the test I've added would fail.

Thanks very much!
Noam

@odino
Copy link
Contributor

odino commented Jul 29, 2015

👍

odino added a commit that referenced this pull request Jul 29, 2015
@odino
Merge pull request #41 from n-s-f/master
0b3af07 
do not escape slashes in json_encoding of jwt components
@odino odino merged commit 0b3af07 into namshi:master Jul 29, 2015
@odino
Copy link
Contributor

odino commented Jul 29, 2015

it's in 6.0.0. Updated the major version as an earlier commit dropped support for php 5.3 :)

@nsfinkelstein
Copy link
Contributor Author

@odino Thanks!

@adrienbrault adrienbrault mentioned this pull request Nov 20, 2015
Closed
@paukenba paukenba mentioned this pull request Sep 27, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nsfinkelstein @odino