why the exp and iat put in the header section of the jwt? #73
Comments
That appears to be an oversight, yeah!
itsdangerous implements JWS (with some extra headers in the timed case), not JWT. Looking at the JWS spec, the only reference I can find to the headers you mention is in the payload of one of the examples, where the payload is unrelated to the example. JWS itself doesn't define a payload format, so it can't define how to store those fields there. You appear to be looking at the JWT spec in the "claims" section.
Oops, sorry, I didn't really see that either!
I didn't see that part. I think we could just cut a new release with the change, though that will invalidate all Flask sessions.
Isn't that what semver is for?
Yes, of course.
I don't understand why this was reopened. You're still looking at JWT, not JWS. Just because we added extra headers (which is allowed in the spec) that are similar to JWT claims doesn't make this JWT. Changing the current implementation would force all payloads to be dicts. As I've said in other issues about JWT and JWE, I'm fine with adding more serializers, if someone wants to implement one.
Yes, but the PR linked by @reubano indicated that Armin intended to implement JWT.
Yeah, I understand that; at the time I guess the specs were ambiguous, so they ended up with JWS with the time extension. Again, adding a separate serializer seems fine to me, now that everything's settled, but that's not what this issue was about.
If we do want to implement more of the JW* specs, I'd like to see this split into a package; it's already pretty unwieldy as a single file.
The intention of that other issue always seems to have been JWS, based on the name. Armin seems to just be commenting on the fact that JWT has a spec for timing that JWS lacks. I agree with his other observation that this whole thing is a mess. 🙁
Whatever it is, I think we should decide on supporting JWT to end this once and for all.
Seems I misunderstood the code.
Hi, please move exp and iat to the payload, otherwise it is incompatible with the JWT spec and (at least) angular-jwt. Thanks!
Contributions are welcome, but as stated we're not breaking the JWT spec because we're following the JWS spec.
Closing this. The current serializer implements JWS, not JWT. The JWS spec does not include expiration, but does allow extra keys in the header, and we use that. If you're having trouble parsing a token, make sure whatever library you're using is parsing JWS, not JWT. I also find it difficult to justify the added maintenance burden to implement and support JWT, when there are other Python projects that implement it. If you'd like to use JWT with the API provided by ItsDangerous, there are enough customization points to plug your JWT library of choice into a new Serializer subclass.
I read the latest official doc and found that exp and iat are usually put in the payload part instead of the header section.
Should I use this or remove it and use pyjwt instead?
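To make the distinction in this thread concrete, here is an added, self-contained example (not itsdangerous code; it does not claim to match that library's exact header fields or default algorithm) that builds an HS256 compact JWS with iat/exp either as extra protected-header fields, the layout discussed above, or as payload claims, the JWT layout, plus a verifier that checks the MAC first and then honours exp wherever the issuer placed it. The secret and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload, secret: bytes, now: int, expires_in: int, timing_in_header: bool) -> str:
    # HS256 compact JWS. timing_in_header=True carries iat/exp as extra protected-header
    # fields (the layout debated in this thread); False stores them as JWT claims in the
    # payload, which forces the payload to be a JSON object (the dict-only restriction above).
    header = {"alg": "HS256"}
    if timing_in_header:
        header.update(iat=now, exp=now + expires_in)
    else:
        if not isinstance(payload, dict):
            raise TypeError("JWT claims need a JSON object payload")
        payload = {**payload, "iat": now, "exp": now + expires_in}
    signing_input = ".".join(_b64url(json.dumps(o, separators=(",", ":")).encode()) for o in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, secret: bytes, now: int):
    # Check the MAC before trusting anything, then honour exp wherever the issuer put it.
    head_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_unb64url(head_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_unb64url(body_b64))
    exp = header.get("exp")  # JWS extra header field (itsdangerous-style)
    if exp is None and isinstance(payload, dict):
        exp = payload.get("exp")  # JWT registered claim
    if exp is not None and now >= exp:
        raise ValueError("token expired")
    return header, payload

def is_valid(token: str, secret: bytes, now: int) -> bool:
    try:
        verify(token, secret, now)
        return True
    except ValueError:
        return False
```

A consumer that only reads claims from the payload will never see the header-carried exp, which is exactly the interoperability gap the angular-jwt comment describes.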