
The typ header should be optional in the JWT plugin #1191

Closed

subnetmarco opened this issue May 5, 2016 · 1 comment

@subnetmarco
Member

Plugin does not handle Bearer tokens that do not have the "typ":"JWT" in the header. Per https://tools.ietf.org/html/rfc7519#section-5 the use of the typ header is optional:

To reproduce, using information from https://getkong.org/plugins/jwt/:

curl http://kong:8001/apis/ \
--data 'request_path=/ifconfig' \
--data 'upstream_url=http://ifconfig.io/' \
--data 'strip_request_path=true'

curl http://kong:8001/apis/ifconfig/plugins \
--data "name=jwt"

curl http://kong:8001/consumers \
--data "username=ui"

curl http://kong:8001/consumers/ui/jwt \
--data "algorithm=HS256" \
--data "key=a36c3049b36249a3c9f8891cb127243c" \
--data "secret=e71829c351aa4242c2719cbfbe671c09"

curl -i http://kong:8000/ifconfig \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhMzZjMzA0OWIzNjI0OWEzYzlmODg5MWNiMTI3MjQzYyIsImV4cCI6MTQ0MjQzMDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9.AhumfY35GFLuEEjrOXiaADo7Ae6gt_8VLwX7qffhQN4'

The above works as expected. However, if the header does not include "typ" a 500 error is returned:

curl -i http://kong:8000/ifconfig \
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhMzZjMzA0OWIzNjI0OWEzYzlmODg5MWNiMTI3MjQzYyIsImV4cCI6MTQ0MjQzMDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9.AqN3-JN_JZoqqvaOTtb_8QBnqYQ5_tXYsQHBUAsHKak'

A 500 error is returned.

I am using the docker image mashape/kong:0.8.1
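The behaviour the report asks for, spelled out as an added example: this is illustrative Python written for this page, not Kong's Lua jwt plugin, and all function names (make_hs256_token, decode_header, verify_hs256, rejection_reason) and the demo secret and claims are invented here. It decodes the header segments of the two tokens quoted above, accepts a token whose header has no "typ", still rejects a "typ" that is present but not "JWT", and pins the algorithm to HS256 so the token cannot choose it.

```python
"""Added example: minimal HS256 JWT verification in which the "typ" header is
optional, as RFC 7519 section 5 permits.  Illustrative code, not Kong's plugin."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The two tokens from the issue report (same payload; only the header differs).
# They are decoded below but not signature-checked: their "exp" is in the past.
ISSUE_TOKEN_WITH_TYP = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiJhMzZjMzA0OWIzNjI0OWEzYzlmODg5MWNiMTI3MjQzYyIsImV4cCI6MTQ0MjQz"
    "MDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9."
    "AhumfY35GFLuEEjrOXiaADo7Ae6gt_8VLwX7qffhQN4"
)
ISSUE_TOKEN_WITHOUT_TYP = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJhMzZjMzA0OWIzNjI0OWEzYzlmODg5MWNiMTI3MjQzYyIsImV4cCI6MTQ0MjQz"
    "MDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9."
    "AqN3-JN_JZoqqvaOTtb_8QBnqYQ5_tXYsQHBUAsHKak"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _json_segment(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims: dict, secret: str, typ: Optional[str] = None) -> str:
    """Sign claims with HS256; emit a "typ" header only when one is given."""
    header = {"alg": "HS256"}
    if typ is not None:
        header["typ"] = typ
    signing_input = f"{_json_segment(header)}.{_json_segment(claims)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_header(token: str) -> dict:
    """Parse only the (unverified) JOSE header of a compact-serialized token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0]))


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    A missing "typ" is accepted.  A present "typ" must be "JWT", compared
    case-insensitively (RFC 7515 section 4.1.9 treats the value that way).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header = decode_header(token)
    typ = header.get("typ")
    if typ is not None and not (isinstance(typ, str) and typ.upper() == "JWT"):
        raise ValueError(f"unsupported typ: {typ!r}")
    if header.get("alg") != "HS256":
        # The verifier pins the algorithm; the token never gets to choose it.
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def rejection_reason(token: str, secret: str, now: Optional[float] = None) -> Optional[str]:
    """None when the token verifies, else the reason it was rejected."""
    try:
        verify_hs256(token, secret, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed demo secret and claims; the tokens are minted locally.
    secret = "constructed-demo-secret"
    claims = {"iss": "demo-key", "iat": 1700000000, "exp": 1700003600}
    for typ in (None, "JWT", "foo"):
        tok = make_hs256_token(claims, secret, typ)
        print(decode_header(tok), "->", rejection_reason(tok, secret, now=1700000100))
```

Running the block prints one line per header variant: the token without "typ" and the one with "typ":"JWT" both verify, while "typ":"foo" is rejected before the signature is even checked. The page's own tokens are only header-decoded here because their "exp" (1442430054) was already in the past when the issue was filed.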

@sean-sageify
Contributor

Created pull request for change. Tested locally fine.
