Version v5.2.0 is breaking our code

[juliangp]

Hi,

We upgraded to v5.2.0 and our JWT tokens no longer parse as they do not contain the JWT header type (and I don't think that we can get this fixed any time soon).

This is the commit that broke us: 14ac6af

Is there any chance of making this test optional?

Thanks

[cristaloleg]

Hey, sorry for the trouble. That's an interesting case.

Can you clarify why your tokens don't have 'typ:"JWT"' ? (or another value if any)

Also https://datatracker.ietf.org/doc/html/rfc7519#section-5.1

[frankdvd]

Hi @cristaloleg The "typ" field in a JSON Web Token (JWT) is an optional field. According to the JWT specification (RFC 7519), it's used to specify the token type. However, it's not required, and many JWT implementations don't include it. So, maybe we should check the type only when it exists?

[cristaloleg]

Yeah, that's another solution that came to my mind.

However, it looks very unintuitive 'cause sometimes it does a check and sometimes not.

[cristaloleg]

Right now I see this as the simplest fix:

token, err := jwt.Parse(...) // or any other parse function from jwt
if err != nil {
    if !errors.Is(err, jwt.ErrNotJWTType) {
        // bad token data or bad signature or ...
    }
    // proper token BUT 'typ' field is not 'JWT'
}

[juliangp]

Hi, I do not own the service that provides the token but as far as I can see the header only contains alg and kid.

[juliangp]

I will try your suggestion above - thanks.

[cristaloleg]

Again, sorry for the trouble. I hope it didn't end up as an emergency.

Please confirm if the solution above works for you. If so, I will document that. Thanks!

[juliangp]

Hi, unfortunately your suggestion does not work because the token is coming back as nil?

[cristaloleg]

Ah, indeed, can you check this PR #148 ?

[cristaloleg]

New minor version https://github.com/cristalhq/jwt/releases/tag/v5.3.0

[juliangp]

@cristaloleg thanks for the fix, it is not very intuitive for an optional header but it does work!