Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[proposal] Improvements to the verification API #239

Closed
mirceanis opened this issue Aug 1, 2022 · 1 comment · Fixed by #242
Closed

[proposal] Improvements to the verification API #239

mirceanis opened this issue Aug 1, 2022 · 1 comment · Fixed by #242
Labels
enhancement New feature or request released

Comments

@mirceanis
Copy link
Member

Is your feature request related to a problem? Please describe.

The verification of JWT/JWS uses exceptions to signal failures, but this creates a problem in distinguishing between legitimate failures (bad signature, invalid audience, timestamp issue, etc) and exceptional situations (network timeout while resolving DID, malformed input, unsupported algorithm, etc).

I propose separating these 2 scenarios internally so that users get a better idea about what failed and so that control flow for invalid JWTs no longer relies on parsing error messages.

Describe the solution you'd like
The result of verifyJWT() should be an object with a verified property set to true only when signature, timestamps, and audience are valid, and false otherwise.
When one of the validation criteria fails, the reason can be returned as an error code with a message.
verifyJWT() should not throw errors.

The verification options should accept a now parameter for checks involving past/future validity, or allow the user to disable timestamp checking. Similarly, it should be possible to skip audience checking (although, this is already indirectly possible by pre-inspecting the desired audience).

Describe alternatives you've considered
The desired behavior can already be achieved by calling verifyJWS directly for signature checks and by performing timestamp and audience checking out of band, but that defeats the purpose of having a library to do this.

Another acceptable solution would be to introduce a new method (verifyJWTSafe) that can give detailed reasons for failure without using exceptions for flow control, while leaving the existing verifyJWT method intact for backward compatibility.

Please add your opinion about this subject if you have one.
@mirceanis mirceanis added the enhancement New feature or request label Aug 1, 2022
mirceanis pushed a commit that referenced this issue Aug 12, 2022
@daniyal-khalil
feat: add JWT verification policies to override timestamp checking (#241
2934f4c 
)

relates to #239, partially closes it
mirceanis added a commit that referenced this issue Aug 15, 2022
@mirceanis
feat: add aud override policy for verification
b4cdd12 
fixes #239
@mirceanis mirceanis mentioned this issue Aug 15, 2022
Merged
mirceanis added a commit that referenced this issue Aug 18, 2022
@mirceanis
feat: add aud override policy for verification (#242)
87cbfd0 
* feat: add `aud` override policy for verification
* feat: add `verified` property to `JWTVerified` result
* feat: define and export known error prefixes

closes #239
uport-automation-bot pushed a commit that referenced this issue Aug 18, 2022
@semantic-release-bot
chore(release): 6.5.0 [skip ci]
e19331d 
# [6.5.0](6.4.0...6.5.0) (2022-08-18)

### Features

* add `aud` override policy for verification ([#242](#242)) ([87cbfd0](87cbfd0)), closes [#239](#239)
@uport-automation-bot
Copy link
Collaborator

🎉 This issue has been resolved in version 6.5.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@mirceanis mirceanis mentioned this issue Aug 18, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add aud override policy for verification decentralized-identity/did-jwt
2 participants
@mirceanis @uport-automation-bot