-
Notifications
You must be signed in to change notification settings - Fork 377
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrong alg
used in header for Ed25519 keys
#334
Comments
I think you are correct. Now I wonder how we could make this right. The feature has been out in the wild for a pretty long time already and encoded tokens get this incorrect I would suggest:
Maybe start printing some warning of the usage of the algorithm |
I just ran into this when trying to use a Ruby-generated token in an Elixir app. The Elixir library is using the |
Just out of curiosity, what Elixir library is this? My biggest concern is that if it is just changed to something else old ruby-jwt<-> new ruby-jwt compatibility will at least break. |
If you are in control of the token generation you could change the constant controlling this locally: |
Yes, I found that and it worked when generating the tokens. I think for now I'm going to fork the gem and ensure it will decrypt both |
But apparently this Joken component is expecting the EdDSA algorithms to have the exact curve used in the |
Ah, that's a good point. Possibly Joken is not implementing the RFC correctly either. |
Btw. I think the easiest workaround is just to monkeypatch the
|
I was looking into actually generating the tokens with the correct Specifically, the conditionals on I've made a quick monkeypatch on my side to override this and allow EDIT: nevermind, I was mistaken. By changing |
I would suggest introducing a breaking change and change the header handling to be inline what the RFC and world is expecting for the version 3.0.0 |
Wow, still broken in 2024. I don't know if this is the optimal patch, but it for sure is easy: module JWTExtensions
def encode_header
# https://github.com/jwt/ruby-jwt/blob/main/lib/jwt/encode.rb#L17
@headers["alg"] = @headers["alg"].downcase == "ed25519" ? "EdDSA" : @headers["alg"]
super
end
end
module JWT
class Encode
prepend JWTExtensions
end
end |
Instead of redefining the constant (which triggers a Ruby warning), a way of patching this without warning would be to remove the constant and set it again: JWT::JWA::Eddsa.send(:remove_const, "SUPPORTED")
JWT::JWA::Eddsa.const_set("SUPPORTED", ["Ed25519"]) |
There has been some work done to extract the algorithms that require external dependencies to separate gems. EdDSA being the first one that got that treatment. The goal is to remove the algorithm without native support from this gem in the future. Check out https://rubygems.org/gems/jwt-eddsa for eddsa support with a alg header according to the rfc. |
This algorithm is now only supported via the gem mentioned. |
The example tokens in this library use
"alg": "ED25519"
, but the related spec seems to suggest that it be"EdDSA"
instead.https://tools.ietf.org/html/rfc8037#appendix-A.4
The text was updated successfully, but these errors were encountered: