
Conversation

@ziqin
Contributor

@ziqin ziqin commented Dec 5, 2025

This PR fixes gh-18269 by passing a constant string "JWT" to JwsHeader.Builder::type(String type).

This PR doesn't generate RFC 9068 compliant JWT access tokens. Should we add a configuration method to NimbusJwtEncoder and SecretKeyJwtEncoderBuilder / RsaKeyPairJwtEncoderBuilder / EcKeyPairJwtEncoderBuilder to support generating RFC 9068 JWT access tokens?

I am not sure whether it affects compatibility with the existing support for RFC 9068, e.g., the JwtValidators.AtJwtBuilder.

ziqin added 2 commits December 5, 2025 21:18
This test encodes a JWT with NimbusJwtEncoder, and then decodes it with
NimbusJwtDecoder.

This test will fail when NimbusJwtEncoder emits a JWT with a wrong `typ`
parameter in the header, as NimbusJwtDecoder validates the JWT with
JwtTypeValidator by default. It may be beneficial for finding out other
similar bugs too.

Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
Closes spring-projectsgh-18269

Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
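The fix and the round-trip test described above, as an added example that is not the PR's own code: the encoder is given a JwsHeader whose `typ` is explicitly "JWT", the token is decoded with NimbusJwtDecoder (whose default validators include the `typ` check, per the commit message), and the decoded header is verified. The RSA key pair, key ID, issuer, subject and class name are constructed for the demo.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwsHeader;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;

public class JwtTypRoundTrip {
    public static void main(String[] args) throws Exception {
        // Constructed throwaway key pair for the demo; real deployments load keys from a keystore/KMS.
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair keyPair = generator.generateKeyPair();
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
        RSAKey rsaKey = new RSAKey.Builder(publicKey).privateKey(privateKey).keyID("demo-kid").build();
        JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(new JWKSet(rsaKey));

        // The fix: typ is the registered media type "JWT", not some other value.
        JwsHeader header = JwsHeader.with(SignatureAlgorithm.RS256).type("JWT").build();
        Instant now = Instant.now();
        JwtClaimsSet claims = JwtClaimsSet.builder()
                .issuer("https://issuer.example")   // constructed issuer
                .subject("alice")                    // constructed subject
                .issuedAt(now)
                .expiresAt(now.plusSeconds(300))
                .build();
        String token = new NimbusJwtEncoder(jwkSource)
                .encode(JwtEncoderParameters.from(header, claims))
                .getTokenValue();

        // Decoding runs the decoder's default validators; a token carrying a wrong typ
        // would fail here with a JwtException instead of reaching the header check.
        Jwt decoded = NimbusJwtDecoder.withPublicKey(publicKey).build().decode(token);
        Object typ = decoded.getHeaders().get("typ");
        if (!"JWT".equals(typ)) {
            throw new IllegalStateException("unexpected typ header: " + typ);
        }
        System.out.println("typ=" + typ + " sub=" + decoded.getSubject());
    }
}
```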
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 5, 2025
@ziqin ziqin marked this pull request as ready for review December 5, 2025 13:47
Issue spring-projectsgh-18269

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
@jzheaux
Contributor

jzheaux commented Dec 15, 2025

Thanks for the PR, @ziqin. Will you please open a separate ticket to discuss handling the JWT type and RFC 9068 tokens?

@jzheaux jzheaux self-assigned this Dec 15, 2025
@jzheaux jzheaux added type: bug A general bug in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 15, 2025
@jzheaux jzheaux added this to the 7.0.1 milestone Dec 15, 2025
@jzheaux jzheaux merged commit 964fcac into spring-projects:main Dec 15, 2025
6 checks passed
@jzheaux
Contributor

jzheaux commented Dec 15, 2025

Thanks for the PR, @ziqin! This is now merged into main.



Development

Successfully merging this pull request may close these issues.

NimbusJwtEncoder produces JWT with wrong "typ" header value
