
@yfuruyama

From Perl v5.18, the key order of a hash is randomized, and two JSON-encoded strings may differ even if they come from the same hash structure.

Encoding to JWT has the same problem.

#!/usr/bin/env perl
use v5.18;
use JSON::WebToken;

# Same claims every iteration; only the in-memory hash key order varies.
for (1..3) {
    my $claims = {
        sub => '1234',
        iss => 'dave',
        aud => 'tom',
    };

    # HS256 with a shared secret; the payload segment is the JSON-encoded claims.
    say encode_jwt $claims, 'secret';
}

This simple sample code prints

eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJ0b20iLCJzdWIiOiIxMjM0IiwiaXNzIjoiZGF2ZSJ9.bajTuYDNPetfv_Zb3OGDgSutIDq5HY6aKC9H9y1PfD4
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0IiwiaXNzIjoiZGF2ZSIsImF1ZCI6InRvbSJ9.z2lVlConVX2YKT7xrpe4EE7IneVQTFcRjtqPxpT_xjM
eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJkYXZlIiwic3ViIjoiMTIzNCIsImF1ZCI6InRvbSJ9.104dgCS4l4l49igJ4Z07PA3hVp_AGQmdTRe5uB2h2Kc

The encoding results are completely different even though they have the same claims.

The JWT spec doesn't mention this, but I think the same JWT claims should produce exactly the same JWT string.

This pull request is intended to fix that problem by using canonical JSON encoding.
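The fix described above, as an added illustration that is not the pull request's own code: a minimal HS256 encoder built on core modules (JSON::PP, Digest::SHA, MIME::Base64) with `canonical(1)` enabled, so the payload bytes, and therefore the signature, are the same no matter how Perl orders the hash keys. The header is assumed to be `{"alg":"HS256"}` only, matching the first segment of the tokens shown above; the check at the end counts distinct tokens across runs of the same claims.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::PP;
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64url);

# Canonical encoder: keys sorted, no whitespace. Without canonical(1),
# JSON::PP walks the hash in its (randomized) internal order.
my $json = JSON::PP->new->canonical(1);

sub encode_jwt_canonical {
    my ($claims, $secret) = @_;
    # Header assumed to be {"alg":"HS256"}, as in the tokens above.
    my $header  = encode_base64url($json->encode({ alg => 'HS256' }));
    my $payload = encode_base64url($json->encode($claims));
    # encode_base64url omits '=' padding, as JWT requires.
    my $sig     = encode_base64url(hmac_sha256("$header.$payload", $secret));
    return "$header.$payload.$sig";
}

# Constructed claims, built fresh each time so hash order can vary.
my %distinct;
for (1..3) {
    my $claims = { sub => '1234', iss => 'dave', aud => 'tom' };
    my $jwt = encode_jwt_canonical($claims, 'secret');
    print "$jwt\n";
    $distinct{$jwt}++;
}

# One distinct token means the encoding is deterministic.
print scalar(keys %distinct) == 1 ? "stable encoding\n" : "UNSTABLE encoding\n";
```

Verification never depends on key order, since the signature covers the exact bytes that were sent; determinism matters when tokens are compared, cached, or deduplicated by string value.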
