Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
Description
The JWS validation is currently broken.
The validation fails in certain cases even if the jwt is valid.
The problem is due to some json reordering on reconstructing the jws to validate.
E.g. if the header of the JWS is
{"kid":"bilbo.baggins@hobbiton.example", "alg":"RS256"}
the validation algorithm reconstruct the jws upon validation as
{ "alg":"RS256", "kid":"bilbo.baggins@hobbiton.example"}
and consequently the signature would not match any longer