CTY header is not set for JWE

I’m using the following code to issue my JWEs:

var signCreds = new SigningCredentials(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration["Jwt:SigningKey"])), SecurityAlgorithms.HmacSha256);
var encryptionCreds = new EncryptingCredentials(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration["Jwt:Encryptionkey"])), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);

var handler = new JwtSecurityTokenHandler();


var jwtSecurityToken = handler.CreateJwtSecurityToken(
  Configuration["Jwt:Issuer"],
  Configuration["Jwt:Audience"],
  new ClaimsIdentity(claims),
  DateTime.UtcNow,
  expiresIn,
  DateTime.UtcNow,
  signCreds,
  encryptionCreds);

But it doesn’t specify the “cty” header of the token, only alg, enc and typ. If I understand correctly, the header must be set for an encrypted JWT, so I have an issue while parsing the token in golang because of the header’s absence.

I also tried the following ways to issue JWE:

var signCreds = new SigningCredentials(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration["Jwt:SigningKey"])), SecurityAlgorithms.HmacSha256);
var encryptionCreds = new EncryptingCredentials(new SymmetricSecurityKey(Encoding.ASCII.GetBytes(Configuration["Jwt:Encryptionkey"])), SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);

var handler = new JwtSecurityTokenHandler();

var tokenDescriptor1 = new SecurityTokenDescriptor
{
    Audience = "you",
    Issuer = "me",
    Subject = new ClaimsIdentity(claims),
    EncryptingCredentials = encryptionCreds
};

var tokenDescriptor2 = new SecurityTokenDescriptor
{
    Audience = "you",
    Issuer = "me",
    Subject = new ClaimsIdentity(claims),
    EncryptingCredentials = encryptionCreds,
    SigningCredentials = signCreds
};

var tokenDescriptor3 = new SecurityTokenDescriptor
{
    Audience = "you",
    Issuer = "me",
    Subject = new ClaimsIdentity(claims),
    EncryptingCredentials = encryptionCreds,
    SigningCredentials = signCreds,
    AdditionalHeaderClaims = new Dictionary<string, object> { { "cty", "JWT" } }
};

var enc = handler.CreateEncodedJwt(tokenDescriptor1);
var encSigned = handler.CreateEncodedJwt(tokenDescriptor2);
var encSignedWithCty = handler.CreateEncodedJwt(tokenDescriptor3);

But I have the same result:

[image]

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

1 reaction
DShauchuk-IBA commented, Nov 19, 2019

Thank you for the quick answer.

I’m using go-jose library for parsing JWT.

0 reactions
CumpsD commented, Jun 8, 2022

Perhaps a silly question, but does this code mean a cty header will always be present when creating a JWT?

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/System.IdentityModel.Tokens.Jwt/JwtHeader.cs#L389-L404

        internal void AddAdditionalClaims(IDictionary<string, object> additionalHeaderClaims)
        {
            if (additionalHeaderClaims?.Count > 0 && additionalHeaderClaims.Keys.Intersect(DefaultHeaderParameters, StringComparer.OrdinalIgnoreCase).Any())
                throw LogHelper.LogExceptionMessage(new SecurityTokenException(LogHelper.FormatInvariant(LogMessages.IDX12742, nameof(additionalHeaderClaims), string.Join(", ", DefaultHeaderParameters))));

            if (additionalHeaderClaims != null)
            {
                if (!additionalHeaderClaims.TryGetValue(JwtHeaderParameterNames.Cty, out _))
                    Cty = JwtConstants.HeaderType;

                foreach (string claim in additionalHeaderClaims.Keys)
                    this[claim] = additionalHeaderClaims[claim];
            }
            else
                Cty = JwtConstants.HeaderType;
        }

since that is being called in the ctor
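
A consumer-side check for the situation in this thread, as an added example (not code from the issue, from go-jose or from the IdentityModel library): it decodes the protected header of a compact JWE with Go's standard library only, without decrypting, and reports whether cty marks the plaintext as a nested JWT. The names `JOSEHeader`, `ParseJWEHeader`, `IsNestedJWT` and `constructedToken`, and the sample token, are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JOSEHeader holds the header parameters named in the thread.
type JOSEHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	Typ string `json:"typ"`
	Cty string `json:"cty"`
}

// ParseJWEHeader decodes the protected header of a compact JWE
// (five base64url segments) without decrypting anything.
func ParseJWEHeader(token string) (JOSEHeader, error) {
	var h JOSEHeader
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return h, fmt.Errorf("expected 5 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return h, fmt.Errorf("header is not base64url: %w", err)
	}
	if err := json.Unmarshal(raw, &h); err != nil {
		return h, fmt.Errorf("header is not JSON: %w", err)
	}
	return h, nil
}

// IsNestedJWT reports whether cty declares the plaintext to be a JWT.
// Media type names are case-insensitive, so "jwt" also counts.
func IsNestedJWT(h JOSEHeader) bool { return strings.EqualFold(h.Cty, "JWT") }

// constructedToken builds a sample: real header, dummy other segments.
func constructedToken(headerJSON string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(headerJSON)) + ".a2V5.aXY.Y3Q.dGFn"
}

func main() {
	h, err := ParseJWEHeader(constructedToken(`{"alg":"A128KW","enc":"A128CBC-HS256","typ":"JWT"}`))
	fmt.Printf("cty=%q nested=%v err=%v\n", h.Cty, IsNestedJWT(h), err)
}
```

Running the same check on a token captured from the issuer shows, before any key is involved, whether the header carries only alg, enc and typ as described in the question.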
