Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
JwtParser needs a setVerifyingKey API
See original GitHub issueThe token signature validation requires the caller to specify a signing key. It does not make it obvious that this is a verify operation.
JwtParser setSigningKey(byte[] key);
JwtParser setSigningKey(String base64EncodedKeyBytes);
JwtParser setSigningKey(Key key);
In RsaSignatureValidator, the isValid method does a signature verification if the passed key is an instance of type PublicKey. If passed an instance of type PrivateKey, it signs the data again and compares signature.
But at JWTParser layer, the following APIs will provide a more clear description of the operation:
JwtParser setVerifyingKey(byte[] verifyingKey);
JwtParser setVerifyingKey(String base64EncodedVerifyKeyBytes);
JwtParser setVerifyingKey(PublicKey publicKey);
However setSigningKey keys has to be retained for backward compatibility.
setVerifyingKey can also help scenarios where a token issuer service is different from a token validator, and the private key need not to be shared among them.
Issue Analytics
- State:
- Created 7 years ago
- Comments:8 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
This is better self-documenting - I think it’s a good addition. Thanks for the issue!
Just noting that this isn’t as simple as expected: the
SigningKeyResolverinterface, its adapter, and anything else referencing such needs to be refactored. This is a change that’s probably better left for 1.0 (or at least a release after the more urgent 0.10.0 release).