
Mandatory JWT Key Length Assertions #334

@lhazlewood

Description


Too many issues are submitted along the lines of "My key on service A works, but it's not working with JJWT". This is basically because:

  1. The user uses a String key that is not Base64-encoded as the JJWT signWith JavaDoc clearly documents, or:
  2. The key is rarely of the mandatory length required by the JWT specification.

This issue represents the work to throw an exception if invalid keys are used to sign or verify a JWT, namely when using the setSigningKey or signWith methods.

The JWT RFC REQUIRES that key lengths meet guaranteed minimums depending on the algorithm strength chosen, and too many people don't do this. Because JJWT is a spec-compliant library, it must enforce Specification-mandated behavior.

See https://stackoverflow.com/a/40274325/407170 for more information.
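The check this issue asks for, written out as an added example in plain JCA code rather than JJWT's own implementation: RFC 7518 section 3.2 requires an HMAC key of at least 256, 384 or 512 bits for HS256, HS384 and HS512 respectively, so a signing routine should refuse shorter keys instead of silently producing a signature that another library will later reject. The class, method and exception names below are my own assumptions for illustration; the sample signing input and the "secret123" key are constructed. The second failing case also shows the Base64 pitfall from the description: a raw text secret handed to a method that expects Base64 is decoded into something shorter than the caller thinks.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not JJWT code: enforce the RFC 7518 section 3.2 minimum
 * HMAC key sizes before signing. Names here are assumptions for illustration.
 */
public final class HmacKeyLengthCheck {

    /** Minimum key length in bits that RFC 7518 section 3.2 mandates per algorithm. */
    private static final Map<String, Integer> MIN_BITS = Map.of(
            "HS256", 256,
            "HS384", 384,
            "HS512", 512);

    /** JCA Mac algorithm name for each JWA algorithm identifier. */
    private static final Map<String, String> JCA_NAME = Map.of(
            "HS256", "HmacSHA256",
            "HS384", "HmacSHA384",
            "HS512", "HmacSHA512");

    /** Throws if the raw key material is shorter than the spec minimum for alg. */
    public static void assertKeyLength(String alg, byte[] key) {
        Integer min = MIN_BITS.get(alg);
        if (min == null) {
            throw new IllegalArgumentException("Unsupported HMAC algorithm: " + alg);
        }
        int bits = key.length * 8;
        if (bits < min) {
            throw new IllegalArgumentException(String.format(
                    "The %s signing key is %d bits long; RFC 7518 section 3.2 requires at least %d bits.",
                    alg, bits, min));
        }
    }

    /** Signs the JWS signing input (header.payload) after the length check; returns Base64URL signature. */
    public static String sign(String alg, byte[] key, String signingInput) throws Exception {
        assertKeyLength(alg, key);
        Mac mac = Mac.getInstance(JCA_NAME.get(alg));
        mac.init(new SecretKeySpec(key, JCA_NAME.get(alg)));
        byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }

    /** Mirrors a String-accepting signWith: the String is treated as Base64 and decoded first. */
    public static String signWithBase64Key(String alg, String base64Key, String signingInput) throws Exception {
        byte[] key = Base64.getDecoder().decode(base64Key);
        return sign(alg, key, signingInput);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: base64url(header) "." base64url(payload); the exact content does not matter here.
        String signingInput = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9";

        // Case 1: a short human-readable secret used as raw key bytes (9 bytes = 72 bits). Rejected.
        byte[] weak = "secret123".getBytes(StandardCharsets.UTF_8);
        try {
            sign("HS256", weak, signingInput);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected raw key: " + e.getMessage());
        }

        // Case 2: a raw text secret passed where Base64 is expected. The decoder does not fail on
        // "secret12" (8 Base64 chars), it just yields 6 bytes = 48 bits, far below the minimum. Rejected.
        try {
            signWithBase64Key("HS256", "secret12", signingInput);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected mis-encoded key: " + e.getMessage());
        }

        // Case 3: the right way. Generate 256 bits of random key material, store it Base64-encoded,
        // and decode that same string when signing. Passes the check.
        byte[] strong = new byte[32];
        new SecureRandom().nextBytes(strong);
        String stored = Base64.getEncoder().encodeToString(strong);
        String signature = signWithBase64Key("HS256", stored, signingInput);
        System.out.println("HS256 signature: " + signature);
    }
}
```

The same assertion belongs on the verification side: a key that is too short to have been used for signing under the spec should be rejected before any comparison, so that a misconfigured verifier fails loudly rather than quietly accepting nothing.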
