Skip to content

Fix "typ" header value in NimbusJwtEncoder-encoded JWT#18270

Merged
jzheaux merged 3 commits intospring-projects:mainfrom
ziqin:gh-18269
Dec 15, 2025
Merged

Fix "typ" header value in NimbusJwtEncoder-encoded JWT#18270
jzheaux merged 3 commits intospring-projects:mainfrom
ziqin:gh-18269

Conversation

@ziqin
Copy link
Copy Markdown
Contributor

@ziqin ziqin commented Dec 5, 2025
edited
Loading

This PR fixes gh-18269 by passing a constant string "JWT" to JwsHeader.Builder::type(String type).

This PR doesn't generate RFC 9068 compliant JWT access tokens. Should we add a configuration method to NimbusJwtEncoder and SecretKeyJwtEncoderBuilder / RsaKeyPairJwtEncoderBuilder / EcKeyPairJwtEncoderBuilder to support generating RFC 9068 JWT access tokens?

I am not sure whether it affects compatibility with the existing support for RFC 9068, e.g., the JwtValidators.AtJwtBuilder.

ziqin added 2 commits December 5, 2025 21:18
@ziqin
Test NimbusJwtEncoder & NimbusJwtDecoder symmetrically
12f2622 
This test encodes an JWT with NimbusJwtEncoder, and then decodes it with
NimbusJwtDecoder.

This test will fail when NimbusJwtEncoder emits a JWT with a wrong `typ'
parameter in the header, as NimbusJwtDecoder validates the JWT with
JwtTypeValidator by default.  It may be beneficial for finding out other
similiar bugs too.

Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
@ziqin
Fix "typ" header value in NimbusJwtEncoder-encoded JWT
a3a66aa 
Closes spring-projectsgh-18269

Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 5, 2025
@ziqin ziqin marked this pull request as ready for review December 5, 2025 13:47
@jzheaux
Polish Tests
5651793 
Issue spring-projectsgh-18269

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
@jzheaux
Copy link
Copy Markdown
Contributor

jzheaux commented Dec 15, 2025

Thanks for the PR, @ziqin. Will you please open a separate ticket to discuss handling the JWT type and RFC 9068 tokens?

@jzheaux jzheaux self-assigned this Dec 15, 2025
@jzheaux jzheaux added type: bug A general bug in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 15, 2025
@jzheaux jzheaux added this to the 7.0.1 milestone Dec 15, 2025
@jzheaux jzheaux merged commit 964fcac into spring-projects:main Dec 15, 2025
6 checks passed
@jzheaux
Copy link
Copy Markdown
Contributor

jzheaux commented Dec 15, 2025

Thanks for the PR, @ziqin! This is now merged into main.

@ziqin
Copy link
Copy Markdown
Contributor Author

ziqin commented Dec 16, 2025

@jzheaux

I've opened gh-18325 for discussion about RFC 9068 JWT access token generation.

@ziqin ziqin deleted the gh-18269 branch December 17, 2025 06:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jzheaux jzheaux

Labels

in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug

Projects

None yet

Milestone

7.0.1

Development

Successfully merging this pull request may close these issues.

NimbusJwtEncoder produces JWT with wrong "typ" header value

3 participants

@ziqin @jzheaux @spring-projects-issues