Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only some registered claims can be optionally required #378

Open
WalkerGriggs opened this issue Feb 7, 2024 · 1 comment
Open

Only some registered claims can be optionally required #378

WalkerGriggs opened this issue Feb 7, 2024 · 1 comment

Comments

@WalkerGriggs
Copy link

👋 I noticed that only a subset of the registered claims can be configured to be required.

PR #351, for example, adds the requireExp field to the core Validator.

Other fields like iat are hard-coded to not be required.

jwt/validator.go

Lines 117 to 119 in 6bcdd9d

if err = v.verifyIssuedAt(claims, now, false); err != nil {
errs = append(errs, err)
}

We also have a 'expected' claims like expectedIss which are hard-coded to be required.

jwt/validator.go

Lines 130 to 134 in 6bcdd9d

if v.expectedIss != "" {
if err = v.verifyIssuer(claims, v.expectedIss, true); err != nil {
errs = append(errs, err)
}
}

Semantically, I find the line between "expected" and "required" to be extremely thin. I propose moving to a system like expiratedAt where no required field is hard-coded and all can be configured with ParserOptions

jwt/validator.go

Lines 102 to 107 in 6bcdd9d

// We always need to check the expiration time, but usage of the claim
// itself is OPTIONAL by default. requireExp overrides this behavior
// and makes the exp claim mandatory.
if err = v.verifyExpiresAt(claims, now, v.requireExp); err != nil {
errs = append(errs, err)
}

This change would standardize on a two boolean system for each registered claims:

  • WithFoo which determines which claims should be verified if provided. For example, see WithIssuedAt and WithIssuedAt
  • WithFooRequired which determines which claims should be required. For example, see WithExpirationRequired

The existing API (from what I can see) will remain the same. This change would only add ParserOption funcs to fill in the missing gaps.

I'd be happy to work on a PR. Is this a welcome change? Does anyone have any feedback?
@oxisto
Copy link
Collaborator

oxisto commented Feb 8, 2024
edited
Loading

That's a good point. To be honest, we didn't pay too much intention on the internal naming of "required" vs "expected". As long as the existing API will stay the same, I am open to fill the gaps with some parser options, provided this will not "explode" in the sense that there are now dozens of these functions, we somehow need to maintain and make sure that we "never" change them (at least in this major version).

For me, what would be important is that the STANDARD behaviour, i.e., without any options is exactly as specified in the RFC. Any additional expectations and requirements are up to the user, but we should not diverge from the standard.

TL;DR: Yes. Please go ahead, but be mindful in the changes introduced and expect that it will take some time until we finally decide to merge such a PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@WalkerGriggs @oxisto