Allow custom claims - made addClaim public by ThStock · Pull Request #232 · auth0/java-jwt · GitHub

Allow custom claims - made addClaim public#232

Closed
ThStock wants to merge 1 commit into auth0:master from ThStock:master


@ThStock ThStock commented Jan 19, 2018


No description provided.

@lbalmaceda

Contributor

@lbalmaceda lbalmaceda closed this Jan 19, 2018
@ThStock

ThStock commented Jan 20, 2018

Author

@lbalmaceda will a push with the following content have more success?

    public Builder withAccess(Object access) {
      addClaim(PublicClaims.ACCESS, access);
      return this;
    }

Background: I want to access a Docker registry with an auth token

Like this implementation in Go:

@lbalmaceda

Contributor

Changing the name of the claim won't change its type. It's just the same as your first comment.

I guess your idea is to send the requirements that the docker token must have inside the JWT payload, and then request that docker token from the client. The requirements I see in the go implementation link you shared are strings type and name, and actions which is an array. Because this library doesn't allow you to put map-like structures you'd flatten it like this:

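    //..
    // Flatten the map-like structure into claim types the builder accepts.
    String token = JWT.create()
            .withClaim("dkr.typ", "token type")
            .withClaim("dkr.nam", "token name")
            // Java has no [..] array literal; withArrayClaim takes a String[].
            .withArrayClaim("dkr.act", new String[]{"write", "read", "etc"})
            .sign(algorithm);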

@ThStock

ThStock commented Jan 22, 2018

Author

A valid communication is possible with the following. So the only missing method was withAccess
...

    String token = JWT.create()
            .addClaim("access", ImmutableList.of("..."))
            .withIssuer("Some Issuer")
            .withAudience(service)
            .withKeyId("...")
            ...
            .sign(algorithm);

@ThStock

ThStock commented Jan 25, 2018

Author

@lbalmaceda Do you think this has a chance?

@lbalmaceda

Contributor

No. We don't support that kind of structure. You need to convert the "access" claim value to some structure we can support. I've already proposed you a workaround in my previous comment.

Currently supported classes for custom JWT Claim creation and verification are: Boolean, Integer, Double, String, Date and Arrays of type String and Integer.

See: https://github.com/auth0/java-jwt#payload-claims
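The flattening workaround from the comments above, carried through both issuing and verification, as an added example (not code from this pull request or from java-jwt itself). The `Access` class, the HMAC secret and the sample values are constructed for illustration; the `dkr.*` claim names are the ones used in the thread.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Arrays;
import java.util.List;

public class FlattenedAccessClaim {
    // Hypothetical value type for one access entry (type, name, actions).
    static final class Access {
        final String type;
        final String name;
        final List<String> actions;
        Access(String type, String name, List<String> actions) {
            this.type = type;
            this.name = name;
            this.actions = actions;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key and entry; a real service would load its own key.
        Algorithm algorithm = Algorithm.HMAC256("constructed-demo-secret");
        Access wanted = new Access("repository", "example/app", Arrays.asList("pull", "push"));

        // Issue: use only String and String[] claims, which the builder accepts.
        String token = JWT.create()
                .withIssuer("Some Issuer")
                .withClaim("dkr.typ", wanted.type)
                .withClaim("dkr.nam", wanted.name)
                .withArrayClaim("dkr.act", wanted.actions.toArray(new String[0]))
                .sign(algorithm);

        // Consume: verify signature and issuer first, then rebuild the entry.
        DecodedJWT jwt = JWT.require(algorithm).withIssuer("Some Issuer").build().verify(token);
        String type = jwt.getClaim("dkr.typ").asString();
        String name = jwt.getClaim("dkr.nam").asString();
        List<String> actions = jwt.getClaim("dkr.act").asList(String.class);
        // asString()/asList() return null when the claim is absent or is not a string/array.
        if (type == null || name == null || actions == null || actions.isEmpty()) {
            throw new IllegalStateException("token lacks a complete flattened access entry");
        }
        Access granted = new Access(type, name, actions);
        System.out.println(granted.type + " " + granted.name + " " + granted.actions);
    }
}
```

Reading the claims only from the `DecodedJWT` returned by `verify` keeps unverified payload data out of the authorization decision.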

@sagebind


It seems very odd to me to disallow setting claims of custom data types when creating a JWT, when you can deserialize custom types when parsing/verifying. Why does Claim.as(Class<T> tClazz) exist if there's no way to get custom types into your token in the first place?

@lbalmaceda

Contributor
