There is no "typ" header in version 2.0.0 #233

Closed
ptarud opened this issue Sep 12, 2017 · 8 comments

ptarud commented Sep 12, 2017

Why is there no type header in version 2.0.0?

@ptarud ptarud changed the title There is no "typ" header in new version There is no "typ" header in new version (2.0.0) Sep 12, 2017
Member

excpt commented Sep 13, 2017

The typ header field is optional.

See: #174 and https://tools.ietf.org/html/rfc7519#section-5.

Does this change cause any issues for you?

@excpt excpt changed the title There is no "typ" header in new version (2.0.0) There is no "typ" header in version 2.0.0 Sep 13, 2017
@excpt excpt self-assigned this Sep 13, 2017
@excpt excpt modified the milestone: Version 2.1.0 Sep 13, 2017
Author

ptarud commented Sep 22, 2017

No, but I think it could cause an issue for other people if they use other media types in addition to JWT tokens. I have included it myself, but I think it would be better to include the "typ" header on JWT tokens by default.


lleger commented Oct 3, 2017

After upgrading to 2.0, my tests were failing. Took me a second to realize it was because of this change. The token fixture I had included the typ param but new tokens did not — thus the failure. This is a fine change, so I’m chiming in here to help anyone else searching for test failures after upgrading to 2.0.

Member

excpt commented Oct 5, 2017

@lleger Thank you very much for offering help. 🥇

@thegreyfellow

Hi, I just want to know if, starting with v2.2.1, the JWT created will always include the following entry in the header by default:

"typ": "JWT"

or not?


Seitk commented Mar 16, 2020

Another way around: JWT was a default header before 2.0.0,
removed by this PR:
https://github.com/jwt/ruby-jwt/pull/174/files

timlkelly added a commit to timlkelly/bigcommerce-api-ruby that referenced this issue Dec 19, 2020
The 'typ' header is no longer included by default with the ruby-jwt gem.
See this issue: jwt/ruby-jwt#233
@chriso0710

I would like to comment on this (unfortunately) closed issue.
It does not make much sense to me to remove the "typ" from the default headers. I think the typ should be set by default to "JWT". A missing typ header is prone to causing all kinds of problems and took me a couple of hours to debug in a Netlify environment. See details here:
https://community.netlify.com/t/identity-role-based-access-control-across-subdomains/29957/12

@eric-hemasystems

FYI, Auth0 started rejecting JWT tokens without the typ specified. Specifying it manually restored functionality.

eric-hemasystems pushed a commit to eric-hemasystems/sync_attr_with_auth0 that referenced this issue Feb 18, 2021
For BloodRelay I want to use a newer version of the Auth0 library.
URI.escape has been throwing deprecation warnings for a while but
now it's removed from Ruby 3 which means we need to be on a newer
version of Auth0 that no longer uses that method[1].

Had to decide if we want to stay on the 4.x series of Auth0 or the
5.x series due to a breaking change in `create_user` (or have our
library detect the version and call with the right arguments)[2]. I
opted to require v5 since it is better tested against recent versions
of Ruby[3].

Upgrading the auth0 gem required moving to the 2.2.x series of the JWT
library. The method doing the base64 encoding of the JWT signature has
moved. Also the `typ` header is no longer generated[4]. It seems it is
not required by the spec but Auth0 does require it so adding it as
a parameter manually. The algorithm param is the same as the default.
I just had to specify it to pass in header options.

Other than these library upgrades and the code changes caused by the
upgrades this commit includes no change in functionality. The test
suite passes but since it's heavily mocked I'll also note I have already
tested this against an upgraded version of BR to verify it really
doesn't break anything (this is how the `typ` thing was discovered).

1. auth0/ruby-auth0#202
2. auth0/ruby-auth0#244
3. auth0/ruby-auth0#256
4. jwt/ruby-jwt#233
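
The interoperability problem discussed in this thread, as an added example that is not part of the issue and is not ruby-jwt code: an HS256 token signed without `typ` is accepted by a receiver that treats the field as optional and refused by one that requires it, and adding the header field restores acceptance. It uses only the Ruby standard library; `encode_token`, `decode_token`, the `require_typ:` switch and the key and claims are hypothetical names and constructed values.

```ruby
require 'openssl'
require 'json'

# Constructed key and claims, for illustration only.
SECRET = 'constructed-demo-secret'
CLAIMS = { 'sub' => 'user-1' }.freeze

# base64url without padding, as used for JWT segments.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  text.tr('-_', '+/').unpack1('m')
end

# Sign an HS256 token by hand; extra_header holds optional header fields.
def encode_token(claims, secret, extra_header = {})
  header = { 'alg' => 'HS256' }.merge(extra_header)
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Check the signature first, then apply the receiver's typ policy.
# require_typ: false treats typ as optional; true models a strict consumer.
def decode_token(token, secret, require_typ:)
  parts = token.split('.', -1)
  raise ArgumentError, 'malformed token' unless parts.size == 3
  head, body, sig = parts
  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}"))
  raise ArgumentError, 'bad signature' unless OpenSSL.secure_compare(expected, sig)
  header = JSON.parse(b64url_decode(head))
  raise ArgumentError, 'unexpected alg' unless header['alg'] == 'HS256'
  typ = header['typ']
  raise ArgumentError, 'missing typ' if typ.nil? && require_typ
  raise ArgumentError, 'unexpected typ' unless typ.nil? || typ.to_s.casecmp?('JWT')
  JSON.parse(b64url_decode(body))
end
```

Test fixtures that embed a token generated with the older default header will differ byte for byte from newly issued tokens, because the header segment is part of the signed input.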