
JWT with JSON body seen as plaintext JWT #687

Closed
maximedn opened this issue Nov 5, 2021 · 4 comments
Labels
stale Stale issues pending deletion due to inactivity


maximedn commented Nov 5, 2021

Hi,

We are facing this behavior when using the latest release of jjwt (0.9.1):

When parsing the claims of a token that has a JSON body using Jwts.parser().[...].parseClaimsJws(token), the token is seen as a plaintext JWT. Here is what the token contains:

Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "iss": "XXX",
  "scope": "XXX",
  "onBehalfOf": "",
  "aud": " ",
  "locale": "",
  "iat": 1636109922773,
  "exp": 1636110522773,
  "jti": "ID"
}

Apparently, the token payload contains an extra \r\n at the end, which makes it interpreted as a plaintext jwt, see this line:

if (!payload.isEmpty() && payload.charAt(0) == '{' && payload.charAt(payload.length() - 1) == '}') { //likely to be json, parse it:

Is it normal behavior? Should the JWT be seen as plaintext when it doesn't end exactly with }?

Thank you!


lhazlewood commented Nov 5, 2021

Hi Maxime!

Out of curiosity, what made you believe 0.9.1 was the latest JJWT release? It's actually 0.11.2 (at the time I'm writing this) per https://github.com/jwtk/jjwt#install

That said, I'm not sure that 0.11.2 will solve your problem.

Compact JWT bodies can represent both plaintext as well as JSON, so we have to use heuristics (the line you quoted) to do our best to try and figure out if it might be JSON or not. Based on this issue, we need to update our code to ignore any whitespace before or after the first and last { and } characters respectively. (Or potentially even just try to parse the string no matter what, and if not valid JSON, fall back to a String or byte array).

And while we need to do that, I do have to say:

The entire point of compact JWTs is to save space: whatever library that produced your JWT should not be using whitespace anywhere in the JSON structure (other than in JSON member names and values themselves as necessary) - it should be as flat and minimal as possible with no extra whitespace anywhere as that only defeats the purpose of the notion of 'compact'. Could you reach out to whoever produced that JWT to see if they can fix it on their end as well?


bmarwell commented Apr 14, 2022

Hi @lhazlewood,

I just found out that a JWT body created by JJWT (+compact) will have a leading whitespace character (\n).

// Edit: It was JSON-B on OpenLiberty. They need an extra "sstrip()" call.

bmarwell added a commit to bmarwell/jjwt that referenced this issue Apr 16, 2022
bmarwell added a commit to bmarwell/jjwt that referenced this issue Apr 19, 2022
bmarwell added a commit to bmarwell/jjwt that referenced this issue Apr 22, 2022
bmarwell added a commit to bmarwell/jjwt that referenced this issue Apr 22, 2022

stale bot commented Jul 10, 2022

This issue has been automatically marked as stale due to inactivity for 60 or more days. It will be closed in 7 days if no further activity occurs.

stale bot added the "stale" label (Stale issues pending deletion due to inactivity) on Jul 10, 2022

lhazlewood commented Sep 6, 2023

This was resolved via 760c542 by

if (!hasContentType(header) // If there is a content type set, then the application using JJWT is expected
                            // to convert the byte payload themselves based on this content type
                            // https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.10 :
                            //
                            // "This parameter is ignored by JWS implementations; any processing of this
                            // parameter is performed by the JWS application."
                            //
        && isLikelyJson(payload)) { // likely to be json, parse it:
    Map<String, ?> claimsMap = deserialize(payload, "claims");

and
https://github.com/jwtk/jjwt/blob/a6792d938fd89b96fb38d22268962cfb8e742552/impl/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java#L230C11-L230C11
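
The following is an added example, not JJWT's own code, that reproduces the misclassification described in the opening comment (a claims object followed by "\r\n" fails the first-char/last-char check) and contrasts it with a whitespace-tolerant check combined with the content-type rule from the resolution above. The class and method names (PayloadKindDemo, looksLikeJsonStrict, looksLikeJsonTolerant, shouldParseAsClaims) and the sample claims are assumptions made for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

// Added example (not JJWT's code): why a trailing "\r\n" made a JSON payload
// look like plaintext, and a tolerant variant of the heuristic.
public final class PayloadKindDemo {

    // Strict check in the shape quoted in the issue: first char '{', last char '}'.
    // A payload such as "{...}\r\n" fails because its last char is '\n'.
    static boolean looksLikeJsonStrict(String payload) {
        return !payload.isEmpty()
                && payload.charAt(0) == '{'
                && payload.charAt(payload.length() - 1) == '}';
    }

    // Tolerant check: ignore leading/trailing whitespace before testing the braces.
    // String.strip() (Java 11+) removes more than the four RFC 8259 whitespace
    // characters, which is acceptable for a "likely JSON" heuristic.
    static boolean looksLikeJsonTolerant(String payload) {
        String s = payload.strip();
        return !s.isEmpty() && s.charAt(0) == '{' && s.charAt(s.length() - 1) == '}';
    }

    // Mirrors the resolved rule: when the header carries a "cty" (content type),
    // the application converts the bytes itself and the parser must not guess.
    static boolean shouldParseAsClaims(Map<String, String> header, String payload) {
        return !header.containsKey("cty") && looksLikeJsonTolerant(payload);
    }

    public static void main(String[] args) {
        // Constructed payload modelled on the issue: compact claims plus "\r\n".
        String claims = "{\"iss\":\"XXX\",\"iat\":1636109922773,\"exp\":1636110522773}\r\n";
        // Round-trip through base64url the way a compact JWS segment is carried.
        String segment = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        String decoded = new String(Base64.getUrlDecoder().decode(segment),
                StandardCharsets.UTF_8);

        System.out.println("strict check   : " + looksLikeJsonStrict(decoded));
        System.out.println("tolerant check : " + looksLikeJsonTolerant(decoded));
        System.out.println("with cty set   : "
                + shouldParseAsClaims(Map.of("cty", "text/plain"), decoded));
        System.out.println("without cty    : "
                + shouldParseAsClaims(Map.of("alg", "HS256"), decoded));
    }
}
```

Running it on Java 11 or later shows the strict check rejecting the CRLF-terminated payload while the tolerant check accepts it, and shows the tolerant check being bypassed entirely once a "cty" header is present.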

3 participants