Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid issuer. Expected [], received <none> (JWT::InvalidIssuerError) after upgrading from 2.8.2 to 2.9.0 #618

Closed
tpaulshippy opened this issue Sep 19, 2024 · 6 comments
Closed

Invalid issuer. Expected [], received <none> (JWT::InvalidIssuerError) after upgrading from 2.8.2 to 2.9.0 #618

tpaulshippy opened this issue Sep 19, 2024 · 6 comments
Assignees
@anakinj
Labels
bug

Comments

@tpaulshippy
Copy link

Issue: InvalidIssuerError is raised even though no specific issuer was specified. There was no error in 2.8.2

Sample code to illustrate the issue:

require "jwt"
hmac_secret = 'my$ecretK3y'
payload = { data: "test" }

# Encode
token = JWT.encode payload, hmac_secret, "HS256"

puts token

decoded_token = JWT.decode token, hmac_secret, true, {
  verify_iss: true,
  algorithm: "HS256"
}

puts decoded_token

Running in 2.8.2 --
image

Running the same code in 2.9.0 --
image
@tpaulshippy
Copy link
Author

Workaround:

verify_iss: false

@tpaulshippy
Copy link
Author

Same issue happens with verify_aud

@anakinj
Copy link
Member

anakinj commented Sep 20, 2024

Thanks for reporting. Probably some regression not covered by tests. Taking a look.

@tpaulshippy
Copy link
Author

Yeah once I realized that my use case was not really valid (verify the issuer that I'm not actually providing), I wasn't as concerned and fixed my code to provide the issuer. But I suspect I'm not the only one who may have made this mistake. I could see a future major version actually raising an error if you ask it to verify something without providing the info needed to verify it.

@anakinj
Copy link
Member

anakinj commented Sep 20, 2024

There has been some comments that the way the verification is enabled is not that intuitive, needing to pass both verify_iss: true and issparameters, could be enough to just pass the expected list of issuers to enable this validation.

@anakinj anakinj self-assigned this Sep 20, 2024
@anakinj anakinj added the bug label Sep 20, 2024
@anakinj anakinj mentioned this issue Sep 20, 2024
Merged
2 tasks
@anakinj anakinj closed this as completed Sep 23, 2024
@anakinj
Copy link
Member

anakinj commented Sep 23, 2024

Fixed in v2.9.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@anakinj anakinj

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@anakinj @tpaulshippy