JWT support for Scala. Bonus extensions for Play, Play JSON, Json4s, Circe, uPickle, Spray and Argonaut
APACHE-2.0 License
Bot releases are visible (Hide)
Published by pauldijou about 8 years ago
Published by pauldijou over 8 years ago
audience
is now Set[String]
rather than just String
inside Claim
according to JWT spec. API using String
still available.org.bouncycastle.util.Arrays.constantTimeAreEqual
to check signature rather than home made function.Published by pauldijou over 8 years ago
Add leeway
support in JwtOptions
Published by pauldijou over 8 years ago
Support for Circe 0.3.0
Published by pauldijou over 8 years ago
Support for Play Framework 2.5.0
Published by pauldijou over 8 years ago
Fix bug not-escaping quotation mark "
when stringifying JSON.
Published by pauldijou almost 9 years ago
Thanks to @dwhitney , JWT Scala
now has support for Circe. Check out samples and Scaladoc.
When decoding, JWT Scala
also performs validation. If you need to decode an invalid token, you can now use a JwtOptions
as the last argument of any decoding function to disable validation checks like expiration, notBefore and signature. Read the Options section of the core sample to know more.
Since 2.4, Play assign null
as default value for some configuration keys which throw a ConfigException.Null
in TypeSafe config lib. This should be fixed with the new configuration system at some point in the future. In the mean time, all calls reading the configuration will be wrapped in a try/catch to prevent that.
Published by pauldijou about 9 years ago
Fix tricky bug inside all JSON libs not supporting correctly the none
algorithm.
Published by pauldijou about 9 years ago
Thanks a lot to @drbild for helping review the code around security vulnerabilities.
All the sub-projects are now released directly on Maven Central. Since Sonatype didn't accept pdi
as the groupId, I had to change it to com.pauldijou
. Sorry about that, you will need to quickly update your build.sbt
(or whatever file contains your dependencies).
Good news Those changes don't impact the jwt-play
lib, only low level APIs.
All decoding and validating methods with a key: String
are now removed for security reasons. Please use their counterpart which now needs a 3rd argument corresponding to the list of algorithms that the token can be signed with. This list cannot mix HMAC and asymetric algorithms (like RSA or ECDSA). This is to prevent a server using RSA with a String key to receive a forged token signed with a HMAC algorithm and the RSA public key to be accepted using the same RSA public key as the HMAC secret key by default. You can learn more by reading this article.
// Before
val claim = Jwt.decode(token, key)
// After (knowing that you only expect a HMAC 256)
val claim = Jwt.decode(token, key, Seq(JwtAlgorithm.HS256))
// After (supporting all HMAC algorithms)
val claim = Jwt.decode(token, key, JwtAlgorithm.allHmac)
If you are using SecretKey
or PublicKey
, the list of algorithms is optional and will be automatically computed (using JwtAlgorithm.allHmac
and JwtAlgorithm.allAsymetric
respesctively) but feel free to provide you own list if you want to restrict the possible algorithms. More security never killed any web application.
Why not deprecate them? I considered doing that but I decided to enforce the security fix. I'm pretty sure that most people only use one HMAC algorithm with a String key and it will force them to edit their code but it should be a minor edit since you usually only decode tokens once or twice inside a code base. The fact that the project is still very new and at a 0.x
version played in the decision.
Fix a security vulnerability around timing attacks.
Add implicit class to convert JwtHeader
and JwtClaim
to JsValue
or JValue
. See examples for Play JSON or examples for Json4s.
// Play JSON
JwtHeader(JwtAlgorithm.HS256).toJsValue
JwtClaim().by("me").to("you").about("something").issuedNow.startsNow.expiresIn(15).toJsValue
// Json4s
JwtHeader(JwtAlgorithm.HS256).toJValue
JwtClaim().by("me").to("you").about("something").issuedNow.startsNow.expiresIn(15).toJValue
Published by pauldijou about 9 years ago
Same as 0.4.0
but targeting Play 2.3
Published by pauldijou over 9 years ago
Published by pauldijou over 9 years ago
Option
from API. Now, it's either nothing or a valid key. It shouldn't have a big impact since the majority of users were using valid keys already.Tuple3
, the last part representing the signature is now a String
rather than an Option[String]
.SecretKey
for HMAC algorithmsPrivateKey
and PublicKey
for RSA and ECDSA algorithmsJwtAsymetricAlgorithm
is either a RSA or a ECDSA algorithm)
method(...)
method(..., key: String, algorithm: JwtAlgorithm)
method(..., key: SecretKey, algorithm: JwtHmacAlgorithm)
method(..., key: PrivateKey/PublicKey, algorithm: JwtAsymetricAlgorithm)
Use PrivateKey
when encoding and PublicKey
when decoding or verifying.
{"algo":"none"}
header was incorrectly supportedPublished by pauldijou over 9 years ago
No code change from 0.0.6, just more doc and tests.
Published by pauldijou over 9 years ago
Add support for Json4s (both Native and Jackson implementations)
Published by pauldijou over 9 years ago
We should be API ready. Just need more tests and scaladoc before production ready.