What problem are you trying to solve?
We would like to have a Hapi route that allows two different sets of JWT tokens (with different issuers, audiences, and schemes). I thought that I could configure route strategies for this; however, @hapi/jwt's errors always include error messages, which causes Hapi to reject the request (see here) rather than continue to the next scheme.
Do you have a new or modified API suggestion to solve the problem?
If I understand correctly, @hapi/jwt currently validates the timestamp, then audience, then issuer, then other token values, then the signature:
It seems to me that this is out of order and that a better approach would be the following:
1. If an issuer is configured, then check the issuer. If the issuer does not match, then the current @hapi/jwt scheme is not responsible for this JWT and fails with a no-message unauthorized result so that Hapi continues authentication with the next configured strategy.
2. Validate the signature, to avoid leaking information about valid audiences/etc. if there's no valid signature.
3. Validate the remaining payload.
If this is too big a change (e.g., due to backward compatibility concerns or processing costs of retrieving and validating signatures), then could the issuer check be moved first, and could some sort of ignoreUnknownIssuer option be added to allow a no-message unauthorized result if the issuer doesn't match?
Runtime: Node.js
Runtime version: 18.18.2
Module version: 3.2.0
Used with: Hapi 21
Any other relevant information: No response