Closed
Describe the bug
The default (and only) JWK set builder considers all "keys" members as secret, even if the set contains only public keys.
In turn, this results in a failure to serialize the set using Jackson, because redacted data cannot be serialized.
To Reproduce
- Add Jackson to the classpath
- Create a JWK for a public key
- Add that JWK to a JWKSet using the builder
- Attempt to serialize that set using Jackson's ObjectMapper
A complete example follows.
dependencies {
    implementation("io.jsonwebtoken:jjwt-api:0.12.6")
    runtimeOnly("io.jsonwebtoken:jjwt-impl:0.12.6")
    runtimeOnly("io.jsonwebtoken:jjwt-jackson:0.12.6")
}
import java.security.interfaces.RSAPublicKey;

import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.security.Jwks;
import io.jsonwebtoken.security.JwkSet;
import io.jsonwebtoken.security.RsaPublicJwk;

static void jwkSetUnexpectedlyPrivate(RSAPublicKey pubKey) throws Exception {
    final ObjectMapper jacksonMapper = new ObjectMapper();
    final RsaPublicJwk pubJwk = Jwks.builder()
            .key(pubKey)
            .build();
    // PASS; unredacted human-readable form
    pubJwk.toString();
    // PASS; unredacted
    jacksonMapper.writeValueAsString(pubJwk);
    // When in a set, the same public JWK is now redacted
    final JwkSet jwkSet = Jwks.set()
            .add(pubJwk)
            .build();
    // FAIL? Redacted; possibly a safe default, not terribly problematic for debug statements
    jwkSet.toString();
    // FAIL; throws an exception. Prevents exposure of the set for external consumption of public keys.
    jacksonMapper.writeValueAsString(jwkSet);
    // com.fasterxml.jackson.databind.exc.InvalidDefinitionException: No serializer found for class
    // io.jsonwebtoken.impl.lang.RedactedSupplier and no properties discovered to create BeanSerializer
    // (to avoid exception, disable SerializationFeature.FAIL_ON_EMPTY_BEANS)
    // (through reference chain: io.jsonwebtoken.impl.security.DefaultJwkSet["keys"])
}
Expected behavior
- It is expected that sets are either conditionally redacted based on whether their content is redacted, OR this behavior can be configured in some way to allow proper serialization.
- It should be possible to serialize a JwkSet using Jackson.
Screenshots
See code sample above.
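A workaround for the current behavior, added here as an illustration and not code from the issue or from JJWT: since the individual public JWK serializes fine and only the set wraps its "keys" in a RedactedSupplier, the set can be exported by copying each member's JSON members into plain maps, refusing any member that is not a PublicJwk so private or secret material is never copied. The helper name `publicJwksJson` is mine; it assumes JJWT's `Jwk` is a `Map<String, Object>` of its JSON members and that `JwkSet.getKeys()` returns the members.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.security.Jwk;
import io.jsonwebtoken.security.JwkSet;
import io.jsonwebtoken.security.PublicJwk;

final class PublicJwkSetExport {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /**
     * Serializes the set as {"keys":[...]} for external consumption, but only when every
     * member is a public JWK. Hypothetical helper written for this illustration.
     */
    static String publicJwksJson(JwkSet set) throws Exception {
        List<Map<String, Object>> keys = new ArrayList<>();
        for (Jwk<?> jwk : set.getKeys()) {
            // Refuse anything that is not a PublicJwk so private/secret members are never exported.
            if (!(jwk instanceof PublicJwk)) {
                throw new IllegalArgumentException("JWK set contains a non-public key, id=" + jwk.getId());
            }
            // A Jwk exposes its JSON members as a Map (assumption noted in the lead-in); copying
            // them into a plain map gives Jackson ordinary values instead of the set's RedactedSupplier.
            keys.add(new LinkedHashMap<>(jwk));
        }
        Map<String, Object> doc = new LinkedHashMap<>();
        doc.put("keys", keys);
        return MAPPER.writeValueAsString(doc);
    }
}
```

Calling `PublicJwkSetExport.publicJwksJson(jwkSet)` on the set from the reproduction above yields the unredacted JWKS document, while a set containing a private or secret JWK is rejected before anything is written.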