Comments (12)
I would vote for either of the first options.
There are quite a few JWT libraries for Java, but none that I can find with full support for EdDSA and most are resolutely trying to support JDK 8, which is holding them back from supporting it.
Great to see movement on this.
from fusionauth-jwt.
Thanks for the feedback @Yaytay.
from fusionauth-jwt.
Yeah one of the reasons I picked this library is it seems updated, just the right size code base wise, and well supported.
Since you guys are newer smaller library (so hopefully less angry users on JDK upgrade) maybe we can get JDK 17 baseline and EdDSA support soon?
from fusionauth-jwt.
RFC specifying this: https://tools.ietf.org/html/rfc8037
from fusionauth-jwt.
Java supports EdDSA: https://openjdk.java.net/jeps/339
from fusionauth-jwt.
I could add support for this in the library, but this feature was included in Java 15. Ideally I'd only anchor to Java LTS releases.
So I could:
- Increase the min. requirement from Java 8 to Java 17
- Build a separate jar named
fusionauth-jwt-eddsa
that requires Java 17, but the base library still remains at 8 - I may be able to implement it w/out binding to any new interfaces and just use reflection. If this works, then this algorithm would only work when running on >= Java 17
from fusionauth-jwt.
Hacking a bit on this branch
from fusionauth-jwt.
See also
from fusionauth-jwt.
One technique to the whole Java 17 issue that I have used several times is to use the ServiceLoader pattern. Write the ED part as a separate jar and if its included on the classpath it automatically is available. This is sort of like the reflection changes @robotdan talked about but it is far more canonical than a reflection hack (as well as Graal native friendly).
I was looking at @robotdan changes to make EdDSA support work to see what is required to add a new algorithm and it appears the way things are currently designed with heavy use of enums that it would be a lot of work to add pluggable algorithms (and would probably require a major version change).
Most of the problem is the enums but there are also classes that are essentially a merge of all the algorithms (JSONWebKey iirc).
It is a shame though because I see value in having all the algorithms as modules (e.g. separate jars with a MET-INF/services registration) as folks could choose only the algorithms they want and say to their security team that there is no way they accidentally generate with some other algorithm... well maybe that is a dumb reason but it would make the deployed size every so slightly smaller.
from fusionauth-jwt.
If I can find an evening to hack on the branch I started, I may be able to finish it.
from fusionauth-jwt.
Taking a stab at a major version release of this library to make it more extendable, and taking my EdDSA branch and moving it to a new repo to prove the theory.
- https://github.com/FusionAuth/fusionauth-jwt/tree/degroff/extendable
- https://github.com/FusionAuth/fusionauth-jwt-eddsa
- https://github.com/FusionAuth/fusionauth-jwt-unsecured
If it all holds together, I should get this out soon.
from fusionauth-jwt.
Getting closer. I re-worked the branch and use the java.util.ServiceLoader
which is a bit cleaner than what I was doing prior.
from fusionauth-jwt.
Related Issues (20)
- Add x5c and verify public key against x5c when extracting a public key from a JSON Web Key HOT 6
- io.fusionauth:fusionauth-jwt:4.0.1 has security vulnerabilities HOT 4
- README improvements
- Configurable timeouts on UrlConnection HOT 6
- Upgrade to Java >= 14? HOT 7
- Create a RSASigner.newSHA256Signer which supports PrivateKey instance HOT 2
- Wrong module descriptor HOT 10
- Will Grant Negotiation and Authorization Protocol (GNAP) working code be made available soon? HOT 2
- Embedding JWK does not yield an interoperable result HOT 3
- Overriding "configureMessageConverters" in spring HOT 2
- How to gen a jwk with kid? HOT 3
- 2047 vs. 2048 HOT 2
- Android 7 - Base64 NoClassDefFoundError HOT 1
- Decode expired JWT throws Exception HOT 2
- Best way to pull out "kid" to pick verifier? HOT 4
- Support Function<String,Verifier> for kid mapping HOT 2
- "The JWT could not be de-serialized." HOT 4
- Need Ability to Extend `Header` class HOT 2
- Fix padding on the EC signature when decoding `r` and `s` from the DER encoded value HOT 1
- thread safety
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fusionauth-jwt.