rnewson commented on issue #5838:
URL: https://github.com/apache/couchdb/issues/5838#issuecomment-3726233262

The simple answer is that the at+jwt RFC came out after our JWT implementation and no one has tried such tokens against couchdb before you.

That said, you shouldn't get a case_clause error. The bug is here https://github.com/apache/couchdb/blob/main/src/jwtf/src/jwtf.erl#L177. That line should read `{_, _}` instead, and that way we'd return a sensible error message.

There are two principles in the jwtf application to note here:

1) the _administrator_ can decide which claims are required to be in presented tokens.
2) _couchdb_ insists that all presented claims are valid, regardless of whether they are required. The latter requirement is a security precaution: not to accept malformed tokens.

Adding support for RFC 9068 looks like it's more than merely allowing `typ` to be `at+jwt`, so this is an enhancement rather than a bug fix (we should fix the bug I mentioned in the second para though): https://www.rfc-editor.org/rfc/rfc9068.html#name-validating-jwt-access-token.

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
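The two principles rnewson lists (the administrator chooses which claims are required; every claim that is presented is validated whether required or not), together with the point that an unsupported `typ` such as `at+jwt` should produce a readable rejection rather than an unhandled error, can be modelled in a few dozen lines. The following is an added illustration by the editor, not CouchDB's jwtf code: it performs no signature verification, uses a placeholder `alg` allow-list, and accepts only `typ: JWT`; claim names follow RFC 7519 and the sample tokens are constructed in the test.

```python
import base64
import json
import time

# Constructed illustration of the two jwtf principles; NOT CouchDB's code.
SUPPORTED_TYP = {"jwt"}                      # assumption: only plain JWTs accepted
SUPPORTED_ALG = {"HS256", "RS256", "ES256"}  # assumption: placeholder allow-list


class TokenRejected(Exception):
    """Carries a human-readable reason; callers never see a bare crash."""


def _b64url_json(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    try:
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise TokenRejected(f"segment is not base64url JSON: {exc}")
    if not isinstance(obj, dict):
        raise TokenRejected("segment must decode to a JSON object")
    return obj


def split_token(token: str) -> tuple:
    """Decode header and payload only; the signature is deliberately not checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("token must have exactly three segments")
    return _b64url_json(parts[0]), _b64url_json(parts[1])


def _ts(name, v):
    if isinstance(v, bool) or not isinstance(v, int):
        raise TokenRejected(f"{name} must be a NumericDate integer")
    return v


# Per-claim validators. Each runs whenever its claim is PRESENT, whether or not the
# administrator marked it required (principle 2). Unknown typ/alg values are
# rejected with a reason instead of falling off the end of a case statement.
def _v_typ(v, now):
    if not isinstance(v, str) or v.lower() not in SUPPORTED_TYP:
        raise TokenRejected(f"unsupported typ {v!r}")


def _v_alg(v, now):
    if v not in SUPPORTED_ALG:
        raise TokenRejected(f"unsupported alg {v!r}")


def _v_exp(v, now):
    if _ts("exp", v) <= now:
        raise TokenRejected("token has expired")


def _v_nbf(v, now):
    if _ts("nbf", v) > now:
        raise TokenRejected("token is not yet valid")


def _v_iat(v, now):
    if _ts("iat", v) > now:
        raise TokenRejected("iat is in the future")


def _v_str(name):
    def check(v, now):
        if not isinstance(v, str) or not v:
            raise TokenRejected(f"{name} must be a non-empty string")
    return check


HEADER_CHECKS = {"typ": _v_typ, "alg": _v_alg, "kid": _v_str("kid")}
PAYLOAD_CHECKS = {"exp": _v_exp, "nbf": _v_nbf, "iat": _v_iat,
                  "iss": _v_str("iss"), "sub": _v_str("sub")}


def validate(token: str, required, now=None) -> dict:
    """Return the payload on success; raise TokenRejected with a reason otherwise."""
    now = int(time.time()) if now is None else now
    header, payload = split_token(token)
    # Principle 1: the administrator's required list decides what MUST be present.
    present = set(header) | set(payload)
    missing = sorted(c for c in required if c not in present)
    if missing:
        raise TokenRejected(f"missing required claims: {missing}")
    # Principle 2: everything that IS present and that we know how to check gets checked.
    for claims, checks in ((header, HEADER_CHECKS), (payload, PAYLOAD_CHECKS)):
        for name, check in checks.items():
            if name in claims:
                check(claims[name], now)
    return payload


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Constructed helper for the examples: two JSON segments plus a dummy signature."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.sig"


def check(token: str, required, now) -> str:
    """Convenience wrapper: 'ok' or the rejection reason as a string."""
    try:
        validate(token, required, now)
        return "ok"
    except TokenRejected as exc:
        return str(exc)
```

With this structure, a token carrying `typ: at+jwt` is turned away with `unsupported typ 'at+jwt'`, and an `exp` that the administrator never asked for is still rejected when it is in the past, which is the behaviour the comment describes for jwtf.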