RFC Errata
Found 3 records.
Status: Reported (3)
RFC 7519, "JSON Web Token (JWT)", May 2015
Note: This RFC has been updated by RFC 7797, RFC 8725
Source of RFC: oauth (sec)
Errata ID: 5906
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Erdem Memisyazici
Date Reported: 2019-11-13
Section 7.2 says:
Finally, note that it is an application decision which algorithms may be used in a given context. Even if a JWT can be successfully validated, unless the algorithms used in the JWT are acceptable to the application, it SHOULD reject the JWT.
It should say:
Finally, note that it is an application decision which algorithms may be used in a given context. Even if a JWT can be successfully validated, unless the algorithms used in the JWT are acceptable to the application, it MUST reject the JWT.
Notes:
A vulnerability exists in certain implementations in the wild where applications simply look for valid JWT tokens which includes the "none" algorithm (https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a). A fairly popular library is auth0's java-jwt and at verification (https://github.com/auth0/java-jwt/blob/master/lib/src/main/java/com/auth0/jwt/JWTVerifier.java) quite reasonably you cannot initialize the class without an algorithm. Given all capital SHOULD may be interpreted as a recommendation and as this RFC dictates the algorithm "none" MUST be implemented as a default algorithm under Section 8, one could argue JWTVerifier in the example doesn't have to verifyAlgorithm leading to the vulnerability pointed out in the first article while still complying by the specification. There is no good reason why an algorithm unacceptable to the application must not be rejected as it does more harm than good and all popular library implementations interpret it as such.
Errata ID: 7720
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Timothy Vergenz
Date Reported: 2023-12-01
Section 4.1.6 says:
4.1.6. "iat" (Issued At) Claim The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.
It should say:
4.1.6. "iat" (Issued At) Claim The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL. Implementors MUST NOT reject otherwise-valid JWTs with "iat" claims that appear to be from the future; token issuers desiring this behavior may require it by including an "nbf" claim.
Notes:
There is substantial confusion and disagreement among JWT library implementors about whether to reject JWTs with `iat` claims that appear to be from the future due to clock drift. This confusion has led to over half a dozen Github issues & PRs over the years in libraries in many different ecosystems, and lots of strong disagreement among library developers and users.
Based on a sample of the top Google search results for jwt client libraries in 11 different language ecosystems, the majority (7) of the libraries sampled do not reject future `iat` claims, while the remaining 4 *do* reject future `iat` claims by default. Of those 4 who do, *all* of them have had Github issues filed (by different unique users) in which the user was having a JWT unexpectedly rejected by a token validator using the library whose clock had drifted from that of the token issuer enough to trigger `iat`-based rejection.
I propose we update the spec to explicitly prohibit rejection of future-`iat` JWTs (especially since token issuers have always been able to opt into this behavior using an `nbf` claim). Since this RFC has been published and cannot be edited, a new superseding RFC will have to be published and this one deprecated in order for the suggested change to make it out of the errata and into an actual RFC doc.
I'm not sure if this merits a full RFC republish -- but as a data point for impact consideration, it's worth noting that this confusion has almost certainly wasted at least multiple hours per person (on average) of *dozens* of developers' time over the years, and led to at least half a dozen production bugs that I've seen mentioned. One of these bugs cropped up in my own organization on 2023-11-31 and has been observed previously but was misunderstood and not resolved; the 2023-11-31 occurence involved 10+ people in discussion. One Github issue I saw described an elongated full web server outage attributed to this confusion which cropped up during a leap-second-related clock drift issue. I'm filing this errata request on calendar day 3+ of discussing this issue in my organization (if you include past times this issue has cropped up).
Thanks for your consideration! I look forward to hearing back.
Errata ID: 8060
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Pieter Kasselman
Date Reported: 2024-07-31
Section 7.2 says:
5. Verify that the resulting JOSE Header includes only parameters
and values whose syntax and semantics are both understood and
supported or that are specified as being ignored when not
understood.
It should say:
5. Verify that the resulting JOSE Header includes only parameters
and values whose syntax and semantics are both understood and
supported or that are specified as being ignored when not
understood. If the JWT is a JWS, the steps specified in
RFC7515 takes precedence when validating JOSE Header parameters.
Notes:
Validation step 5 in section 7.2 of RFC 7519 states that header parameters should only be ignored if they are explicitly specified as needing to be ignored.
This is contrary to step 7 in section 7.2 which requires that the processing rules of RFC 1515 be used if the JWT is a JWS (defined in RFC 1515). RFC 7515 does not include any special provisions for only ignoring header parameters if they are specified as being ignored, but instead requires all header parameters to be ignored if they are not understood (repeated below for convenience).
"Unless listed as a critical Header Parameter, per
Section 4.1.11, all Header Parameters not defined by this
specification MUST be ignored when not understood."
A discussion with the authors at IETF 120 confirmed that all header parameters that are not understood must be ignored.
The proposed errata aims to clarify that if the JWT is a JWS, the processing rules of RFC 7151 should apply (including ignoring header parameters that are not understood). This is consistent with point 7.2, which requires that RFC 7515 [JWS] rules applies and avoids the impression that a new requirement on when parameters are ignored is being introduced in (i.e. the need to be explicitly defined as needing to be ignored).