kjur / jsjws


IMPORTANT NOTICE: END OF SUPPORT! jsjws has been merged into http://kjur.github.io/jsrsasign/, so please move to jsrsasign. 'jsjws' is a pure JavaScript implementation of JSON Web Signature (JWS) and JSON Web Token (JWT).

Home Page: http://kjur.github.io/jsjws/

License: Other

HTML 68.56% JavaScript 30.69% CSS 0.74%

Contributors: davedoesdev, kjur

jsjws's Issues

ReferenceError: sHead is not defined

Hi. You have a mistake in jws 3.1. The sHead variable does not exist.

KJUR.jws.JWS.sign = function(alg, sHeader, sPayload, key, pass) {
    var ns1 = KJUR.jws.JWS;

    if (! ns1.isSafeJSONString(sHeader))
    throw "JWS Head is not safe JSON string: " + sHead;

Can someone please explain to me how the user agent's pvk remains a secret?

I haven't dug into this implementation yet because failure to retain secrecy of the remote client's private key material would be a non-starter for my particular use case and I'm curious to know if this is worth looking into further.

How in the world would you process the private key without loading it into the browser and therefore make it accessible to anyone eavesdropping in that browser's Dev Tools, thereby making the client's private key public knowledge to anyone with access to their browser?

Actual Security

Sorry for my ignorant question. But assuming I build an HTML page using JSON/JSJWS. The values I want to encrypt are in the JSON, in the HTML.

So, I then encrypt before sending, so great, http traffic is encrypted. But, if someone looked at html source, wouldn't they see original values?

Error in sign function

Hi,
in both files (full and min) in version 3.0 there is an error:

KJUR.jws.JWS.sign = function(alg, sHeader, sPayload, key, pass) {
    var ns1 = KJUR.jws.JWS;

    if (! ns1.isSafeJSONString(sHeader))
    throw "JWS Head is not safe JSON string: " + sHead;

the "sHead" should be "sHeader"; the same goes for the min file, where there should be "p" instead of "sHead".

Signatures not valid on HS256

Generate the default value from http://kjur.github.io/jsjws/tool_jwt.html:

Without a signature it generates:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL2p3dC1pZHAuZXhhbXBsZS5jb20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmNvbSIsIm5iZiI6MTQxNTEwNDAxOSwiZXhwIjoxNDE1MTA3NjE5LCJpYXQiOjE0MTUxMDQwMTksImp0aSI6ImlkMTIzNDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9yZWdpc3RlciJ9.

It self-validates fine... and at jwt.io.

Changing to hmac256 with the defaults does not seem to be signed correctly when pasted into jwt.io.

I haven't tried further, in case I'm doing something else wrong in the process. If you can confirm this should function, I'll start looking at the code for the source of the issue.

[enhancement] Add missing bower.json.

Hey, maintainer(s) of kjur/jsjws!

We at VersionEye are working hard to keep up the quality of the bower's registry.

We just finished our initial analysis of the quality of the Bower.io registry:

7530 registered packages, 224 of them don't exist anymore;

We analysed 7306 existing packages and 1070 of them don't have bower.json on the master branch (that's where a Bower client pulls the data).

Sadly, your library kjur/jsjws is one of them.

Can you spare 15 minutes to help us to make Bower better?

Just add a new file bower.json and change attributes.

{
  "name": "kjur/jsjws",
  "version": "1.0.0",
  "main": "path/to/main.css",
  "description": "please add it",
  "license": "Eclipse",
  "ignore": [
    ".jshintrc",
    "**/*.txt"
  ],
  "dependencies": {
    "<dependency_name>": "<semantic_version>",
    "<dependency_name>": "<Local_folder>",
    "<dependency_name>": "<package>"
  },
  "devDependencies": {
    "<test-framework-name>": "<version>"
  }
}

Read more about bower.json in the official specification; the nodejs semver library has great examples of proper versioning.

NB! Please validate your bower.json with jsonlint before committing your updates.

Thank you!

Timo,
twitter: @versioneye
email: [email protected]
VersionEye - no more legacy software!

Tests are failing

Hello, I have cloned this repo and am trying to run the unit tests locally. The following files contain failing unit tests:

  • qunit-do-jws-sign.html
  • qunit-do-jws-intdate.html

These tests fail on the latest Chrome, Firefox and Safari.

readSafeJSONString returns null

This code for decoding a token is directly taken from the demo on the website:

  var a = currentToken.split(".");
  var uHeader = b64utos(a[0]);
  var uClaim = b64utos(a[1]);
  var pHeader = KJUR.jws.JWS.readSafeJSONString(uHeader);
  var pClaim = KJUR.jws.JWS.readSafeJSONString(uClaim);

Problem here is that readSafeJSONString always returns null for valid JSON (checked in JSONLint). I am using it with

  'vendor/jsrsasign/jsrsasign-4.1.4-all-min.js',
  'vendor/jsjws/jws-3.0.min.js'

Any ideas?

this.isSafeJSONString is not a function

Using your library and trying to verify a signed token using

    var sJWS = "the token"
    var sPemX509Cert = "-----BEGIN CERTIFICATE----- etc"
    var jws = new KJUR.jws.JWS();
    var result = jws.verifyJWSByPemX509Cert(sJWS, sPemX509Cert);

The console throws the following error:

TypeError: this.isSafeJSONString is not a function
    at parseJWS (http://localhost:8100/lib/jsjws/jws-3.2.js:115:13)
    at verifyJWSByPemX509Cert (http://localhost:8100/lib/jsjws/jws-3.2.js:203:7)
    ...

I solved it by creating the mentioned function (from your source code, jws-3.2.js):

    // variables
    var jws = new KJUR.jws.JWS();
    jws.isSafeJSONString = function(s, h, p) {
        var o = null;
        try {
            o = jsonParse(s);
            if (typeof o != "object") return 0;
            if (o.constructor === Array) return 0;
            if (h) h[p] = o;
            return 1;
        } catch (ex) {
            return 0;
        }
    };
    var result = jws.verifyJWSByPemX509Cert(sJWS, sPemX509Cert);

Error in sign function "JWS Head is not safe JSON string"

My header string is being passed as:

'{"alg": "HS256", "cty": "JWT"}'

which is pasted directly from one of the jsjws tests, AND validates just fine in JSONLint and every other parser I have found. What is meant by "safe" JSON string in this instance?

Strict mode problem

asn1x509-1.0.js defines subjectKeyIdentifier twice which produces the following warning in Node:

Warning: asn1x509-1.0.js:1810
        'subjectKeyIdentifier': '2.5.29.14',
        ^^^^^^^^^^^^^^^^^^^^^^
Duplicate data property in object literal not allowed in strict mode Use --force to continue.

Removing one of the occurrences fixes it.

Update kjur.github.io demos to use jws-3.0.js

The demos don't use jws 3.0, so for example ES384 seems not to work.

I'm also getting a

Error: TypeError: Cannot read property 'bitLength' of undefined

when using the demo with one of the ES384 test vectors. The library should be more robust against these kinds of errors. The test vectors:

https://github.com/kjur/jsjws/blob/master/test/qunit-do-jws-sign.html#L394

-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEVDUmq9/Ec5Sj8mRbDUhlGp86TUbYdAvj
IpFRB/BQJQxzDKQLN+HcheCCtLsYG4hHvW0Poni65escBUdMmk4r7sKMlwvknBlJ
8J6Wl5onelFIMOMqW53h7GirmfSS3TAK
-----END PUBLIC KEY-----

and

eyJhbGciOiJFUzM4NCIsICJjdHkiOiJKV1QifQ.eyJhZ2UiOiAyMX0.ImFmrFvzlyl-BGHz8sdD6we6T1uCL5d6Q-oCWmDSh-q8eSL1bxPix7XZjxZGYJySw1On974Vw2NmzffgXvDPk7Ayvau0_fp0v4KUh4x6RcGKZDQgXVli1mfrGKTFP37C

Enhance documentation

This looks like it's exactly what I need, but there seems to be almost no documentation. There's the API docs, sure, but nothing else. The readme is barebones, and the tutorials link directs to an empty wiki. I tried reading the code on the site, but I seem to have version or dependency issues.

Some questions:

  • What dependencies are required?
  • What is the relation between jsjws and jsrsasign? jsjws seems to depend on jsrsasign, but why is the former then included in the install of the latter?
  • Basic working examples would be nice, for a recent version. The stuff I got from the demos page seems outdated, or at least didn't work for me.
  • Basically a how-to is missing
  • What's the difference between readSafeJSONString and JSON.parse?
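Added example, not code from the jsjws project or from any of the issue authors: a stand-alone Node.js decode of the unsigned token shown in the "Signatures not valid on HS256" issue, written in the shape of the demo snippet from the "readSafeJSONString returns null" issue, and showing what "safe" means in the sense of the isSafeJSONString workaround (parse succeeds and the result is a plain object, not an array or scalar), which is the difference from JSON.parse asked about above. The names b64uToUtf8, parseSafeJSONObject and decodeJWT are chosen here and are not the library's API.

```javascript
// Constructed sample: the unsigned token from the HS256 issue above. Its header
// is {"alg":"none","typ":"JWT"} and its third (signature) part is empty.
const SAMPLE_TOKEN =
  "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
  "eyJpc3MiOiJodHRwczovL2p3dC1pZHAuZXhhbXBsZS5jb20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmNvbSIsIm5iZiI6MTQxNTEwNDAxOSwiZXhwIjoxNDE1MTA3NjE5LCJpYXQiOjE0MTUxMDQwMTksImp0aSI6ImlkMTIzNDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9yZWdpc3RlciJ9.";

// base64url (RFC 4648 section 5, unpadded) to UTF-8 text. Plays the role of the
// demo's b64utos() call; this is a hypothetical helper, not the library's one.
function b64uToUtf8(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// "Safe" JSON in the sense of the posted isSafeJSONString workaround: the text
// must parse AND the result must be a plain object. JSON.parse alone happily
// returns arrays, numbers, strings and null, none of which is a JWS header or
// claim set. Returns the object, or null when the input is rejected.
function parseSafeJSONObject(s) {
  let o;
  try {
    o = JSON.parse(s);
  } catch (e) {
    return null;
  }
  if (o === null || typeof o !== "object" || Array.isArray(o)) return null;
  return o;
}

// Split a compact JWS/JWT, decode header and claims as safe JSON objects, and
// report whether there is anything to verify at all. A null from either parse
// is the "returns null" situation from the issue above, so it is made an error.
function decodeJWT(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated parts");
  const header = parseSafeJSONObject(b64uToUtf8(parts[0]));
  const claims = parseSafeJSONObject(b64uToUtf8(parts[1]));
  if (header === null) throw new Error("JWS header is not a safe JSON object");
  if (claims === null) throw new Error("JWS payload is not a safe JSON object");
  // alg "none" or an empty signature part means the claims are unverified and
  // must not be trusted; true here only means a signature is present to check.
  const hasSignature = parts[2].length > 0 && header.alg !== "none";
  return { header, claims, hasSignature };
}

const t = decodeJWT(SAMPLE_TOKEN);
console.log(t.header.alg, t.claims.iss, t.hasSignature); // none https://jwt-idp.example.com false
console.log(JSON.parse("[1,2]"), parseSafeJSONObject("[1,2]")); // [ 1, 2 ] null
```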
