Decoding a Secured Token

[naphtul]

Hello,

I am trying to implement version 3.0.2.
This line:

jose/src/jwt/unsecured.ts

Line 86 in 2276f5a

if (length !== 3 || signature !== '') {

is creating a chicken and egg situation for me, as my token has a signature.
I used to decode the secured token first, get its type (id or access) and then verify it accordingly (with id token I would also verify the audience).

Maybe my approach was wrong to begin with.
Your advice is appreciated.

Thank you!
Naphtali

[panva]

Hi @naphtul

as my token has a signature

Then it is not an Unsecured JWT, in which case, it's not intended to be decoded by this particular API.

In v3.x i intentionally left out the affordance to decode arbitrary signed token for a number of reasons

1. it has been the reason for a number of complaints in other security tokens oriented repositories
2. i don't believe it's that complex to implement, e.g.

import { decode } from 'jose/util/base64url'

const textDecoder = new TextDecoder()

JSON.parse(textDecoder.decode(decode(jwt.split('.')[1])))

Putting the above aside.

I used to decode the secured token first, get its type (id or access) and then verify it accordingly (with id token I would also verify the audience).

Now this is protocol/application specific, but each of those token types has their uses and you arguably know upfront which one is expected in a particular context, context is what gives you the means to verify without needing to look into its contents first.

[naphtul]

Thank you!