In RFC 7519 Appendix A.2, the example of a nested JWT takes just the JWS Compact Serialization form (without enclosing in quotes) as the plaintext/message for the JWE. I think that in general, JWS-in-JWE does not need to wrap the JWS in quotes / turn it into a JSON string prior to running the JWE.
The Myinfo v3 spec (v3.2.6) is silent about this detail but the code sample does have an extra JSON parse step as myinfo-gov-client is doing, so that implies that it's required as a Myinfo-specific JWS-in-JWE implementation detail.
Thanks for the reference to the RFC and MyInfo specs.
It seems that the wrapping in quotes was a result of the `JSON.stringify(signedPersona)` inside `encryptPersona` of MockPass v4.0.7 which used `node-jose`, e.g. `JSON.stringify('eyJhbGc') => '"eyJhbGc"'`.
Tried removing the `JSON.stringify()` in MockPass v4.0.7 and it yielded the same error as in MockPass v4.3.4 which uses `jose`. For now, have overridden `_decryptJWE()` of MyInfoGovClient in my Demo App to cater for both scenarios.
Describe the bug

I am currently working on using MockPass with MyInfo Gov Client in my Demo App.

When calling the `/person` endpoint for MyInfo Personal in MockPass, the JWE from the response cannot be decrypted by MyInfoGovClient, namely `_decryptJWE()` in https://github.com/opengovsg/myinfo-gov-client/blob/v4.1.2/src/MyInfoGovClient.class.ts, as it assumes the payload is wrapped in quotes and attempts `JSON.parse()`. Traced it to the payload not being wrapped in quotes, due to the switch from the `node-jose` to the `jose` package in MockPass.

To Reproduce

Steps to reproduce the behavior:

1. Use the following function to decrypt the JWE (adapted from `_decryptJWE()` in https://github.com/opengovsg/myinfo-gov-client/blob/v4.1.2/src/MyInfoGovClient.class.ts):
2. Use the above function to decrypt the JWE returned by `encryptPersona()` in v4.3.4 of MockPass, i.e. https://github.com/opengovsg/mockpass/blob/v4.3.4/lib/express/myinfo/controllers.js, and an error will occur.
3. Use the above function to decrypt the JWE returned by `encryptPersona()` in v4.0.7 of MockPass, i.e. https://github.com/opengovsg/mockpass/blob/v4.0.7/lib/express/myinfo/controllers.js, and the original persona will be returned.

Expected behavior
While this is definitely breaking backwards compatibility, I'm not sure whether the payload is supposed to be wrapped in quotes in the 1st place.