fenix-hub / godot-engine.jwt

JSON Web Token library for Godot Engine written in GDScript

Home Page: https://nicolosantilio.com/godot-engine.jwt

License: MIT License

GDScript 100.00%
gdscript godotengine hmac http jwt oauth2 security

godot-engine.jwt's Introduction

Godot Engine GDScript JWT

JSON Web Token library for Godot Engine written in GDScript

Godot 3.x - Godot 4.x

Create HS256 JWT

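# RFC 7518 requires an HS256 key of at least 256 bits; use a longer secret outside of demos.
var secret: String = JWTAlgorithmBuilder.random_secret(5)
var jwt_algorithm: JWTAlgorithm = JWTAlgorithmBuilder.HS256(secret)
# exp is set to the current time here; add the token lifetime in seconds for real use.
var jwt_builder: JWTBuilder = JWT.create() \
    .with_expires_at(OS.get_unix_time()) \
    .with_issuer("Godot") \
    .with_claim("id","someid")
var jwt: String = jwt_builder.sign(jwt_algorithm)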

Verify HS256 JWT

var jwt: String = "<a jwt>"
var secret: String = "<your secret token>"
var jwt_algorithm: JWTAlgorithm = JWTAlgorithmBuilder.HS256(secret)
var jwt_verifier: JWTVerifier = JWT.require(jwt_algorithm) \
    .with_claim("my-claim","my-value") \
    .build() # Reusable Verifier
if jwt_verifier.verify(jwt) == JWTVerifier.JWTExceptions.OK :
	print("Verified!")
else:
	print(jwt_verifier.exception)

Create RS256 JWT

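var crypto: Crypto = Crypto.new()
var private_key: CryptoKey = crypto.generate_rsa(4096)
var public_key: CryptoKey = CryptoKey.new()
# Export only the public half (save_to_string(true)) and load it as a public key
public_key.load_from_string(private_key.save_to_string(true), true)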

var jwt_algorithm: JWTAlgorithm = JWTAlgorithmBuilder.RS256(public_key, private_key)
var jwt_builder: JWTBuilder = JWT.create() \
    .with_expires_at(OS.get_unix_time()) \
    .with_issuer("Godot") \
    .with_claim("id","someid")
var jwt: String = jwt_builder.sign(jwt_algorithm)

Verify RS256 JWT

var private_key: CryptoKey = CryptoKey.new()
var public_key: CryptoKey = CryptoKey.new()
private_key.load_from_string("<your private key PEM string>", false)
public_key.load_from_string("<your public key PEM string>", true)

var jwt: String = "<a jwt>"
# Only public_key is passed to RS256() for verification; private_key above is not used here
var jwt_algorithm: JWTAlgorithm = JWTAlgorithmBuilder.RS256(public_key)
var jwt_verifier: JWTVerifier = JWT.require(jwt_algorithm) \
    .with_claim("id","someid") \
    .build() # Reusable Verifier
if jwt_verifier.verify(jwt) == JWTVerifier.JWTExceptions.OK :
	print("Verified!")
else:
	print(jwt_verifier.exception)

Decode JWT

var jwt: String = "<a jwt>"
var jwt_decoder: JWTDecoder = JWT.decode(jwt)
# Get the JWT as an Array
print("%s.%s.%s" % jwt_decoder.parts)
# Decode a specific part
print(JWTUtils.base64URL_decode(jwt_decoder.get_payload()))

JWT Utils

JWTUtils.base64URL_encode(bytes: PoolByteArray) -> String
JWTUtils.base64URL_decode(string: String) -> PoolByteArray

Supported Algorithms

  • HS1 (HMAC with SHA1)
  • HS256 (HMAC with SHA256)
  • RS256 (RSA with SHA256)


godot-engine.jwt's Issues

Invalid set index 'parts'

I am getting the error Invalid set index 'parts' pointing to this line.

self.parts = jwt.split(".")

It appears that the parts variable was perhaps renamed to _parts but the usages were not updated?

EDIT: It looks to me like a lot of variables were renamed without their usage updated. It might be good to perform a test run on this code once before merging PRs? 😅

P.S. I made a PR that gets it working again. Hope this helps, and again, thank you for all of the excellent work going on here!

Verify JWT using JWKS key

Feature request

I'm writing an app that uses OAuth 2.0 for user login, and I'd like to verify the JWT tokens returned by the authentication server, but there doesn't seem to be a way to validate signatures using JWKS... am I missing something?

Variables shadow already-declared variables

Bug report

There are a number of function parameter names that shadow already-declared variable names, e.g.

W 0:03:38:0605   The local function parameter "leeway" is shadowing an already-declared variable at line 6.
  <GDScript Error>SHADOWED_VARIABLE
  <GDScript Source>JWTVerifierBuilder.gd:36

This isn't a bug per se, but it can "lead to confusion, as it may be unclear which variable subsequent uses of the shadowed variable name refer to..."

PR forthcoming

Unable to verify audience with multiple audiences.

Bug report

Unable to verify the aud claim.

Describe the bug

In a JWT, the aud claim is an array.

JWT creation using JWTBaseBuilder treats the array as a PackedStringArray

func with_audience(audience: PackedStringArray) -> JWTBaseBuilder:

So does JWTVerifierBuilder:

func with_any_of_audience(audience: PackedStringArray) -> JWTVerifierBuilder:

However, the _parse_json function in JWTDecoder will treat incoming aud claims as Array. This makes verification impossible because of an error in assert_claim_values:

Invalid operands 'Array' and 'PackedStringArray' in operator '=='.

To Reproduce

# This stuff needs to be configured
var alg : JWTAlgorithm
var jwt : String

var jwt_verifier: JWTVerifier = JWT.require(alg) \
    .with_audience(["expected audience"]) \
    .build()

if jwt_verifier.verify(jwt) != JWTVerifier.JWTExceptions.OK :
    print(jwt_verifier.exception)

Expected behavior

Expectation is that the verification either succeeds or fails.

System information

  • OS: macOS

Invalid type in JWTDecoder function parse

In JWTDecoder.gd:

func _init(jwt: String):
	self.parts = jwt.split(".")
	var header: PoolByteArray = JWTUtils.base64URL_decode(self.parts[0])
	var payload: PoolByteArray = JWTUtils.base64URL_decode(self.parts[1])
	self.header_claims = _parse_json(header)
	self.payload_claims = _parse_json(payload)

func _parse_json(field) -> Dictionary:
	var parse_result: JSONParseResult = JSON.parse(field)
	if parse_result.error != OK:
		return {}
	return parse_result.result

JSON.parse(field): field should be a String according to the Godot docs, but here a PoolByteArray is passed instead.

Unable to verify using `with_any_of_issuers`

Bug report

Describe the bug

The JWTVerifier::verify_claims_values function has the following block for verifying issuers, and does not take into account that the expected claim could be a PackedStringArray of issuers where only one must match.

JWTClaims.Public.ISSUER:
	if not jwt_decoder.get_issuer() == expected_claims.get(claim):
		self.exception = "The Claim 'iss' value doesn't match the required issuer."
		return false

To Reproduce

	var jwt_verifier: JWTVerifier = (
		JWT
		. require(<an algorithm>)
		. with_any_of_issuers(["issuer a", "issuer b"])
		. build()
	)

	if jwt_verifier.verify(<a jwt>) != JWTVerifier.JWTExceptions.OK:
		print(jwt_verifier.exception)
		return false

This will crash with Invalid operands 'String' and 'PackedStringArray' in operator '==' because the iss claim in the JWT is actually a string, but even if that gets fixed the == comparison will require all issuers specified, not any issuer specified.
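Both claim-matching reports above (`aud` decoded as an `Array` but compared with a `PackedStringArray`, and `iss` compared against the whole issuer list with `==`) come down to the same check: normalise the decoded value, then test membership in the allow-list. The following is an added example for Godot 4.x, not code from godot-engine.jwt; `normalize_claim` and `claim_matches_any` are hypothetical helper names and the payloads are constructed.

```gdscript
# Added example (Godot 4.x), not code from godot-engine.jwt.
# normalize_claim() and claim_matches_any() are hypothetical helper names.
extends SceneTree

# Flatten a decoded claim value into an Array of Strings.
# JSON parsing yields a String for "iss" and a String or an Array for "aud";
# the builders pass a PackedStringArray. Any other type yields [].
static func normalize_claim(value: Variant) -> Array:
	var out: Array = []
	if value is String:
		out.append(value)
	elif value is Array or value is PackedStringArray:
		for item in value:
			if item is String:
				out.append(item)
	return out

# "Any of" semantics: accept when at least one presented value is allowed.
static func claim_matches_any(actual: Variant, allowed: PackedStringArray) -> bool:
	if allowed.is_empty():
		return false # an empty allow-list never accepts a token
	for value in normalize_claim(actual):
		if allowed.has(value):
			return true
	return false

func _init() -> void:
	var issuers := PackedStringArray(["issuer a", "issuer b"])
	var audiences := PackedStringArray(["expected audience"])
	# Constructed payloads, parsed the way a decoder would parse the JWT body.
	var accepted: Dictionary = JSON.parse_string(
		'{"iss": "issuer b", "aud": ["other service", "expected audience"]}')
	var rejected: Dictionary = JSON.parse_string(
		'{"iss": "issuer c", "aud": "someone else"}')
	for payload in [accepted, rejected, {}]:
		var iss_ok := claim_matches_any(payload.get("iss"), issuers)
		var aud_ok := claim_matches_any(payload.get("aud"), audiences)
		print("payload=%s iss_ok=%s aud_ok=%s" % [payload, iss_ok, aud_ok])
	quit()
```

Saved as a standalone script, it runs with `godot --headless -s <file>.gd`; a missing claim normalises to an empty list and is rejected rather than raising a type error.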

Can't verify token - "The provided Algorithm doesn't match the one used to sign the JWT." [godot 4]

Hello, I followed the readme's instructions on creating HS256 token and created these functions:

static func dict_to_jwt(data: Dictionary = {}) -> String:
	var secret: String = JWTAlgorithmBuilder.random_secret()
	var jwt_algorithm: JWTAlgorithm = JWTAlgorithmBuilder.HS256(secret)
	var jwt_builder: JWTBuilder = JWT.create() \
	.with_expires_at(Time.get_unix_time_from_system()) \
	.with_issuer("Godot") \
	.with_payload(data)
	var jwt: String = jwt_builder.sign(jwt_algorithm)
	return jwt

static func verify_jwt(jwt: String, secret: String) -> bool:
	var jwt_algorithm: JWTAlgorithm = JWTAlgorithmBuilder.HS256(secret)
	var jwt_verifier: JWTVerifier = JWT.require(jwt_algorithm) \
		.build() # Reusable Verifier
	var is_valid = jwt_verifier.verify(jwt) == JWTVerifier.JWTExceptions.OK
	if !is_valid:
		print(jwt_verifier.exception)
	return is_valid

But I get an error in verify_jwt saying The provided Algorithm doesn't match the one used to sign the JWT.
even though I used the same algorithm
Godot version: v4.1.3.stable.official [f06b6836a]
I used the code from the main godot 4 branch

Verify RS256 JWT signature without private key

Many tools online only require the public key to verify the JWT signature
example: https://developer.pingidentity.com/en/tools/jwt-decoder.html

In the documentation section of this addon to Verify RS256 JWT:

var private_key: CryptoKey = CryptoKey.new()
var public_key: CryptoKey = CryptoKey.new()
private_key.load_from_string("<your private key PEM string>", false)
public_key.load_from_string("<your public key PEM string>", true)

var jwt: String = "<a jwt>"
var jwt_algorithm: JWTAlgorithm = JWTAlgorithmBuilder.RS256(public_key)
var jwt_verifier: JWTVerifier = JWT.require(jwt_algorithm) \
    .with_claim("id","someid") \
    .build() # Reusable Verifier
if jwt_verifier.verify(jwt) == JWTVerifier.JWTExceptions.OK :
	print("Verified!")
else:
	print(jwt_verifier.exception)

How can I skip verifying the algorithm here JWT.require(jwt_algorithm) ? I only need to verify the signature and claims.
