
Fix bug when sign JWT on Android platform #193

Closed. laurentyhuel wants to merge 2 commits.

Conversation

@laurentyhuel commented Aug 10, 2017

Fix bug #131, #191, #185: cannot sign JWT on Android platform.
I chose reflection to check if the code is executed on the Android platform. Why:

  1. Because there is no need to embed a new library, for instance:
    dependencies {
    compileOnly "com.google.android:android:4.1.1.4"
    }
  2. Because it seems the more secure way to check if the code is executed on the Android platform.
    It's also possible to get the platform with System.getProperty(): https://stackoverflow.com/questions/4519556/how-to-determine-if-my-app-is-running-on-android
    but the result could differ depending on OS version, manufacturer, ...

@lbalmaceda (Contributor)

Ughh!
Thanks for the PR. Personally, I don't like the use of reflection as it's too hacky and may break without us noticing. In addition, I don't think those 3 issues you mention are "bugs" because we decided up-front that this library was meant to be used in Java-only environments, leaving aside Android, which has its own decode library here. As mentioned in one of the issues, there's no need for you to sign or even verify a token from the Android client side. You should trust your server and its implementation. What's your use case?

@laurentyhuel (Author)

Our use case:
On an Android device, we receive an OAuth token from a few 3rd-party OAuth servers (partners).
Android creates a JWT with this OAuth token and other properties.
Android calls our server with the JWT.
Our server gets the OAuth token from the JWT.
Our server checks the OAuth token against the 3rd-party OAuth servers (partners).

So yes, you need to sign a JWT on Android (it's not just for fun).

I agree with you that reflection is not sexy, but in this case it seems to be the more robust way to do it.

I could add unit tests to cover this part.

@lbalmaceda (Contributor)

There's no way to keep the secret/private_key secure in Android (anyone can see/modify it) so what's the point in signing the JWT? Ok, you could make the server use the public_key (in the case of HMAC) to verify the incoming signature, but even then anyone can sign tokens with your private_key as you're keeping it on the device, meaning your server would trust anything blindfolded. The tokens must always be signed on the server.
If you just want to use a JWT to wrap all the third-party tokens then that's just a JSON, the same as doing a post with a JSON body to your server with each token in a property or even an array of tokens.
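The maintainer's objection, and the use case it answers, made concrete as an added example that is not part of this thread and not java-jwt's code: a stdlib-only HS256 sign/verify pair (constructed here, not the library's API) runs the flow the PR author describes (device wraps the partner OAuth token in a JWT, server verifies it and pulls the token out), then shows that the same key, once read out of the APK, mints tokens the server accepts, while a token the server signs with a key it keeps to itself cannot be produced from the app side. All keys, token strings and claim names are made up.

```python
"""Why a JWT signed on the device proves nothing when the key ships with the app.

Stdlib-only HS256 sign/verify, constructed for this example (not java-jwt's API).
Every key, token and claim value below is made up.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key. In the PR author's design this value lives inside the APK,
# so anyone who unpacks the app can read it.
APP_SECRET = b"hs256-key-baked-into-the-apk"
# Constructed key that never leaves the server process.
SERVER_SECRET = b"hs256-key-known-only-to-the-server"
# Constructed stand-in for what a partner OAuth server handed the device.
PARTNER_TOKEN = "partner-oauth-token-constructed"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS: b64url(header).b64url(payload).b64url(HMAC-SHA256 over both)."""
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json(claims))
    tag = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(tag)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the tag verifies under `key`, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm: the verifier decides, never the token's header.
        hdr = json.loads(_b64url_decode(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong part count, bad base64, bad JSON or UTF-8
        return None
    return claims if isinstance(claims, dict) else None


# The PR author's use case, as described in the thread.
def android_client_wraps_token(user: str, partner_token: str) -> str:
    """Legitimate app: put the partner OAuth token and other properties in a JWT."""
    return sign_hs256({"sub": user, "partner": "partner-a", "partner_token": partner_token}, APP_SECRET)


def server_reads_partner_token(jwt: str) -> Optional[str]:
    """Server: check the app's signature, then pull the partner token out."""
    claims = verify_hs256(jwt, APP_SECRET)
    return claims.get("partner_token") if claims else None


# The maintainer's objection, made concrete.
def attacker_forges(extracted_key: bytes, victim: str) -> str:
    """Whoever pulled the key out of the APK can mint any claims they like."""
    return sign_hs256({"sub": victim, "partner": "partner-a", "partner_token": "whatever-i-like"}, extracted_key)


def tamper_subject(jwt: str, new_sub: str) -> str:
    """Edit a claim without re-signing: the one case the HMAC does catch."""
    header, payload, sig = jwt.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["sub"] = new_sub
    return f"{header}.{_b64url(_json(claims))}.{sig}"


# The alternative the maintainer points at: sign on the server.
def server_issues_session(user: str) -> str:
    """After the server itself validated the partner token, it signs with its own key."""
    return sign_hs256({"sub": user, "scope": "app"}, SERVER_SECRET)


def server_accepts_session(jwt: str) -> Optional[str]:
    claims = verify_hs256(jwt, SERVER_SECRET)
    return claims.get("sub") if claims else None


def demo() -> dict:
    genuine = android_client_wraps_token("alice", PARTNER_TOKEN)
    forged = attacker_forges(APP_SECRET, "alice")
    tampered = tamper_subject(genuine, "mallory")
    forged_session = sign_hs256({"sub": "alice", "scope": "app"}, APP_SECRET)
    return {
        "genuine_accepted": server_reads_partner_token(genuine) == PARTNER_TOKEN,
        "tampered_rejected": server_reads_partner_token(tampered) is None,
        # the key from the APK is all an attacker needs
        "forged_accepted": server_reads_partner_token(forged) == "whatever-i-like",
        # a server-signed token cannot be produced with the app-side key
        "forged_session_rejected": server_accepts_session(forged_session) is None,
        "server_session_accepted": server_accepts_session(server_issues_session("alice")) == "alice",
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

All five checks come out True. The only thing the device-side signature buys is the tampered_rejected line, which TLS already gives you for a plain JSON body in transit; the forged_accepted line is the maintainer's point, since the server has no way to tell a token minted by the app from one minted by whoever unpacked it.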

@lbalmaceda closed this Oct 17, 2017