nearform / fast-jwt

Fast JSON Web Token implementation

Home Page:https://nearform.github.io/fast-jwt/


requiredClaims: Not all claims are checked

kieranm opened this issue · comments

Hey all,

From the docs:

requiredClaims: An array of strings containing which claims should exist in the token. By default, no claim is marked as required.

We assumed that all claims would be checked, including custom ones, but it seems that only a fixed subset are being validated. Any custom claims or standard claims not in the hardcoded list of claims (such as kid) do not appear to be validated.

Personally, I think either the docs should be clarified or support for this implemented, as it's a potential security issue if people are assuming these extra claims are being checked when they aren't.

Thanks
Kieran

Thanks for reporting this. I see what you mean, we only check the required claims against a static list of validators, so if you provide any required claims that are not in that list (e.g. custom claims) they won't be checked. Would you be interested in submitting a PR for this?

We could have a go - would you be able to send a few bullet points with guidance on how you would approach it? Thanks

Sure thing. You can see that the array of validators of claims is composed here. Then you can see that the required claims are checked here, but only in the scope of each specific validator, meaning that if you're asking to check a claim which is not among those supported by the validators, it will never be checked. I'm not sure to be honest if this was the intended logic, but I can understand that it can be misleading.

🎉 This issue has been resolved in version 4.0.0 🎉

The release is available on:

Your optic bot 📦🚀