fix: accept non-string values in Header extras#496
Closed
kp-timo-beyel wants to merge 1 commit into
Closed
Conversation
…ing, serde_json::Value> The `extras` field on `Header` used `HashMap<String, String>`, which caused `decode_header` and `decode` to fail when the JWT header contained non-string values (e.g. `"uid": 180444`). Since JOSE headers can legitimately carry arbitrary JSON values in custom fields, this changes the type to `HashMap<String, serde_json::Value>` so that integers, booleans, arrays, and objects are accepted. This is a breaking change for consumers that read from `Header.extras` directly — they now receive `serde_json::Value` instead of `String`. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
kageiit
added a commit
to gitarcode/clerk-rs
that referenced
this pull request
May 12, 2026
Clerk recently started adding `cat` (string) and `oiat` (integer) fields to JWT headers. jsonwebtoken v10's Header.extras uses HashMap<String, String> which rejects non-string values, causing all JWT validation to fail with deserialization errors. Fix: use gitarcode/jsonwebtoken fork with HashMap<String, serde_json::Value> for extras (upstream PR Keats/jsonwebtoken#496). Also cherry-picks upstream clerk-rs PR DarrenBaldwin07#282 (jsonwebtoken 10) and PR DarrenBaldwin07#280 (nbf optional).
kageiit
added a commit
to gitarcode/clerk-rs
that referenced
this pull request
May 12, 2026
Clerk recently started adding `cat` (string) and `oiat` (integer) fields to JWT headers. jsonwebtoken v10's Header.extras uses HashMap<String, String> which rejects non-string values, causing all JWT validation to fail with deserialization errors. Fix: use gitarcode/jsonwebtoken fork with HashMap<String, serde_json::Value> for extras (upstream PR Keats/jsonwebtoken#496). Also cherry-picks upstream clerk-rs PR DarrenBaldwin07#282 (jsonwebtoken 10) and PR DarrenBaldwin07#280 (nbf optional). Co-authored-by: Gautam Korlam <gautam@gitar.ai>
4 tasks
Collaborator
|
Done in #512 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Header.extrasfromHashMap<String, String>toHashMap<String, serde_json::Value>decode_header/decodenow accept JWT headers with non-string custom fields (e.g."uid": 180444)Problem
When a JWT header contains a non-standard field with a non-string value such as:
{"typ": "JWT", "alg": "RS256", "kid": "...", "uid": 180444}decode_headerfails with a deserialization error because serde cannot coerce the integer180444into aStringfor the#[serde(flatten)] pub extras: HashMap<String, String>field.JOSE headers can legitimately carry arbitrary JSON values in custom fields, so the
extrasmap should accept any JSON value.Fix
Change the type of
Header.extrasfromHashMap<String, String>toHashMap<String, serde_json::Value>.Breaking change
Consumers that read from
Header.extrasdirectly now receiveserde_json::Valueinstead ofString. For string extras,.as_str().unwrap()(or pattern matching) is needed:Test plan
decode_token_with_non_string_extra_headerverifies integer header values are accepted