In version 3.1.0 System.OverflowException is thrown if kid header is set to long

[isenmann]

Since version 3.1.0 an OverflowException is thrown because the kid header is set to a long value. In version 3.0.0 this works. The exception is the following:

at System.Convert.ThrowInt32OverflowException()
at System.Convert.ToInt32(Int64 value)
at Jose.NestedDictionariesConverter.ReadJson(JsonReader reader, Type objectType, Object existingValue, JsonSerializer serializer)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.DeserializeConvertable(JsonConverter converter, JsonReader reader, Type objectType, Object existingValue)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateDictionary(IDictionary dictionary, JsonReader reader, JsonDictionaryContract contract, JsonProperty containerProperty, String id)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Populate(JsonReader reader, Object target)
at Newtonsoft.Json.Converters.CustomCreationConverter`1.ReadJson(JsonReader reader, Type objectType, Object existingValue, JsonSerializer serializer)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.DeserializeConvertable(JsonConverter converter, JsonReader reader, Type objectType, Object existingValue)
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
at Newtonsoft.Json.JsonConvert.DeserializeObject[T](String value, JsonConverter[] converters)
at Jose.JWT.Headers(String token, JwtSettings settings)

Our token is generated like this:

var privateKey = _decryptionService.GetPrivateKey();
var headers = new Dictionary<string, object>
{
     {"typ", "JWT"},
     {"kid", id}      // **THIS id IS A LONG VALUE**
};
var payload = new Dictionary<string, object>
{
     {"sub", id},    // **THIS id IS A LONG VALUE**
     {"iss", "JustAName"},
     {"iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds() },
     {"exp", DateTimeOffset.UtcNow.AddMinutes(30).ToUnixTimeSeconds() }
};

using (var rsa = RSA.Create())
{
     rsa.FromXml(privateKey);
     token = JWT.Encode(payload, rsa, JwsAlgorithm.RS256, headers);
}

According to the changes to NewtonSoftMapper.cs the value is converted to Int32 here and we didn't find any restriction in the RFC that the kid header is limited to Int32.

Do we miss something here?

Thanks for any information.

Cheers
Daniel

[isenmann]

Just as an additional information, the exception is thrown if we try to read the headers from the token with
var headers = JWT.Headers(token);
and not at the JWT.Encode call.

Maybe that wasn't completely clear from the above code and description.

[dvsekhvalnov]

Thanks @isenmann , i'll take a look. Seems newtonsoft changes broke some things.

[dvsekhvalnov]

@isenmann fix 31ca217

i'll publish v3.1.1 as soon as i fix another newtonsoft related defect.

[dvsekhvalnov]

@isenmann , please find it on nuget https://www.nuget.org/packages/jose-jwt/3.1.1
(or https://github.com/dvsekhvalnov/jose-jwt/releases/tag/v3.1.1)

Would appreciate if you can try it and come back with feedback so we can close issue.

Also i'd probably try to get rid of newtonsoft in v3.2 in favor of System.Text.Json (aka #130) for netcore 3+. May be something to watch out for.

[isenmann]

Thanks for the new version, I will try it and give you feedback as soon as possible....
Looking forward to the change to System.Text.Json!

[isenmann]

My integration tests work without any problem, so your fix resolved the issue. Thanks for the fast fix and keep up the good work!