JSON parser for JWT header too restrictive

[chschu]

When decoding the JWT header, the input is converted Map<String, String> using string operations. This simple parser fails with an ArrayIndexOutOfBoundsException if the header value contains a comma.

The JWT header parser should be able to handle any JSON object, even if most of the fields are ignored for verification.

[dsyer]

How would a comma arrive in a JWT header? If we have a realistic idea of the scope we can prioritize this a bit better.

[chschu]

In my case it was a private claim (RFC 7519, Section 4.3) containing a list of roles. I would have preferred to use a JSON array of strings for that, but that didn't work. So I tried a single comma-separated string, which failed with the exception mentioned above. I finally worked around the issue using a different separator character.

RFC 7519 doesn't put any restrictions on private claim values. There are some type constraints on the registered claims (Section 4.1), but even they may contain commas.