SignatureAlgorithm does not support the EdDSA algorithm, so I cannot use JwkSetUriJwtDecoderBuilder to create a NimbusJwtDecoder instance.
Comment From: jgrandja
@changqing98 The EdDSA algorithm is not specified as a supported algorithm in the JSON Web Algorithms (JWA) spec.
Can you let me know which provider you are using?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
Comment From: justincranford
+1
Please reopen and add EdDSA support.
Comment From: justincranford
JWS RFC was published before EdDSA. That is why EdDSA is missing in RFC 7518.
May 2015 https://www.rfc-editor.org/rfc/rfc7519 JSON Web Token (JWT)
May 2015 https://www.rfc-editor.org/rfc/rfc7518 JSON Web Algorithms (JWA)
January 2017 https://www.rfc-editor.org/rfc/rfc8032 Edwards-Curve Digital Signature Algorithm (EdDSA)
EdDSA is an approved signature algorithm in standards like NIST FIPS 140, same as RSA and EC signatures. EdDSA is an improvement over EC. If and when the JWA RFC is updated, EdDSA will be added.
October 2019 https://csrc.nist.gov/publications/detail/fips/186/5/archive/2019-10-31 FIPS 186-5 draft
February 2023 https://csrc.nist.gov/publications/detail/fips/186/5/final FIPS 186-5 final
Nimbus Jose+JWT includes EdDSA support. https://connect2id.com/products/nimbus-jose-jwt/examples/jwt-with-eddsa https://www.javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/6.0/src-html/com/nimbusds/jose/JWSAlgorithm.html#line.188
August 2017 https://github.com/felx/nimbus-jose-jwt/blob/master/CHANGELOG.txt EdDSA added in 5.0 (2017-08-24)
Spring Security uses Nimbus Jose+JWT, but uses its own JWSAlgorithms class instead of the one included in Nimbus JOSE-JWT. Please consider adding EdDSA support to Spring Security for use in JWT signatures.
Comment From: fletchgqc
https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
alg="EdDSA"
I agree that this should be included.
Throughout the code, there are various checks like this:
if (jwsAlgorithm instanceof SignatureAlgorithm) {
and SignatureAlgorithm is an enum which only includes a limited selection of algorithms. To work around this, you have to create your own implementation of a bunch of Spring stuff, which my colleague did, but I don't like writing my own security code, so I don't want to use that. It would be nice if Spring Security covered it.
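The workaround both commenters allude to, shown as an added example rather than code from this thread or from Spring Security itself: instead of going through JwkSetUriJwtDecoderBuilder (whose key selector is built around Spring's SignatureAlgorithm enum), construct a Nimbus DefaultJWTProcessor that selects verification keys for Nimbus's own JWSAlgorithm.EdDSA and hand it to the public NimbusJwtDecoder(JWTProcessor) constructor. The example generates an Ed25519 key pair in memory and uses an ImmutableJWKSet as the JWKSource so it runs offline; in a real deployment the JWKSource would point at the provider's JWK Set URL. The key ID "ed25519-demo", the issuer URL and the subject are constructed values. Assumptions: nimbus-jose-jwt at a version with EdDSA support (5.0 or later, per the CHANGELOG cited above) plus its optional Tink dependency, which Ed25519Signer and Ed25519Verifier require, and a spring-security-oauth2-jose version that exposes the NimbusJwtDecoder(JWTProcessor) constructor.

```java
import java.util.Date;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.Ed25519Signer;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.OctetKeyPair;
import com.nimbusds.jose.jwk.gen.OctetKeyPairGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

public class EdDsaJwtDecoderExample {

    // Builds a Spring Security JwtDecoder that verifies Ed25519 ("EdDSA") signatures.
    // The JWS algorithm is expressed with Nimbus's JWSAlgorithm.EdDSA, so Spring's
    // SignatureAlgorithm enum (which lacks EdDSA) is never consulted.
    static NimbusJwtDecoder edDsaDecoder(JWKSource<SecurityContext> jwkSource) {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        // Only tokens whose header says alg=EdDSA are accepted; the matching public key is
        // looked up in the JWKSource (here an in-memory set, normally the provider's JWK Set URL).
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.EdDSA, jwkSource));
        // NimbusJwtDecoder applies its default timestamp validation on top of the processor.
        return new NimbusJwtDecoder(processor);
    }

    // Issues a short-lived token signed with the given Ed25519 private key (constructed claims).
    static String signedToken(OctetKeyPair signingKey) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("alice")
                .issuer("https://issuer.example")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .build();
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.EdDSA).keyID(signingKey.getKeyID()).build(),
                claims);
        jwt.sign(new Ed25519Signer(signingKey));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair; the key ID is a placeholder.
        OctetKeyPair keyPair = new OctetKeyPairGenerator(Curve.Ed25519).keyID("ed25519-demo").generate();
        // Only the public half is published to the verifier, as a JWK Set would be.
        JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(new JWKSet(keyPair.toPublicJWK()));
        NimbusJwtDecoder decoder = edDsaDecoder(jwkSource);

        Jwt jwt = decoder.decode(signedToken(keyPair));
        System.out.println("accepted token for subject " + jwt.getSubject());

        // Negative check: a token signed with a different Ed25519 key that reuses the same
        // key ID must be rejected, since the published public key does not verify it.
        OctetKeyPair otherKey = new OctetKeyPairGenerator(Curve.Ed25519).keyID("ed25519-demo").generate();
        try {
            decoder.decode(signedToken(otherKey));
            System.out.println("unexpected: token signed with the wrong key was accepted");
        } catch (JwtException expected) {
            System.out.println("token signed with the wrong key rejected: " + expected.getMessage());
        }
    }
}
```

Because the algorithm is pinned in the JWSVerificationKeySelector, a token presenting RS256 or ES256 in its header is rejected before any key lookup, which keeps the decoder's accepted-algorithm set as explicit as the builder-based configuration would make it.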