jwt 2.10.1 → 3.0.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dcc16f3a25f01facd96faaf83722fd6d45e2a2fa80539e68727cee1a6df71cc1
-  data.tar.gz: 241e7ef393bd3c40356e730466e32d45bc63f0d4e9983d2c40c7bef2424334fa
+  metadata.gz: 30b9373b7591af7e5e8ba0f049a2d41bc87afe0ea21462bd011f9558ec45e892
+  data.tar.gz: d5e77784a5eda9bae03f7bed74dabcfa81db1720057f742787c723d679d1005c
 SHA512:
-  metadata.gz: dffc0046d44c6a5d03538bbd9f0870da9142873ea5ffbb186ccfd339324d3e4c0c1f2e104c668f819047f54573717cd396b1bf8cb96a9a971cf02f6151100bfe
-  data.tar.gz: d86d34077d0fe9d760d72bd176262fafedcea294dada4e95f33b2a0bbeb9995f8e9e3f8d6225cff3cdd480d981dfa40da396683a662cdabc9410266fbde0709f
+  metadata.gz: eafdd62f2eb9c35d2a27bf0429a866dd6f54b56c2650c373185f1c3e53ce08e06d03e5d8baba934493ea615cc9b86038d93a634509e5d932fdcbc91d669310e9
+  data.tar.gz: 68b004a6d858e2bfb78ba41017b19ec37b0dbed43525f63b9a743111f6d2f26eb4aea7a61ff2d2774645c504021d34ee8296cf342f36af97c426e96690ec08d7

data/CHANGELOG.md

@@ -1,10 +1,39 @@
 # Changelog
 
+## [v3.0.0](https://github.com/jwt/ruby-jwt/tree/v3.0.0) (NEXT)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.10.1...main)
+
+**Breaking changes:**
+- Require token signature to be verified before accessing payload [#648](https://github.com/jwt/ruby-jwt/pull/648) ([@anakinj](https://github.com/anakinj))
+- Drop support for the HS512256 algorithm [#650](https://github.com/jwt/ruby-jwt/pull/650) ([@anakinj](https://github.com/anakinj))
+- Remove deprecated claim verification methods [#654](https://github.com/jwt/ruby-jwt/pull/654) ([@anakinj](https://github.com/anakinj))
+- Remove dependency to rbnacl [#655](https://github.com/jwt/ruby-jwt/pull/655) ([@anakinj](https://github.com/anakinj))
+- Support only stricter base64 decoding (RFC 4648) [#658](https://github.com/jwt/ruby-jwt/pull/658) ([@anakinj](https://github.com/anakinj))
+- Custom algorithms are required to include `JWT::JWA::SigningAlgorithm` [#660](https://github.com/jwt/ruby-jwt/pull/660) ([@anakinj](https://github.com/anakinj))
+- Require RSA keys to be at least 2048 bits [#661](https://github.com/jwt/ruby-jwt/pull/661) ([@anakinj](https://github.com/anakinj))
+- Base64 encode and decode the k value for HMAC JWKs [#662](https://github.com/jwt/ruby-jwt/pull/662) ([@anakinj](https://github.com/anakinj))
+
+Take a look at the [upgrade guide](UPGRADING.md) for more details.
+
+**Features:**
+- JWT::EncodedToken#verify! method that bundles signature and claim validation [#647](https://github.com/jwt/ruby-jwt/pull/647) ([@anakinj](https://github.com/anakinj))
+- Do not override the alg header if already given [#659](https://github.com/jwt/ruby-jwt/pull/659) ([@anakinj](https://github.com/anakinj))
+- Make `JWK::KeyFinder` compatible with `JWT::EncodedToken` [#663](https://github.com/jwt/ruby-jwt/pull/663) ([@anakinj](https://github.com/anakinj))
+- Your contribution here
+
+**Fixes and enhancements:**
+
+- Ruby 3.4 to CI matrix [#649](https://github.com/jwt/ruby-jwt/pull/649) ([@anakinj](https://github.com/anakinj))
+- Your contribution here
+
 ## [v2.10.1](https://github.com/jwt/ruby-jwt/tree/v2.10.1) (2024-12-26)
 
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.10.0...v2.10.1)
+
 **Fixes and enhancements:**
 
-- Make version constants public again [#646](https://github.com/jwt/ruby-jwt/pull/646) ([@anakinj]
+- Make version constants public again [#646](https://github.com/jwt/ruby-jwt/pull/646) ([@anakinj](https://github.com/anakinj))
 
 ## [v2.10.0](https://github.com/jwt/ruby-jwt/tree/v2.10.0) (2024-12-25)
 

data/README.md

@@ -14,25 +14,7 @@ See [CHANGELOG.md](CHANGELOG.md) for a complete set of changes.
 
 ## Upcoming breaking changes
 
-Notable changes in the upcoming **version 3.0**:
-
-- The indirect dependency to [rbnacl](https://github.com/RubyCrypto/rbnacl) will be removed:
-  - Support for the non-standard SHA512256 algorithm will be removed.
-  - Support for Ed25519 will be moved to a [separate gem](https://github.com/anakinj/jwt-eddsa) for better dependency handling.
-
-- Base64 decoding will no longer fallback on the looser RFC 2045.
-
-- Claim verification has been [split into separate classes](https://github.com/jwt/ruby-jwt/pull/605) and has [a new api](https://github.com/jwt/ruby-jwt/pull/626) and lead to the following deprecations:
-  - The `::JWT::ClaimsValidator` class will be removed in favor of the functionality provided by `::JWT::Claims`.
-  - The `::JWT::Claims::verify!` method will be removed in favor of `::JWT::Claims::verify_payload!`.
-  - The `::JWT::JWA.create` method will be removed.
-  - The `::JWT::Verify` class will be removed in favor of the functionality provided by `::JWT::Claims`.
-  - Calling `::JWT::Claims::Numeric.new` with a payload will be removed in favor of `::JWT::Claims::verify_payload!(payload, :numeric)`.
-  - Calling `::JWT::Claims::Numeric.verify!` with a payload will be removed in favor of `::JWT::Claims::verify_payload!(payload, :numeric)`.
-
-- The internal algorithms were [restructured](https://github.com/jwt/ruby-jwt/pull/607) to support extensions from separate libraries. The changes lead to a few deprecations and new requirements:
-  - The `sign` and `verify` static methods on all the algorithms (`::JWT::JWA`) will be removed.
-  - Custom algorithms are expected to include the `JWT::JWA::SigningAlgorithm` module.
+Check out breaking changes in the upcoming **version 3.0** from the [upgrade guide](UPGRADING.md)
 
 ## Sponsors
 
@@ -189,49 +171,18 @@ decoded_token = JWT.decode(token, ecdsa_key, true, { algorithm: 'ES256' })
 puts decoded_token
 ```
 
-### **EDDSA**
-
-In order to use this algorithm you need to add the `RbNaCl` gem to you `Gemfile`.
-
-```ruby
-gem 'rbnacl'
-```
-
-For more detailed installation instruction check the official [repository](https://github.com/RubyCrypto/rbnacl) on GitHub.
-
-* ED25519
-
-```ruby
-private_key = RbNaCl::Signatures::Ed25519::SigningKey.new('abcdefghijklmnopqrstuvwxyzABCDEF')
-public_key = private_key.verify_key
-token = JWT.encode payload, private_key, 'ED25519'
-
-# eyJhbGciOiJFRDI1NTE5In0.eyJkYXRhIjoidGVzdCJ9.6xIztXyOupskddGA_RvKU76V9b2dCQUYhoZEVFnRimJoPYIzZ2Fm47CWw8k2NTCNpgfAuxg9OXjaiVK7MvrbCQ
-puts token
+### **EdDSA**
 
-decoded_token = JWT.decode token, public_key, true, { algorithm: 'ED25519' }
-# Array
-# [
-#  {"test"=>"data"}, # payload
-#  {"alg"=>"ED25519"} # header
-# ]
-
-```
+This algorithm has since version 3.0 been moved to the [jwt-eddsa](https://rubygems.org/gems/jwt-eddsa) gem.
 
 ### **RSASSA-PSS**
 
-In order to use this algorithm you need to add the `openssl` gem to your `Gemfile` with a version greater or equal to `2.1`.
-
-```ruby
-gem 'openssl', '~> 2.1'
-```
-
 * PS256 - RSASSA-PSS using SHA-256 hash algorithm
 * PS384 - RSASSA-PSS using SHA-384 hash algorithm
 * PS512 - RSASSA-PSS using SHA-512 hash algorithm
 
 ```ruby
-rsa_private = OpenSSL::PKey::RSA.generate 2048
+rsa_private = OpenSSL::PKey::RSA.generate(2048)
 rsa_public = rsa_private.public_key
 
 token = JWT.encode(payload, rsa_private, 'PS256')
@@ -254,7 +205,7 @@ Ruby-jwt gem supports custom [header fields](https://tools.ietf.org/html/rfc7519
 To add custom header fields you need to pass `header_fields` parameter
 
 ```ruby
-token = JWT.encode(payload, key, algorithm='HS256', header_fields={})
+token = JWT.encode(payload, key, 'HS256', header_fields={})
 ```
 
 **Example:**
@@ -335,6 +286,45 @@ encoded_token.payload # => { 'exp'=>1234, 'jti'=>'1234", 'sub'=>'my-subject' }
 encoded_token.header # {'kid'=>'hmac', 'alg'=>'HS256'}
 ```
 
+The `JWT::EncodedToken#verify!` method can be used to verify signature and claim verification in one go. The `exp` claim is verified by default.
+
+```ruby
+encoded_token = JWT::EncodedToken.new(token.jwt)
+encoded_token.verify!(signature: {algorithm: 'HS256', key: "secret"})
+
+encoded_token.payload # => { 'exp'=>1234, 'jti'=>'1234", 'sub'=>'my-subject' }
+encoded_token.header # {'kid'=>'hmac', 'alg'=>'HS256'}
+```
+
+A keyfinder can be used to verify a signature. A keyfinder is an object responding to the `#call` method. The method expects to receive one argument, which is the token to be verified.
+
+An example on using the built-in JWK keyfinder:
+```ruby
+# Create and sign a token
+jwk = JWT::JWK.new(OpenSSL::PKey::RSA.generate(2048))
+token = JWT::Token.new(payload: { pay: 'load' }, header: { kid: jwk.kid })
+token.sign!(algorithm: 'RS256', key: jwk.signing_key)
+
+# Create keyfinder object, verify and decode token
+key_finder = JWT::JWK::KeyFinder.new(jwks: JWT::JWK::Set.new(jwk))
+encoded_token = JWT::EncodedToken.new(token.jwt)
+encoded_token.verify!(signature: { algorithm: 'RS256', key_finder: key_finder})
+encoded_token.payload # => { 'pay' => 'load' }
+```
+
+Using a custom keyfinder proc:
+```ruby
+# Create and sign a token
+key = OpenSSL::PKey::RSA.generate(2048)
+token = JWT::Token.new(payload: { pay: 'load' })
+token.sign!(algorithm: 'RS256', key: key)
+
+# Verify and decode token
+encoded_token = JWT::EncodedToken.new(token.jwt)
+encoded_token.verify!(signature: { algorithm: 'RS256', key_finder: ->(_token){ key.public_key }})
+encoded_token.payload # => { 'pay' => 'load' }
+```
+
 ### Detached payload
 
 The `::JWT::Token#detach_payload!` method can be use to detach the payload from the JWT.

data/UPGRADING.md

@@ -0,0 +1,46 @@
+# Upgrading ruby-jwt to >= 3.0.0
+
+## Removal of the indirect [RbNaCl](https://github.com/RubyCrypto/rbnacl) dependency
+
+Historically, the set of supported algorithms was extended by including the `rbnacl` gem in the application's Gemfile. On load, ruby-jwt tried to load the gem and, if available, extend the algorithms to those provided by the `rbnacl/libsodium` libraries. This indirect dependency has caused some maintenance pain and confusion about which versions of the gem are supported.
+
+Some work to ease the way alternative algorithms can be implemented has been done. This enables the extraction of the algorithm provided by `rbnacl`.
+
+The extracted algorithms now live in the [jwt-eddsa](https://rubygems.org/gems/jwt-eddsa) gem.
+
+### Dropped support for HS512256
+
+The algorithm HS512256 (HMAC-SHA-512 truncated to 256-bits) is not part of any JWA/JWT RFC and therefore will not be supported anymore. It was part of the HMAC algorithms provided by the indirect [RbNaCl](https://github.com/RubyCrypto/rbnacl) dependency. Currently, there are no direct substitutes for the algorithm.
+
+### `JWT::EncodedToken#payload` will raise before token is verified
+
+To avoid accidental use of unverified tokens, the `JWT::EncodedToken#payload` method will raise an error if accessed before the token signature has been verified.
+
+To access the payload before verification, use the method `JWT::EncodedToken#unverified_payload`.
+
+## Stricter requirements on Base64 encoded data
+
+Base64 decoding will no longer fallback on the looser RFC 2045. The biggest difference is that the looser version was ignoring whitespaces and newlines, whereas the stricter version raises errors in such cases.
+
+If you, for example, read tokens from files, there could be problems with trailing newlines. Make sure you trim your input before passing it to the decoding mechanisms.
+
+## Claim verification revamp
+
+Claim verification has been [split into separate classes](https://github.com/jwt/ruby-jwt/pull/605) and has [a new API](https://github.com/jwt/ruby-jwt/pull/626), leading to the following deprecations:
+
+- The `::JWT::ClaimsValidator` class will be removed in favor of the functionality provided by `::JWT::Claims`.
+- The `::JWT::Claims::verify!` method will be removed in favor of `::JWT::Claims::verify_payload!`.
+- The `::JWT::JWA.create` method will be removed.
+- The `::JWT::Verify` class will be removed in favor of the functionality provided by `::JWT::Claims`.
+- Calling `::JWT::Claims::Numeric.new` with a payload will be removed in favor of `::JWT::Claims::verify_payload!(payload, :numeric)`.
+- Calling `::JWT::Claims::Numeric.verify!` with a payload will be removed in favor of `::JWT::Claims::verify_payload!(payload, :numeric)`.
+
+## Algorithm restructuring
+
+The internal algorithms were [restructured](https://github.com/jwt/ruby-jwt/pull/607) to support extensions from separate libraries. The changes led to a few deprecations and new requirements:
+- The `sign` and `verify` static methods on all the algorithms (`::JWT::JWA`) will be removed.
+- Custom algorithms are expected to include the `JWT::JWA::SigningAlgorithm` module.
+
+## Base64 the `k´ value for HMAC JWKs
+
+The gem was missing the Base64 encoding and decoding when representing and parsing a HMAC key as a JWK. This issue is now addressed. The added encoding will break compatibility with JWKs produced by older versions of the gem.

data/lib/jwt/base64.rb

@@ -14,22 +14,13 @@ module JWT
       end
 
       # Decode a string with URL-safe Base64 complying with RFC 4648.
-      # Deprecated support for RFC 2045 remains for now. ("All line breaks or other characters not found in Table 1 must be ignored by decoding software")
       # @api private
       def url_decode(str)
         ::Base64.urlsafe_decode64(str)
       rescue ArgumentError => e
         raise unless e.message == 'invalid base64'
-        raise Base64DecodeError, 'Invalid base64 encoding' if JWT.configuration.strict_base64_decoding
 
-        loose_urlsafe_decode64(str).tap do
-          Deprecations.warning('Invalid base64 input detected, could be because of invalid padding, trailing whitespaces or newline chars. Graceful handling of invalid input will be dropped in the next major version of ruby-jwt', only_if_valid: true)
-        end
-      end
-
-      def loose_urlsafe_decode64(str)
-        str += '=' * (4 - str.length.modulo(4))
-        ::Base64.decode64(str.tr('-_', '+/'))
+        raise Base64DecodeError, 'Invalid base64 encoding'
       end
     end
   end

data/lib/jwt/claims/numeric.rb

@@ -5,18 +5,6 @@ module JWT
     # The Numeric class is responsible for validating numeric claims in a JWT token.
     # The numeric claims are: exp, iat and nbf
     class Numeric
-      # The Compat class provides backward compatibility for numeric claim validation.
-      # @api private
-      class Compat
-        def initialize(payload)
-          @payload = payload
-        end
-
-        def verify!
-          JWT::Claims.verify_payload!(@payload, :numeric)
-        end
-      end
-
       # List of numeric claims that can be validated.
       NUMERIC_CLAIMS = %i[
         exp
@@ -26,14 +14,6 @@ module JWT
 
       private_constant(:NUMERIC_CLAIMS)
 
-      # @api private
-      def self.new(*args)
-        return super if args.empty?
-
-        Deprecations.warning('Calling ::JWT::Claims::Numeric.new with the payload will be removed in the next major version of ruby-jwt')
-        Compat.new(*args)
-      end
-
       # Verifies the numeric claims in the JWT context.
       #
       # @param context [Object] the context containing the JWT payload.
@@ -43,18 +23,6 @@ module JWT
         validate_numeric_claims(context.payload)
       end
 
-      # Verifies the numeric claims in the JWT payload.
-      #
-      # @param payload [Hash] the JWT payload containing the claims.
-      # @param _args [Hash] additional arguments (not used).
-      # @raise [JWT::InvalidClaimError] if any numeric claim is invalid.
-      # @return [nil]
-      # @deprecated The ::JWT::Claims::Numeric.verify! method will be removed in the next major version of ruby-jwt
-      def self.verify!(payload:, **_args)
-        Deprecations.warning('The ::JWT::Claims::Numeric.verify! method will be removed in the next major version of ruby-jwt.')
-        JWT::Claims.verify_payload!(payload, :numeric)
-      end
-
       private
 
       def validate_numeric_claims(payload)

data/lib/jwt/claims.rb

@@ -11,7 +11,6 @@ require_relative 'claims/not_before'
 require_relative 'claims/numeric'
 require_relative 'claims/required'
 require_relative 'claims/subject'
-require_relative 'claims/verification_methods'
 require_relative 'claims/verifier'
 
 module JWT
@@ -33,12 +32,6 @@ module JWT
     Error = Struct.new(:message, keyword_init: true)
 
     class << self
-      # @deprecated Use {verify_payload!} instead. Will be removed in the next major version of ruby-jwt.
-      def verify!(payload, options)
-        Deprecations.warning('The ::JWT::Claims.verify! method is deprecated will be removed in the next major version of ruby-jwt')
-        DecodeVerifier.verify!(payload, options)
-      end
-
       # Checks if the claims in the JWT payload are valid.
       # @example
       #

data/lib/jwt/configuration/container.rb

@@ -30,7 +30,6 @@ module JWT
       def reset!
         @decode                 = DecodeConfiguration.new
         @jwk                    = JwkConfiguration.new
-        @strict_base64_decoding = false
 
         self.deprecation_warnings = :once
       end

data/lib/jwt/decode.rb

@@ -33,10 +33,10 @@ module JWT
         verify_algo
         set_key
         verify_signature
-        Claims::DecodeVerifier.verify!(token.payload, @options)
+        Claims::DecodeVerifier.verify!(token.unverified_payload, @options)
       end
 
-      [token.payload, token.header]
+      [token.unverified_payload, token.header]
     end
 
     private
@@ -77,11 +77,8 @@ module JWT
                       :algorithms].freeze
 
     def given_algorithms
-      ALGORITHM_KEYS.each do |alg_key|
-        alg = @options[alg_key]
-        return Array(alg) if alg
-      end
-      []
+      alg_key = ALGORITHM_KEYS.find { |key| @options[key] }
+      Array(@options[alg_key])
     end
 
     def allowed_algorithms
@@ -93,7 +90,7 @@ module JWT
     end
 
     def find_key(&keyfinder)
-      key = (keyfinder.arity == 2 ? yield(token.header, token.payload) : yield(token.header))
+      key = (keyfinder.arity == 2 ? yield(token.header, token.unverified_payload) : yield(token.header))
       # key can be of type [string, nil, OpenSSL::PKey, Array]
       return key if key && !Array(key).empty?
 

data/lib/jwt/encoded_token.rb

@@ -12,7 +12,21 @@ module JWT
   #   encoded_token.verify_signature!(algorithm: 'HS256', key: 'secret')
   #   encoded_token.payload # => {'pay' => 'load'}
   class EncodedToken
-    include Claims::VerificationMethods
+    # @private
+    # Allow access to the unverified payload for claim verification.
+    class ClaimsContext
+      extend Forwardable
+
+      def_delegators :@token, :header, :unverified_payload
+
+      def initialize(token)
+        @token = token
+      end
+
+      def payload
+        unverified_payload
+      end
+    end
 
     # Returns the original token provided to the class.
     # @return [String] The JWT token.
@@ -26,6 +40,7 @@ module JWT
       raise ArgumentError, 'Provided JWT must be a String' unless jwt.is_a?(String)
 
       @jwt = jwt
+      @signature_verified = false
       @encoded_header, @encoded_payload, @encoded_signature = jwt.split('.')
     end
 
@@ -53,11 +68,20 @@ module JWT
     # @return [String] the encoded header.
     attr_reader :encoded_header
 
-    # Returns the payload of the JWT token.
+    # Returns the payload of the JWT token. Access requires the signature to have been verified.
     #
     # @return [Hash] the payload.
+    # @raise [JWT::DecodeError] if the signature has not been verified.
     def payload
-      @payload ||= decode_payload
+      raise JWT::DecodeError, 'Verify the token signature before accessing the payload' unless @signature_verified
+
+      decoded_payload
+    end
+
+    # Returns the payload of the JWT token without requiring the signature to have been verified.
+    # @return [Hash] the payload.
+    def unverified_payload
+      decoded_payload
     end
 
     # Sets or returns the encoded payload of the JWT token.
@@ -72,6 +96,22 @@ module JWT
       [encoded_header, encoded_payload].join('.')
     end
 
+    # Verifies the token signature and claims.
+    # By default it verifies the 'exp' claim.
+    #
+    # @example
+    #  encoded_token.verify!(signature: { algorithm: 'HS256', key: 'secret' }, claims: [:exp])
+    #
+    # @param signature [Hash] the parameters for signature verification (see {#verify_signature!}).
+    # @param claims [Array<Symbol>, Hash] the claims to verify (see {#verify_claims!}).
+    # @return [nil]
+    # @raise [JWT::DecodeError] if the signature or claim verification fails.
+    def verify!(signature:, claims: [:exp])
+      verify_signature!(**signature)
+      claims.is_a?(Array) ? verify_claims!(*claims) : verify_claims!(claims)
+      nil
+    end
+
     # Verifies the signature of the JWT token.
     #
     # @param algorithm [String, Array<String>, Object, Array<Object>] the algorithm(s) to use for verification.
@@ -96,11 +136,34 @@ module JWT
     # @param key [String, Array<String>] the key(s) to use for verification.
     # @return [Boolean] true if the signature is valid, false otherwise.
     def valid_signature?(algorithm:, key:)
-      Array(JWA.resolve_and_sort(algorithms: algorithm, preferred_algorithm: header['alg'])).any? do |algo|
+      valid = Array(JWA.resolve_and_sort(algorithms: algorithm, preferred_algorithm: header['alg'])).any? do |algo|
         Array(key).any? do |one_key|
           algo.verify(data: signing_input, signature: signature, verification_key: one_key)
         end
       end
+
+      valid.tap { |verified| @signature_verified = verified }
+    end
+
+    # Verifies the claims of the token.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @raise [JWT::DecodeError] if the claims are invalid.
+    def verify_claims!(*options)
+      Claims::Verifier.verify!(ClaimsContext.new(self), *options)
+    end
+
+    # Returns the errors of the claims of the token.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @return [Array<Symbol>] the errors of the claims.
+    def claim_errors(*options)
+      Claims::Verifier.errors(ClaimsContext.new(self), *options)
+    end
+
+    # Returns whether the claims of the token are valid.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @return [Boolean] whether the claims are valid.
+    def valid_claims?(*options)
+      claim_errors(*options).empty?
     end
 
     alias to_s jwt
@@ -135,5 +198,9 @@ module JWT
     rescue ::JSON::ParserError
       raise JWT::DecodeError, 'Invalid segment encoding'
     end
+
+    def decoded_payload
+      @decoded_payload ||= decode_payload
+    end
   end
 end

data/lib/jwt/jwa/ecdsa.rb

@@ -56,10 +56,6 @@ module JWT
         register_algorithm(new(v[:algorithm], v[:digest]))
       end
 
-      def self.from_algorithm(algorithm)
-        new(algorithm, algorithm.downcase.gsub('es', 'sha'))
-      end
-
       def self.curve_by_name(name)
         NAMED_CURVES.fetch(name) do
           raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"

data/lib/jwt/jwa/hmac.rb

@@ -6,10 +6,6 @@ module JWT
     class Hmac
       include JWT::JWA::SigningAlgorithm
 
-      def self.from_algorithm(algorithm)
-        new(algorithm, OpenSSL::Digest.new(algorithm.downcase.gsub('hs', 'sha')))
-      end
-
       def initialize(alg, digest)
         @alg = alg
         @digest = digest

data/lib/jwt/jwa/ps.rb

@@ -13,6 +13,7 @@ module JWT
 
       def sign(data:, signing_key:)
         raise_sign_error!("The given key is a #{signing_key.class}. It has to be an OpenSSL::PKey::RSA instance.") unless signing_key.is_a?(::OpenSSL::PKey::RSA)
+        raise_sign_error!('The key length must be greater than or equal to 2048 bits') if signing_key.n.num_bits < 2048
 
         signing_key.sign_pss(digest_algorithm, data, salt_length: :digest, mgf1_hash: digest_algorithm)
       end

data/lib/jwt/jwa/rsa.rb

@@ -13,6 +13,7 @@ module JWT
 
       def sign(data:, signing_key:)
         raise_sign_error!("The given key is a #{signing_key.class}. It has to be an OpenSSL::PKey::RSA instance") unless signing_key.is_a?(OpenSSL::PKey::RSA)
+        raise_sign_error!('The key length must be greater than or equal to 2048 bits') if signing_key.n.num_bits < 2048
 
         signing_key.sign(digest, data)
       end

data/lib/jwt/jwa/signing_algorithm.rb

@@ -14,7 +14,6 @@ module JWT
 
       def self.included(klass)
         klass.extend(ClassMethods)
-        klass.include(JWT::JWA::Compat)
       end
 
       attr_reader :alg

data/lib/jwt/jwa.rb

@@ -2,13 +2,6 @@
 
 require 'openssl'
 
-begin
-  require 'rbnacl'
-rescue LoadError
-  raise if defined?(RbNaCl)
-end
-
-require_relative 'jwa/compat'
 require_relative 'jwa/signing_algorithm'
 require_relative 'jwa/ecdsa'
 require_relative 'jwa/hmac'
@@ -16,15 +9,6 @@ require_relative 'jwa/none'
 require_relative 'jwa/ps'
 require_relative 'jwa/rsa'
 require_relative 'jwa/unsupported'
-require_relative 'jwa/wrapper'
-
-require_relative 'jwa/eddsa' if JWT.rbnacl?
-
-if JWT.rbnacl_6_or_greater?
-  require_relative 'jwa/hmac_rbnacl'
-elsif JWT.rbnacl?
-  require_relative 'jwa/hmac_rbnacl_fixed'
-end
 
 module JWT
   # The JWA module contains all supported algorithms.
@@ -34,10 +18,7 @@ module JWT
       def resolve(algorithm)
         return find(algorithm) if algorithm.is_a?(String) || algorithm.is_a?(Symbol)
 
-        unless algorithm.is_a?(SigningAlgorithm)
-          Deprecations.warning('Custom algorithms are required to include JWT::JWA::SigningAlgorithm. Custom algorithms that do not include this module may stop working in the next major version of ruby-jwt.')
-          return Wrapper.new(algorithm)
-        end
+        raise ArgumentError, 'Custom algorithms are required to include JWT::JWA::SigningAlgorithm' unless algorithm.is_a?(SigningAlgorithm)
 
         algorithm
       end
@@ -47,12 +28,6 @@ module JWT
         algs = Array(algorithms).map { |alg| JWA.resolve(alg) }
         algs.partition { |alg| alg.valid_alg?(preferred_algorithm) }.flatten
       end
-
-      # @deprecated The `::JWT::JWA.create` method is deprecated and will be removed in the next major version of ruby-jwt.
-      def create(algorithm)
-        Deprecations.warning('The ::JWT::JWA.create method is deprecated and will be removed in the next major version of ruby-jwt.')
-        resolve(algorithm)
-      end
     end
   end
 end

data/lib/jwt/jwk/ec.rb

@@ -124,10 +124,6 @@ module JWT
         ::JWT::Base64.url_encode(octets)
       end
 
-      def encode_open_ssl_bn(key_part)
-        ::JWT::Base64.url_encode(key_part.to_s(BINARY))
-      end
-
       def parse_ec_key(key)
         crv, x_octets, y_octets = keypair_components(key)
         octets = key.private_key&.to_bn&.to_s(BINARY)

data/lib/jwt/jwk/hmac.rb

@@ -70,7 +70,7 @@ module JWT
       private
 
       def secret
-        self[:k]
+        @secret ||= ::JWT::Base64.url_decode(self[:k])
       end
 
       def extract_key_params(key)
@@ -78,7 +78,7 @@ module JWT
         when JWT::JWK::HMAC
           key.export(include_private: true)
         when String # Accept String key as input
-          { kty: KTY, k: key }
+          { kty: KTY, k: ::JWT::Base64.url_encode(key) }
         when Hash
           key.transform_keys(&:to_sym)
         else