jwt 2.4.0.beta1 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 637320f6741edec8adfafb3513fdad0927b9c08271137e7ad47e2b7515a6b90a
-  data.tar.gz: a089bc9ef99438988ef542135cdfaa68496fd645877200059ab461122816e11e
+  metadata.gz: a3098671a837e7b291103cde1921277c61ecaa0f0797b955e6adc65328498f0d
+  data.tar.gz: 3253833ac6d7743e40a5d5157b161cd0daecc9b77f61dfa7687d6b3da1be56ca
 SHA512:
-  metadata.gz: bdf07ebbbadc38c80b6eda44a6571d7bd8f5c0d806cb1955295fa201f8a77f9faba55567e23825eaf23350eaef391e6c34a09666297b1fe7cd0178348fe93586
-  data.tar.gz: 924d0f219493f2cf133753ca25fbd7682d7f307b7b3724a659c795ef864b9129137e2b6db8d3591f1a006c9925c325ff51f2a87f23ad0b1d6b198124135ce093
+  metadata.gz: 306c946b1199301a3f1000c8ffba4a77d07fd05dd83f769da86fd29f254827b5af8488a4b6a54b11f1f7f3a028cb88caafb7ed67528e7004c0337f6506e595ea
+  data.tar.gz: 57d1eba7a06bc9d9f9fcb76b42aa3808415af5020c53969b4cada890b1646e7d348a96ce18010ab0a978e42825febbeb7b3f205b72e8ce60ef90132cf5887599

data/.github/workflows/test.yml

@@ -13,43 +13,44 @@ jobs:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
-        ruby-version: "2.7"
+        ruby-version: "3.0"
         bundler-cache: true
     - name: Run RuboCop
       run: bundle exec rubocop
   test:
+    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
+        os:
+          - ubuntu-20.04
         ruby:
-          - 2.5
-          - 2.6
-          - 2.7
+          - "2.5"
+          - "2.6"
+          - "2.7"
           - "3.0"
-          - 3.1
+          - "3.1"
         gemfile:
           - gemfiles/standalone.gemfile
           - gemfiles/openssl.gemfile
           - gemfiles/rbnacl.gemfile
         experimental: [false]
         include:
-          - ruby: 2.7
-            gemfile: 'gemfiles/rbnacl.gemfile'
-          - ruby: "ruby-head"
-            experimental: true
-          - ruby: "truffleruby-head"
-            experimental: true
-    runs-on: ubuntu-20.04
+          - { os: ubuntu-20.04, ruby: "2.7", gemfile: 'gemfiles/rbnacl.gemfile', experimental: false }
+          - { os: ubuntu-22.04, ruby: "3.1", experimental: false }
+          - { os: ubuntu-20.04, ruby: "truffleruby-head", experimental: true }
+          - { os: ubuntu-22.04, ruby: "head", experimental: true }
     continue-on-error: ${{ matrix.experimental }}
     env:
       BUNDLE_GEMFILE: ${{ matrix.gemfile }}
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Install libsodium
       run: |

data/.reek.yml

@@ -0,0 +1,22 @@
+---
+detectors:
+  TooManyStatements:
+    max_statements: 10
+  UtilityFunction:
+    enabled: false
+  LongParameterList:
+    enabled: false
+  DuplicateMethodCall:
+    max_calls: 2
+  IrresponsibleModule:
+    enabled: false
+  NestedIterators:
+    max_allowed_nesting: 2
+  UnusedParameters:
+    enabled: false
+  FeatureEnvy:
+    enabled: false
+  ControlParameter:
+    enabled: false
+  UnusedPrivateMethod:
+    enabled: false

data/.rubocop.yml

@@ -1,5 +1,3 @@
-inherit_from: .rubocop_todo.yml
-
 AllCops:
   TargetRubyVersion: 2.5
   NewCops: enable
@@ -21,43 +19,38 @@ Style/GuardClause:
 Style/IfUnlessModifier:
   Enabled: false
 
-Layout/SpaceInsideHashLiteralBraces:
-  Enabled: false
-
 Style/Lambda:
   Enabled: false
 
 Style/RaiseArgs:
   Enabled: false
 
-Style/SignalException:
-  Enabled: false
-
 Metrics/AbcSize:
   Max: 25
 
 Metrics/ClassLength:
-  Max: 103
+  Max: 112
 
 Metrics/ModuleLength:
   Max: 100
 
-Layout/LineLength:
-  Enabled: false
+Metrics/MethodLength:
+  Max: 20
 
 Metrics/BlockLength:
   Exclude:
     - spec/**/*_spec.rb
 
-Metrics/MethodLength:
-  Max: 15
-
-Style/SingleLineBlockParams:
+Layout/LineLength:
   Enabled: false
 
 Layout/EndAlignment:
   EnforcedStyleAlignWith: variable
 
+Layout/EmptyLineBetweenDefs:
+  Enabled: true
+  AllowAdjacentOneLineDefs: true
+
 Style/FormatString:
   Enabled: false
 
@@ -70,12 +63,5 @@ Layout/MultilineOperationIndentation:
 Style/WordArray:
   Enabled: false
 
-Style/RedundantSelf:
+Gemspec/RequireMFA:
   Enabled: false
-
-Layout/HashAlignment:
-  Enabled: true
-  EnforcedLastArgumentHashStyle: always_ignore
-
-Style/TrivialAccessors:
-  AllowPredicates: true

data/.sourcelevel.yml

@@ -1,4 +1,3 @@
-styleguide: excpt/linters
 engines:
   reek:
     enabled: true
@@ -6,13 +5,13 @@ engines:
     enabled: true
   rubocop:
     enabled: true
-    channel: rubocop-0-52
+    channel: latest
   duplication:
     config:
       languages:
       - ruby
     enabled: true
   remark-lint:
-    enabled: true
+    enabled: false
 exclude_paths:
-- spec
+  - spec

data/CHANGELOG.md

@@ -1,51 +1,50 @@
 # Changelog
 
-## [v2.4.0](https://github.com/jwt/ruby-jwt/tree/v2.4.0) (2022-05-03)
 
-[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.3.0...v2.4.0)
+## [v2.5.0](https://github.com/jwt/ruby-jwt/tree/v2.5.0) (NEXT)
 
-**Implemented enhancements:**
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.4.1...master)
 
-- Ensure presence of claims [\#244](https://github.com/jwt/ruby-jwt/issues/244)
-- Support verifying signature signed using x5c header [\#59](https://github.com/jwt/ruby-jwt/issues/59)
-- Add x5c header key finder [\#338](https://github.com/jwt/ruby-jwt/pull/338) ([bdewater](https://github.com/bdewater))
+**Features:**
 
-**Security fixes:**
+- Support JWK thumbprints as key ids [#481](https://github.com/jwt/ruby-jwt/pull/481) ([@anakinj](https://github.com/anakinj)).
+- Your contribution here
 
-- Importing JWK then exporting results in different `kid` [\#313](https://github.com/jwt/ruby-jwt/issues/313)
+**Fixes and enhancements:**
+- Bring back the old Base64 (RFC2045) deocode mechanisms [#488](https://github.com/jwt/ruby-jwt/pull/488) ([@anakinj](https://github.com/anakinj)).
+- Rescue RbNaCl exception for EdDSA wrong key [#491](https://github.com/jwt/ruby-jwt/pull/491) ([@n-studio](https://github.com/n-studio)).
+- New parameter name for cases when kid is not found using JWK key loader proc [#501](https://github.com/jwt/ruby-jwt/pull/501) ([@anakinj](https://github.com/anakinj)).
+- Fix NoMethodError when a 2 segment token is missing 'alg' header [#502](https://github.com/jwt/ruby-jwt/pull/502) ([@cmrd-senya](https://github.com/cmrd-senya)).
+- Support OpenSSL >= 3.0 [#496](https://github.com/jwt/ruby-jwt/pull/496) ([@anakinj](https://github.com/anakinj)).
+- Your contribution here
 
-**Closed issues:**
+## [v2.4.1](https://github.com/jwt/ruby-jwt/tree/v2.4.1) (2022-06-07)
 
-- Is there a way to decode a ES256 encoded JWT with a root certificate but without a public key or a private key? [\#471](https://github.com/jwt/ruby-jwt/issues/471)
-- Encode output with extra quote [\#469](https://github.com/jwt/ruby-jwt/issues/469)
-- Please release new gem version [\#444](https://github.com/jwt/ruby-jwt/issues/444)
-- HS512 signature verification fails for valid tokens [\#438](https://github.com/jwt/ruby-jwt/issues/438)
-- ArgumentError: invalid base64 while calling JWT::JWK.import\(hash\) [\#361](https://github.com/jwt/ruby-jwt/issues/361)
-- NoMethodError (undefined method `encode' for JsonWebToken:Module\) [\#329](https://github.com/jwt/ruby-jwt/issues/329)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.4.0...v2.4.1)
 
-**Merged pull requests:**
+**Fixes and enhancements:**
+- Raise JWT::DecodeError on invalid signature [\#484](https://github.com/jwt/ruby-jwt/pull/484) ([@freakyfelt!](https://github.com/freakyfelt!)).
+
+## [v2.4.0](https://github.com/jwt/ruby-jwt/tree/v2.4.0) (2022-06-06)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.3.0...v2.4.0)
 
-- Fix RuboCop TODOs [\#476](https://github.com/jwt/ruby-jwt/pull/476) ([typhoon2099](https://github.com/typhoon2099))
-- Update note about supported JWK types [\#475](https://github.com/jwt/ruby-jwt/pull/475) ([dpashkevich](https://github.com/dpashkevich))
-- Make specific algorithms in README linkable [\#472](https://github.com/jwt/ruby-jwt/pull/472) ([milieu](https://github.com/milieu))
-- Add tests for keyfinder logic to ensure the argument count does not matter [\#467](https://github.com/jwt/ruby-jwt/pull/467) ([anakinj](https://github.com/anakinj))
-- More tests for none token [\#466](https://github.com/jwt/ruby-jwt/pull/466) ([anakinj](https://github.com/anakinj))
-- Improve non algorithm tests [\#465](https://github.com/jwt/ruby-jwt/pull/465) ([anakinj](https://github.com/anakinj))
-- Bring back Ruby 2.5 support and CodeClimate coverage reports [\#464](https://github.com/jwt/ruby-jwt/pull/464) ([anakinj](https://github.com/anakinj))
-- Fix a little RuboCop issue [\#462](https://github.com/jwt/ruby-jwt/pull/462) ([anakinj](https://github.com/anakinj))
-- Fixes with latest RuboCop [\#459](https://github.com/jwt/ruby-jwt/pull/459) ([anakinj](https://github.com/anakinj))
-- Removed bundler-audit from codeclimate config [\#458](https://github.com/jwt/ruby-jwt/pull/458) ([anakinj](https://github.com/anakinj))
-- Updated rubocop to 1.23.0 [\#457](https://github.com/jwt/ruby-jwt/pull/457) ([anakinj](https://github.com/anakinj))
-- Add Ruby 3.1 to test matrix [\#456](https://github.com/jwt/ruby-jwt/pull/456) ([anakinj](https://github.com/anakinj))
-- Use Ruby built-in url-safe base64 methods [\#454](https://github.com/jwt/ruby-jwt/pull/454) ([bdewater](https://github.com/bdewater))
-- Stop running tests on EOL rubies. [\#453](https://github.com/jwt/ruby-jwt/pull/453) ([anakinj](https://github.com/anakinj))
-- Fix openssl gem version check to support versons greater than 3 [\#452](https://github.com/jwt/ruby-jwt/pull/452) ([anakinj](https://github.com/anakinj))
-- Readme: Typo fix re MissingRequiredClaim [\#451](https://github.com/jwt/ruby-jwt/pull/451) ([antonmorant](https://github.com/antonmorant))
-- Fix for exception after mergeing \#385 [\#450](https://github.com/jwt/ruby-jwt/pull/450) ([anakinj](https://github.com/anakinj))
-- Create CODE\_OF\_CONDUCT.md [\#449](https://github.com/jwt/ruby-jwt/pull/449) ([loic5](https://github.com/loic5))
-- Allow regular expressions and procs to verify issuer [\#437](https://github.com/jwt/ruby-jwt/pull/437) ([rewritten](https://github.com/rewritten))
-- Add Support to be able to verify from multiple keys [\#425](https://github.com/jwt/ruby-jwt/pull/425) ([ritikesh](https://github.com/ritikesh))
-- Define the secp256r1 curve [\#385](https://github.com/jwt/ruby-jwt/pull/385) ([anakinj](https://github.com/anakinj))
+**Features:**
+
+- Dropped support for Ruby 2.5 and older [#453](https://github.com/jwt/ruby-jwt/pull/453) - [@anakinj](https://github.com/anakinj).
+- Use Ruby built-in url-safe base64 methods [#454](https://github.com/jwt/ruby-jwt/pull/454) - [@bdewater](https://github.com/bdewater).
+- Updated rubocop to 1.23.0 [#457](https://github.com/jwt/ruby-jwt/pull/457) - [@anakinj](https://github.com/anakinj).
+- Add x5c header key finder [#338](https://github.com/jwt/ruby-jwt/pull/338) - [@bdewater](https://github.com/bdewater).
+- Author driven changelog process [#463](https://github.com/jwt/ruby-jwt/pull/463) - [@anakinj](https://github.com/anakinj).
+- Allow regular expressions and procs to verify issuer [\#437](https://github.com/jwt/ruby-jwt/pull/437) ([rewritten](https://github.com/rewritten)).
+- Add Support to be able to verify from multiple keys [\#425](https://github.com/jwt/ruby-jwt/pull/425) ([ritikesh](https://github.com/ritikesh)).
+
+**Fixes and enhancements:**
+- Readme: Typo fix re MissingRequiredClaim [\#451](https://github.com/jwt/ruby-jwt/pull/451) ([antonmorant](https://github.com/antonmorant)).
+- Fix RuboCop TODOs [\#476](https://github.com/jwt/ruby-jwt/pull/476) ([typhoon2099](https://github.com/typhoon2099)).
+- Make specific algorithms in README linkable [\#472](https://github.com/jwt/ruby-jwt/pull/472) ([milieu](https://github.com/milieu)).
+- Update note about supported JWK types [\#475](https://github.com/jwt/ruby-jwt/pull/475) ([dpashkevich](https://github.com/dpashkevich)).
+- Create CODE\_OF\_CONDUCT.md [\#449](https://github.com/jwt/ruby-jwt/pull/449) ([loic5](https://github.com/loic5)).
 
 ## [v2.3.0](https://github.com/jwt/ruby-jwt/tree/v2.3.0) (2021-10-03)
 

data/CONTRIBUTING.md

@@ -0,0 +1,99 @@
+# Contributing to [ruby-jwt](https://github.com/jwt/ruby-jwt)
+
+## Forking the project
+
+Fork the project on GitHub and clone your own fork. Instuctions on forking can be found from the [GitHub Docs](https://docs.github.com/en/get-started/quickstart/fork-a-repo)
+
+```
+git clone git@github.com:you/ruby-jwt.git
+cd ruby-jwt
+git remote add upstream https://github.com/jwt/ruby-jwt
+```
+
+## Create a branch for your implementation
+
+Make sure you have the latest upstream master branch of the project.
+
+```
+git fetch --all
+git checkout master
+git rebase upstream/master
+git push origin master
+git checkout -b fix-a-little-problem
+```
+
+## Running the tests and linter
+
+Before you start with your implementation make sure you are able to get a succesful test run with the current revision.
+
+The tests are written with rspec and [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
+
+[Rubocop](https://github.com/rubocop/rubocop) is used to enforce the Ruby style.
+
+To run the complete set of tests and linter run the following
+
+```bash
+bundle install
+bundle exec appraisal rake test
+bundle exec rubocop
+```
+
+## Implement your feature
+
+Implement tests and your change. Don't be shy adding a little something in the [README](README.md).
+Add a short description of the change in either the `Features` or `Fixes` section in the [CHANGELOG](CHANGELOG.md) file.
+
+The form of the row (You need to return to the row when you know the pull request id)
+```
+- Fix a little problem [#123](https://github.com/jwt/ruby-jwt/pull/123) - [@you](https://github.com/you).
+```
+
+## Push your branch and create a pull request
+
+Before pushing make sure the tests pass and RuboCop is happy.
+
+```
+bundle exec appraisal rake test
+bundle exec rubocop
+git push origin fix-a-little-problem
+```
+
+Make a new pull request on the [ruby-jwt project](https://github.com/jwt/ruby-jwt/pulls) with a description what the change is about.
+
+## Update the CHANGELOG, again
+
+Update the [CHANGELOG](CHANGELOG.md) with the pull request id from the previous step.
+
+You can ammend the previous commit with the updated changelog change and force push your branch. The PR will get automatically updated.
+
+```
+git add CHANGELOG.md
+git commit --amend --no-edit
+git push origin fix-a-little-problem -f
+```
+
+## Keep an eye on your pull request
+
+A maintainer will review and probably merge you changes when time allows, be patient.
+
+## Keeping your branch up-to-date
+
+It's recommended that you keep your branch up-to-date by rebasing to the upstream master.
+
+```
+git fetch upstream
+git checkout fix-a-little-problem
+git rebase upstream/master
+git push origin fix-a-little-problem -f
+```
+
+# Releasing a new version
+
+The version is using the [Semantic Versioning](http://semver.org/) and the version is located in the [version.rb](lib/jwt/version.rb) file.
+Also update the [CHANGELOG](CHANGELOG.md) to reflect the upcoming version release.
+
+```bash
+rake release
+```
+
+**If you want a release cut with your PR, please include a version bump according to **

data/README.md

@@ -12,10 +12,12 @@ A ruby implementation of the [RFC 7519 OAuth JSON Web Token (JWT)](https://tools
 If you have further questions related to development or usage, join us: [ruby-jwt google group](https://groups.google.com/forum/#!forum/ruby-jwt).
 
 ## Announcements
-
+* Ruby 2.4 support was dropped in version 2.4.0
 * Ruby 1.9.3 support was dropped at December 31st, 2016.
 * Version 1.5.3 yanked. See: [#132](https://github.com/jwt/ruby-jwt/issues/132) and [#133](https://github.com/jwt/ruby-jwt/issues/133)
 
+See [CHANGELOG.md](CHANGELOG.md) for a complete set of changes.
+
 ## Sponsors
 
 |Logo|Message|
@@ -130,19 +132,17 @@ puts decoded_token
 * ES256 - ECDSA using P-256 and SHA-256
 * ES384 - ECDSA using P-384 and SHA-384
 * ES512 - ECDSA using P-521 and SHA-512
+* ES256K - ECDSA using P-256K and SHA-256
 
 ```ruby
-ecdsa_key = OpenSSL::PKey::EC.new 'prime256v1'
-ecdsa_key.generate_key
-ecdsa_public = OpenSSL::PKey::EC.new ecdsa_key
-ecdsa_public.private_key = nil
+ecdsa_key = OpenSSL::PKey::EC.generate('prime256v1')
 
 token = JWT.encode payload, ecdsa_key, 'ES256'
 
 # eyJhbGciOiJFUzI1NiJ9.eyJkYXRhIjoidGVzdCJ9.AlLW--kaF7EX1NMX9WJRuIW8NeRJbn2BLXHns7Q5TZr7Hy3lF6MOpMlp7GoxBFRLISQ6KrD0CJOrR8aogEsPeg
 puts token
 
-decoded_token = JWT.decode token, ecdsa_public, true, { algorithm: 'ES256' }
+decoded_token = JWT.decode token, ecdsa_key, true, { algorithm: 'ES256' }
 
 # Array
 # [
@@ -183,7 +183,7 @@ decoded_token = JWT.decode token, public_key, true, { algorithm: 'ED25519' }
 
 ### **RSASSA-PSS**
 
-In order to use this algorithm you need to add the `openssl` gem to you `Gemfile` with a version greater or equal to `2.1`.
+In order to use this algorithm you need to add the `openssl` gem to your `Gemfile` with a version greater or equal to `2.1`.
 
 ```ruby
 gem 'openssl', '~> 2.1'
@@ -543,30 +543,41 @@ end
 
 ### JSON Web Key (JWK)
 
-JWK is a JSON structure representing a cryptographic key. Currently only supports RSA, EC and HMAC keys.
+JWK is a JSON structure representing a cryptographic key. Currently only supports RSA, EC and HMAC keys. The `jwks` option can be given as a lambda that evaluates every time a kid is resolved.
 
-```ruby
-jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), "optional-kid")
-payload, headers = { data: 'data' }, { kid: jwk.kid }
+If the kid is not found from the given set the loader will be called a second time with the `kid_not_found` option set to `true`. The application can choose to implement some kind of JWK cache invalidation or other mechanism to handle such cases.
 
-token = JWT.encode(payload, jwk.keypair, 'RS512', headers)
-
-# The jwk loader would fetch the set of JWKs from a trusted source
-jwk_loader = ->(options) do
-  @cached_keys = nil if options[:invalidate] # need to reload the keys
-  @cached_keys ||= { keys: [jwk.export] }
-end
+```ruby
+  jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), 'optional-kid')
+  payload = { data: 'data' }
+  headers = { kid: jwk.kid }
+
+  token = JWT.encode(payload, jwk.keypair, 'RS512', headers)
+
+  # The jwk loader would fetch the set of JWKs from a trusted source,
+  # to avoid malicious requests triggering cache invalidations there needs to be some kind of grace time or other logic for determining the validity of the invalidation.
+  # This example only allows cache invalidations every 5 minutes.
+  jwk_loader = ->(options) do
+    if options[:kid_not_found] && @cache_last_update < Time.now.to_i - 300
+      logger.info("Invalidating JWK cache. #{options[:kid]} not found from previous cache")
+      @cached_keys = nil
+    end
+    @cached_keys ||= begin
+      @cache_last_update = Time.now.to_i
+      { keys: [jwk.export] }
+    end
+  end
 
-begin
-  JWT.decode(token, nil, true, { algorithms: ['RS512'], jwks: jwk_loader})
-rescue JWT::JWKError
-  # Handle problems with the provided JWKs
-rescue JWT::DecodeError
-  # Handle other decode related issues e.g. no kid in header, no matching public key found etc.
-end
+  begin
+    JWT.decode(token, nil, true, { algorithms: ['RS512'], jwks: jwk_loader })
+  rescue JWT::JWKError
+    # Handle problems with the provided JWKs
+  rescue JWT::DecodeError
+    # Handle other decode related issues e.g. no kid in header, no matching public key found etc.
+  end
 ```
 
-or by passing JWK as a simple Hash
+or by passing the JWKs as a simple Hash
 
 ```
 jwks = { keys: [{ ... }] } # keys accepts both of string and symbol
@@ -575,7 +586,7 @@ JWT.decode(token, nil, true, { algorithms: ['RS512'], jwks: jwks})
 
 ### Importing and exporting JSON Web Keys
 
-The ::JWT::JWK class can be used to import and export both the public key (default behaviour) and the private key. To include the private key in the export pass the  `include_private` parameter to the export method.
+The ::JWT::JWK class can be used to import and export both the public key (default behaviour) and the private key. To include the private key in the export pass the `include_private` parameter to the export method.
 
 ```ruby
 jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048))
@@ -584,6 +595,23 @@ jwk_hash = jwk.export
 jwk_hash_with_private_key = jwk.export(include_private: true)
 ```
 
+### Key ID (kid) and JWKs
+
+The key id (kid) generation in the gem is a custom algorithm and not based on any standards. To use a standardized JWK thumbprint (RFC 7638) as the kid for JWKs a generator type can be specified in the global configuration or can be given to the JWK instance on initialization.
+
+```ruby
+JWT.configuration.jwk.kid_generator_type = :rfc7638_thumbprint
+# OR
+JWT.configuration.jwk.kid_generator = ::JWT::JWK::Thumbprint
+# OR
+jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), kid_generator: ::JWT::JWK::Thumbprint)
+
+jwk_hash = jwk.export
+
+thumbprint_as_the_kid = jwk_hash[:kid]
+
+```
+
 # Development and Tests
 
 We depend on [Bundler](http://rubygems.org/gems/bundler) for defining gemspec and performing releases to rubygems.org, which can be done with
@@ -599,12 +627,13 @@ bundle install
 bundle exec appraisal rake test
 ```
 
-**If you want a release cut with your PR, please include a version bump according to [Semantic Versioning](http://semver.org/)**
+## How to contribute
+See [CONTRIBUTING](CONTRIBUTING.md).
 
 ## Contributors
 
-See `AUTHORS` file.
+See [AUTHORS](AUTHORS).
 
 ## License
 
-See `LICENSE` file.
+See [LICENSE](LICENSE).

data/lib/jwt/algos/ecdsa.rb

@@ -6,13 +6,29 @@ module JWT
       module_function
 
       NAMED_CURVES = {
-        'prime256v1' => 'ES256',
-        'secp256r1' => 'ES256', # alias for prime256v1
-        'secp384r1' => 'ES384',
-        'secp521r1' => 'ES512'
+        'prime256v1' => {
+          algorithm: 'ES256',
+          digest: 'sha256'
+        },
+        'secp256r1' => { # alias for prime256v1
+          algorithm: 'ES256',
+          digest: 'sha256'
+        },
+        'secp384r1' => {
+          algorithm: 'ES384',
+          digest: 'sha384'
+        },
+        'secp521r1' => {
+          algorithm: 'ES512',
+          digest: 'sha512'
+        },
+        'secp256k1' => {
+          algorithm: 'ES256K',
+          digest: 'sha256'
+        }
       }.freeze
 
-      SUPPORTED = NAMED_CURVES.values.uniq.freeze
+      SUPPORTED = NAMED_CURVES.map { |_, c| c[:algorithm] }.uniq.freeze
 
       def sign(to_sign)
         algorithm, msg, key = to_sign.values
@@ -39,14 +55,9 @@ module JWT
       end
 
       def curve_by_name(name)
-        algorithm = NAMED_CURVES.fetch(name) do
+        NAMED_CURVES.fetch(name) do
           raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
         end
-
-        {
-          algorithm: algorithm,
-          digest: algorithm.sub('ES', 'sha')
-        }
       end
     end
   end

data/lib/jwt/algos/eddsa.rb

@@ -27,6 +27,8 @@ module JWT
         raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
 
         public_key.verify(signature, signing_input)
+      rescue RbNaCl::CryptoError
+        false
       end
     end
   end

data/lib/jwt/base64.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module JWT
+  # Base64 helpers
+  class Base64
+    class << self
+      def url_encode(str)
+        ::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
+      end
+
+      def url_decode(str)
+        str += '=' * (4 - str.length.modulo(4))
+        ::Base64.decode64(str.tr('-_', '+/'))
+      end
+    end
+  end
+end

data/lib/jwt/configuration/container.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative 'decode_configuration'
+require_relative 'jwk_configuration'
+
+module JWT
+  module Configuration
+    class Container
+      attr_accessor :decode, :jwk
+
+      def initialize
+        reset!
+      end
+
+      def reset!
+        @decode = DecodeConfiguration.new
+        @jwk    = JwkConfiguration.new
+      end
+    end
+  end
+end