Finally got around to cutting a new release of the ruby-jwt gem. Version 2.8.0 is fresh out of the oven, and the full changelog can be found here.

Here are three picks on what matters in this release.

Preparing to deprecate support for the HS512256 algorithm

There has been some confusion about the algorithm called HS512256, and the first steps to remove it are now being taken. The main reasoning is that this algorithm is not officially mentioned in any of the JOSE RFCs and requires the rbnacl dependency to function. More details about the confusion can be found in this issue.

Also worth mentioning: this is NOT the same algorithm as SHA-512/256 but something a bit different.

Preparing to tighten base64 decoding

Another preparation for change is to tighten the requirements on the base64 encoding of tokens.

For example, if the token contains extra whitespace or trailing spaces, a warning is presented but the token is still decoded:

irb(main):001:0> token = JWT.encode({ con:'tent' }, nil, 'none')
=> "eyJhbGciOiJub25lIn0.eyJjb24iOiJ0ZW50In0."
irb(main):002:0> JWT.decode(token + "\n", nil, true, algorithm: 'none')
[DEPRECATION] Invalid base64 input detected, could be because of invalid padding, trailing whitespaces or newline chars. Graceful handling of invalid input will be dropped in the next major version of ruby-jwt
=> [{"con"=>"tent"}, {"alg"=>"none"}]

In future versions this will result in a decoding error.
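To show what the stricter rule means in practice, here is an added example (not the gem's own code) that splits a compact token and decodes each segment strictly against the base64url alphabet, next to a lenient variant that mimics the current graceful handling. The helper names and the InvalidSegment error are assumptions for this illustration; the sample token is the one from the irb session above.

```ruby
# base64url alphabet without padding (RFC 7515 section 2, "Base64url Encoding").
BASE64URL_SEGMENT = /\A[A-Za-z0-9_-]*\z/

class InvalidSegment < StandardError; end

# Strictly decode one base64url segment. Whitespace, newlines, standard
# base64 characters ('+', '/') and explicit padding ('=') are all rejected.
def strict_base64url_decode(segment)
  unless segment.match?(BASE64URL_SEGMENT)
    raise InvalidSegment, "segment contains characters outside the base64url alphabet"
  end
  padded = segment.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # 'm0' is strict base64: raises ArgumentError on malformed input
end

# Lenient variant mirroring today's deprecated behaviour: strip whitespace and
# padding first, warn if anything had to be stripped, then decode.
def lenient_base64url_decode(segment)
  cleaned = segment.delete(" \t\r\n=")
  warn "[DEPRECATION] Invalid base64 input detected" if cleaned != segment
  strict_base64url_decode(cleaned)
end

# Split a compact serialization into exactly three segments and decode them
# strictly. split('.', -1) keeps the empty signature of an unsigned token.
def split_compact_token(token)
  segments = token.split('.', -1)
  raise InvalidSegment, "expected 3 segments, got #{segments.length}" unless segments.length == 3
  header, payload, signature = segments
  {
    header: strict_base64url_decode(header),
    payload: strict_base64url_decode(payload),
    signature: strict_base64url_decode(signature)
  }
end

# True only when every segment is valid base64url, i.e. the token would still
# decode once graceful handling is dropped.
def strict_token?(token)
  split_compact_token(token)
  true
rescue InvalidSegment, ArgumentError
  false
end

# Token from the irb session above: header {"alg":"none"}, payload {"con":"tent"}.
SAMPLE_TOKEN = 'eyJhbGciOiJub25lIn0.eyJjb24iOiJ0ZW50In0.'
```

Running strict_token? on the token with a trailing newline returns false, while the lenient helper still recovers the payload and emits the warning.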

HMAC algorithms always use the built-in OpenSSL variants

Until this release, the HMAC implementation in use would switch depending on whether the rbnacl dependency was available. Now the HMAC features are always provided by the default OpenSSL implementation.

Also, special thanks to julik for digging into an issue related to coordinate encoding when importing EC keys from JWKs.