Duplicate sub in payload is not reported in jwt.io #658

Open
mcornella opened this issue Jun 26, 2023 · 3 comments

Comments


mcornella commented Jun 26, 2023

Sample JWT token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2ODc3NzE1NzMsImV4cCI6MTcxOTMwNzU3Mywic3ViIjoiOTY2ZDRmNDAtN2I4Mi00MzU2LTlmMWQtNWU4ODg3N2YwMGZjIiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.NUHtzsafJVwL3goc4V5j5-VGuzn79qwfD0p1EvXPI7A

The payload should be decoded to

{
    "iss": "Online JWT Builder",
    "iat": 1687771573,
    "exp": 1719307573,
    "aud": "www.example.com",
    "sub": "966d4f40-7b82-4356-9f1d-5e88877f00fc",
    "sub": "jrocket@example.com",
    "GivenName": "Johnny",
    "Surname": "Rocket",
    "Email": "jrocket@example.com",
    "Role": [
        "Manager",
        "Project Administrator"
    ]
}

which is visible when using the JS atob() function, but of course when parsing this to JSON the two sub fields are merged into one.

This has been an issue in one of my recent tests, and it has added significant toil when jwt.io did not catch this mistake. Could you add a warning when catching duplicate properties, or point me in the direction for how to solve it in a PR?

Thanks!

@panva
Contributor

panva commented Feb 10, 2024

It is normal for a JSON parser to ignore the previous values for repeated keys. Using standard JSON.parse we cannot detect repeated keys.

panva closed this as not planned on Feb 10, 2024
DanOnCall reopened this on Jun 18, 2024
@DanOnCall
Contributor

Hello, Marc! I am one of the newly appointed maintainers for jwt.io and I like this idea as a warning in the decoder :) I'll explore it for the next version of jwt.io

@mcornella
Author

Hey Dan! Thanks for reopening the issue. I tried on my end to see alternatives to JSON.parse, but didn't find a way to do it; hopefully you have more insights. Let me know if you need anything!
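A check of the kind Marc asks for and panva notes JSON.parse cannot give, as an added example that is not jwt.io's code and not from either commenter: it decodes the payload segment and tokenizes the JSON text itself, tracking member names per object, so a repeated claim is reported instead of silently overwritten. Node.js (Buffer) and the issue's sample token are assumed; the function names are my own.

```javascript
// Added example (not jwt.io's code). JSON.parse keeps only the last value of a
// repeated key, so duplicates are found by scanning the decoded JSON text itself.
// Assumes Node.js (Buffer). Sample token taken from the issue above.
const SAMPLE_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2ODc3NzE1NzMsImV4cCI6MTcxOTMwNzU3Mywic3ViIjoiOTY2ZDRmNDAtN2I4Mi00MzU2LTlmMWQtNWU4ODg3N2YwMGZjIiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.NUHtzsafJVwL3goc4V5j5-VGuzn79qwfD0p1EvXPI7A";

function base64UrlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Returns the member names that occur more than once within the same object.
// One Set of seen names is kept per open object; arrays push null so that
// strings inside them are never mistaken for member names.
function findDuplicateKeys(json) {
  const dups = [];
  const stack = [];
  let i = 0;
  const readString = () => {                 // json[i] is the opening quote
    let raw = "";
    for (i++; i < json.length && json[i] !== '"'; i++) {
      if (json[i] === "\\") raw += json[i++]; // keep escape pairs intact
      raw += json[i];
    }
    i++;                                     // step past the closing quote
    return JSON.parse('"' + raw + '"');      // unescape: "\u0073ub" equals "sub"
  };
  while (i < json.length) {
    const c = json[i];
    if (c === "{") { stack.push(new Set()); i++; }
    else if (c === "[") { stack.push(null); i++; }
    else if (c === "}" || c === "]") { stack.pop(); i++; }
    else if (c === '"') {
      const name = readString();
      let j = i;
      while (/\s/.test(json[j] || "")) j++;
      const scope = stack[stack.length - 1];
      // A string is a member name only when it sits in an object and ':' follows it.
      if (json[j] === ":" && scope instanceof Set) {
        if (scope.has(name)) dups.push(name);
        scope.add(name);
      }
    } else i++;
  }
  return dups;
}

// Decodes the payload segment of a compact JWS and reports repeated claim names.
function duplicateClaims(token) {
  return findDuplicateKeys(base64UrlDecode(token.split(".")[1]));
}

console.log(duplicateClaims(SAMPLE_TOKEN)); // [ 'sub' ]
```

A decoder that runs this before JSON.parse can show a warning for the sample token, and a verifier can reject the token outright rather than accept whichever "sub" the parser happens to keep.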
