Open justdemon opened 6 months ago
https://github.com/Azure-Samples/microsoft-azure-attestation/blob/5d34c177f9712f821a82ad7799050bedd7850bae/maa.jwt.verifier/src/main.cpp#L71
Anyone can manipulate the JWT, update the JKU to their own domain, and then sign the JWT with their own key. Can we have an example of how to prevent this type of attack? Does the JKU always use the same domain as the ISS in Azure Attestation?
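One way to close the gap the issue describes, as an added example that is neither code from the Azure-Samples repository nor from the issue author: before a verifier fetches signing keys from the `jku` header, it should constrain that URL to a host it was explicitly configured to trust and require it to match the host of the token's `iss` claim, so a token whose header points at an attacker-controlled key set is rejected without any network request. The example is written in Python rather than the sample's C++ for brevity; the trusted host name, the token values and the accepted algorithm set are constructed assumptions, not values taken from the page or from the service.

```python
import base64
import json
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlparse

# Assumption: the attestation instance(s) this verifier was provisioned against.
# A real deployment would load this from configuration, never from the token.
TRUSTED_ATTESTATION_HOSTS: Set[str] = {"myinstance.eus.attest.azure.net"}

# Assumption: the only signature algorithm the verifier accepts. Pinning this
# rejects "none" and algorithm-confusion tricks before key lookup even starts.
ALLOWED_ALGS: Set[str] = {"RS256"}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment of a compact JWS."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_unverified_parts(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into (header, claims) WITHOUT checking the signature.

    Nothing returned here is trustworthy yet; it is only used to decide where
    the verifier is allowed to fetch keys from.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def jku_is_trusted(header: Dict, claims: Dict, trusted_hosts: Set[str]) -> bool:
    """Policy for whether the jku URL may be used to obtain signing keys.

    Requirements: https scheme, no embedded credentials or odd port, host is
    one the verifier was configured to trust, and host equals the iss host.
    """
    if header.get("alg") not in ALLOWED_ALGS:
        return False
    jku = header.get("jku")
    iss = claims.get("iss")
    if not isinstance(jku, str) or not isinstance(iss, str):
        return False
    jku_url = urlparse(jku)
    iss_url = urlparse(iss)
    if jku_url.scheme != "https" or iss_url.scheme != "https":
        return False
    if jku_url.username or jku_url.password or jku_url.port not in (None, 443):
        return False
    jku_host = jku_url.hostname  # urlparse lower-cases hostname already
    if not jku_host or jku_host not in trusted_hosts:
        return False
    if jku_host != (iss_url.hostname or ""):
        return False
    return True


def select_key_source(token: str,
                      trusted_hosts: Set[str] = TRUSTED_ATTESTATION_HOSTS) -> Optional[str]:
    """Return the jku URL to fetch keys from, or None if the token must be rejected."""
    header, claims = decode_unverified_parts(token)
    return header["jku"] if jku_is_trusted(header, claims, trusted_hosts) else None


def make_unsigned_token(header: Dict, claims: Dict) -> str:
    """Build a compact JWS with an empty signature; for constructing test inputs only."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: a header that points jku at a host the verifier does not trust.
    sample = make_unsigned_token(
        {"alg": "RS256", "jku": "https://keys.example.invalid/certs"},
        {"iss": "https://myinstance.eus.attest.azure.net"},
    )
    print("key source:", select_key_source(sample))  # None: no fetch, token rejected
```

The host allowlist does the real work: matching `jku` against `iss` alone is not enough, because both fields are attacker-writable in a forged token, so the verifier must also compare against configuration it controls. Only after this check passes should the key set be fetched and the signature verified against it.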