IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

JWT "validation" with encryption algorithm set to 'none' #59

Closed RomanBorysenok closed 7 years ago

RomanBorysenok commented 7 years ago

Hello,

Thank you for your work! I have one question regarding "validation" of a JWT that is encrypted with the algorithm set to 'none'. Currently, for development purposes, the encryption alg is set to 'none', but I'm trying to find out how to properly handle this kind of scenario. As I understand it, when a JWT is encrypted with the 'none' alg, there is no signature in the JWT. As a result, I'm getting the error when trying to verify it: "IDX10504: Unable to validate signature, token does not have a signature". So I'm wondering whether this type of scenario is supported? As far as I know, https://www.npmjs.com/package/jsonwebtoken supports this kind of scenario: jwt.verify(bearerToken, null, { algorithms: ['none'] });

Thanks!

leastprivilege commented 7 years ago

I don't follow. IS4 does not support JWT encryption OOB.