Closed zkrzyzanowski closed 2 years ago
After a little bit of digging, I think the issue is the call to this function from verify_signature. I'm guessing when it tries to deserialize the header string to a Header, it fails since none isn't a valid algorithm.
Looking at the JSON Web Signature spec you reference in code here, it mentions that the algorithms used must be registered in the JSON Web Algorithms spec here.
However, they do mention that none is allowed as an alg type here, "but MUST use the empty octet sequence as its JWS Signature value. Recipients MUST verify that the JWS Signature value is the empty octet sequence."
All that being said, is this something you would support if I open a PR for it?
The none algorithm is explicitly not supported in this crate, a PR adding it will not be merged. I know it's mentioned in the spec but it's a silly idea in the first place.
Hi, I'm having an issue decoding a JWT with validation.insecure_disable_signature_validation(); set. I'm using Firebase emulator for local development, which produces a token with the alg header set to none, so I'd like to turn off signature validation in that environment.
When running the following code, I get this error:
Based on the verify_signature function in decoding.rs here, I'd expect validation.validate_signature to be false and it would just pass along the header and claims.
Full reproduction of the error here
Thanks for your help and the work on this library!
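The recipient-side rule quoted in the thread (an alg of none requires an empty signature segment) can be checked in isolation. The following is an added example, not part of the thread and not code from the crate: it uses only the standard library, and the names decode_unsecured, Reject and allow_unsecured, the simplified header lookup and the sample token are assumptions made for illustration.

```rust
// Added example, std only; not code from the jsonwebtoken crate.
#[derive(Debug, PartialEq)]
pub enum Reject { Malformed, NotNone, NonEmptySignature, Disabled }

// Minimal unpadded base64url decoder (assumed helper for this example).
fn b64url(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None,
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

// Simplified "alg" lookup; real code should use a JSON parser.
fn alg_of(header: &str) -> Option<&str> {
    let rest = &header[header.find("\"alg\"")? + 5..];
    let rest = rest.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    Some(&rest[..rest.find('"')?])
}

// Returns the raw claims bytes only for an opted-in, well-formed unsecured JWS.
pub fn decode_unsecured(token: &str, allow_unsecured: bool) -> Result<Vec<u8>, Reject> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 { return Err(Reject::Malformed); }
    let header = b64url(parts[0]).and_then(|b| String::from_utf8(b).ok()).ok_or(Reject::Malformed)?;
    if alg_of(&header) != Some("none") { return Err(Reject::NotNone); } // use normal verification
    if !parts[2].is_empty() { return Err(Reject::NonEmptySignature); } // spec: signature MUST be empty
    if !allow_unsecured { return Err(Reject::Disabled); } // default: refuse outside the emulator
    b64url(parts[1]).ok_or(Reject::Malformed)
}

fn main() {
    // Constructed token: header {"alg":"none"}, claims {"sub":"dev"}, empty signature.
    let t = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZXYifQ.";
    println!("{:?}", decode_unsecured(t, true).map(String::from_utf8));
}
```

Keeping allow_unsecured false everywhere except the local emulator build means a token with alg none is refused by default, and any token with another alg is handed back to normal signature verification.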