Keats / jsonwebtoken

JWT lib in rust
MIT License

validation.insecure_disable_signature_validation() not working #257

Closed zkrzyzanowski closed 2 years ago

zkrzyzanowski commented 2 years ago

Hi, I'm having an issue decoding a jwt with validation.insecure_disable_signature_validation(); set. I'm using firebase emulator for local development, which produces a token with the alg header set to none, so I'd like to turn off signature validation in that environment.

When running the following code, I get this error:

```text
unknown variant `none`, expected one of `HS256`, `HS384`, `HS512`, `ES256`, `ES384`, `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `EdDSA` at line 1 column 25
```

```rust
use jsonwebtoken::{Algorithm, DecodingKey, TokenData, Validation};
use serde::{Deserialize, Serialize};

#[derive(Debug, Serialize, Deserialize)]
struct Claims {
    aud: String, // Optional. Audience
    exp: usize,  // Required (validate_exp defaults to true in validation). Expiration time (as UTC timestamp)
    iat: usize,  // Optional. Issued at (as UTC timestamp)
    iss: String, // Optional. Issuer
    // nbf: usize, // Optional. Not Before (as UTC timestamp)
    sub: String, // Optional. Subject (whom token refers to)
}

fn main() {
    let mut validation = Validation::new(Algorithm::RS256);
    validation.insecure_disable_signature_validation();

    // Token with header {"typ":"JWT","alg":"none"} and an empty signature segment
    let token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTY1Njc5MjY1MSwiZXhwIjoxNjU2Nzk2MjUxfQ.";

    let decoded_token: Result<TokenData<Claims>, jsonwebtoken::errors::Error> =
        jsonwebtoken::decode::<Claims>(token, &DecodingKey::from_secret(&[]), &validation);

    match decoded_token {
        Ok(token) => println!("{:?}", token.header),
        Err(err) => println!("{}", err),
    }
}
```

Based on the verify_signature function in decoding.rs here, I'd expect validation.validate_signature to be false and that it would just pass along the header and claims.

Full reproduction of the error here.

Thanks for your help and the work on this library!

zkrzyzanowski commented 2 years ago

After a little bit of digging, I think the issue is the call to this function from verify_signature. I'm guessing that when it tries to deserialize the header string to a Header, it fails since none isn't a valid algorithm.

Looking at the JSON Web Signature spec you reference in code here, it mentions that the algorithms used must be registered in the JSON Web Algorithms spec here.

However, they do mention that none is allowed as an alg type here, but it "MUST use the empty octet sequence as its JWS Signature value. Recipients MUST verify that the JWS Signature value is the empty octet sequence."

All that being said, is this something you would support if I open a PR for it?

Keats commented 2 years ago

The none algorithm is explicitly not supported in this crate; a PR adding it will not be merged. I know it's mentioned in the spec, but it's a silly idea in the first place.
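Since the crate refuses `alg: none` at header deserialization, the practical way to handle such tokens is to reject them (and any non-allow-listed algorithm) before they reach `jsonwebtoken::decode`. The following is an added example, not code from this thread or from the jsonwebtoken crate; it uses only the standard library and a hand-rolled base64url decoder, and the sample tokens below are constructed (the first reuses the issue's `{"typ":"JWT","alg":"none"}` header with an empty signature segment).

```rust
/// Minimal base64url decoder (RFC 7515 "base64url", unpadded; padding tolerated).
fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    let (mut bits, mut nbits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.bytes() {
        let v: u32 = match c {
            b'A'..=b'Z' => (c - b'A') as u32,
            b'a'..=b'z' => (c - b'a' + 26) as u32,
            b'0'..=b'9' => (c - b'0' + 52) as u32,
            b'-' => 62,
            b'_' => 63,
            b'=' => continue,
            _ => return None,
        };
        bits = ((bits << 6) | v) & 0xfff; // at most 12 live bits are ever pending
        nbits += 6;
        if nbits >= 8 {
            nbits -= 8;
            out.push(((bits >> nbits) & 0xff) as u8);
        }
    }
    Some(out)
}

/// Extracts the `alg` member from the (unverified) JOSE header segment.
/// Plain string scanning keeps this dependency-free; a service would use serde_json.
fn header_alg(token: &str) -> Option<String> {
    let header = String::from_utf8(b64url_decode(token.split('.').next()?)?).ok()?;
    let rest = &header[header.find("\"alg\"")? + 5..];
    let start = rest.find('"')? + 1; // opening quote of the value
    let end = start + rest[start..].find('"')?;
    Some(rest[start..end].to_string())
}

/// Policy gate: unsigned tokens (`alg: none`) and algorithms outside the
/// caller's allow-list are refused before any decoding code sees the token.
fn is_acceptable(token: &str, allowed: &[&str]) -> bool {
    match header_alg(token) {
        Some(alg) => !alg.eq_ignore_ascii_case("none") && allowed.contains(&alg.as_str()),
        None => false,
    }
}

fn main() {
    // Constructed: header {"typ":"JWT","alg":"none"}, payload {"sub":"1234567890"}, empty signature.
    let unsigned = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIn0.";
    // Constructed: header {"alg":"HS256","typ":"JWT"}, same payload, placeholder signature.
    let signed = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.sig";
    println!("unsigned accepted? {}", is_acceptable(unsigned, &["RS256", "HS256"]));
    println!("HS256 accepted?    {}", is_acceptable(signed, &["RS256", "HS256"]));
}
```

For a local emulator that only issues unsigned tokens, the gate can be relaxed per environment without ever teaching the production path to accept `none`.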