Keats / jsonwebtoken

JWT lib in rust
MIT License

Decode JWT without signature verification? #395

Closed jaymell closed 3 weeks ago

jaymell commented 3 weeks ago

Hi, I'm wondering if you'd consider it a reasonable use case to somehow enable exposing the body of the JWT without needing to verify the signature. The use case is pretty simple: If a JWT is expired, I'd still like to be able to access the exp field in certain cases. I'm not able to find a way to do that with the current state of the library. Perhaps a decode_without_validation method?

Thanks.

Keats commented 3 weeks ago

That's already possible: https://docs.rs/jsonwebtoken/latest/jsonwebtoken/struct.Validation.html#method.insecure_disable_signature_validation

Keats commented 3 weeks ago

And if you want just data from the header you can use https://docs.rs/jsonwebtoken/latest/jsonwebtoken/fn.decode_header.html

jaymell commented 3 weeks ago

Thank you!