Vonage / vonage-java-code-snippets

Java code examples for using Vonage
MIT License

[Security] Properly verify the JWT signature. #81

Closed intrigus-lgtm closed 3 years ago

intrigus-lgtm commented 3 years ago

The parse method does not verify the signature of a JWT. So it accepts, e.g., a token like this: someBase64EncodedHeader.someBase64EncodedClaims. Notice that it accepts a token without a signature. By using the parseClaimsJws method instead, the signature is correctly verified.
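The contrast the issue describes, as an added example that is not code from this repository or from the PR: it assumes the jjwt 0.9.x API (Jwts.parser(), setSigningKey, parse, parseClaimsJws) and uses a constructed HMAC secret and token contents. The verify method is the hardened form; parseWithoutRequiringSignature is the pattern the issue reports, kept only to show the difference.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.nio.charset.StandardCharsets;

public class JwtVerificationExample {

    // Constructed demo secrets; a real secret comes from configuration, never source code.
    private static final byte[] SECRET =
            "constructed-demo-secret-at-least-32-bytes-long!!".getBytes(StandardCharsets.UTF_8);
    private static final byte[] OTHER_SECRET =
            "constructed-other-secret-at-least-32-bytes-long!".getBytes(StandardCharsets.UTF_8);

    /**
     * Hardened form (the fix from the issue): parseClaimsJws() only accepts a
     * signed JWS and checks its signature against the configured key.
     * An unsigned token ("header.payload.") is rejected with UnsupportedJwtException,
     * a token signed with a different key with SignatureException.
     */
    static Claims verify(String token) {
        Jws<Claims> jws = Jwts.parser()
                .setSigningKey(SECRET)
                .parseClaimsJws(token);
        return jws.getBody();
    }

    /**
     * The pattern the issue reports: parse() accepts both signed and unsigned
     * tokens, so a token with no signature at all is returned as if it were valid.
     */
    static Object parseWithoutRequiringSignature(String token) {
        return Jwts.parser().setSigningKey(SECRET).parse(token).getBody();
    }

    /** Returns a short label describing how verify() treats the token. */
    static String outcome(String token) {
        try {
            return "accepted, sub=" + verify(token).getSubject();
        } catch (JwtException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed tokens: one properly signed, one with no signature, one signed
        // with a key the verifier does not trust.
        String signed = Jwts.builder().setSubject("alice")
                .signWith(SignatureAlgorithm.HS256, SECRET).compact();
        String unsigned = Jwts.builder().setSubject("alice").compact(); // no signWith()
        String wrongKey = Jwts.builder().setSubject("alice")
                .signWith(SignatureAlgorithm.HS256, OTHER_SECRET).compact();

        System.out.println("signed    -> " + outcome(signed));
        System.out.println("unsigned  -> " + outcome(unsigned));
        System.out.println("wrong key -> " + outcome(wrongKey));

        // The vulnerable form returns the unsigned token's claims without complaint.
        System.out.println("parse() on unsigned -> " + parseWithoutRequiringSignature(unsigned));
    }
}
```

Build it against io.jsonwebtoken:jjwt:0.9.1 (the API assumed here; jjwt 0.11 and later use Jwts.parserBuilder() instead). The practical check for a code base is simple: every call that turns an inbound token into claims should go through parseClaimsJws (or the equivalent signed-only method), and any remaining parse() call on untrusted input is a finding.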

dragonmantank commented 3 years ago

Thanks! Website will be updated shortly with this