compiledpanda / jwt

CLI to encode, decode, and validate JWTs
MIT License

Bug on alg validation #8

Open mterron opened 5 years ago

mterron commented 5 years ago

jwt fails to validate a token:

$ jwt decode $TOKEN
HEADER:
{
  "alg": "RS512",
  "kid": "TID01",
  "typ": "JWT"
}

PAYLOAD:
{
...
}
$ jwt validate $TOKEN
algorithm is invalid. Must be one of HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, EdDSA
$
compiledpanda commented 5 years ago

@mterron When you call validate you need to pass in the algorithm and secret.

jwt validate $TOKEN -a RS512 -s @/path/to/public/key
compiledpanda commented 5 years ago

I do see what you are referring to. It works as designed (-a and -s are required), but the design is bad. I'll open an issue to only validate the structure when no algorithm or secret is passed in.

mterron commented 5 years ago

Maybe the error message should be something like "Missing mandatory options -a and -s" or something along those lines. The error message is really confusing, as the algorithm used is one of the ones that jwt says should be used. Thanks!
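The two modes discussed in this thread, a structure-only decode versus a full validation that requires the caller to supply the expected algorithm and key, written out as an added example (not the jwt tool's own code). It is standard-library Python, covers only the HS* family, and uses a constructed secret and token; the error text for the missing -a/-s case follows the wording proposed above.

```python
import base64, hashlib, hmac, json

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_structure(token):
    """Equivalent of `jwt decode`: checks the three-segment shape and parses
    header and payload. Performs no signature verification at all."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three '.'-separated segments")
    return {"header": json.loads(_b64url_decode(parts[0])),
            "payload": json.loads(_b64url_decode(parts[1]))}

# Hash functions for the HMAC algorithms this example supports.
HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def validate(token, alg=None, secret=None):
    """Equivalent of `jwt validate -a ALG -s SECRET`. The expected algorithm and
    key come from the caller; the header's "alg" is only compared against the
    expectation, never used to pick the verification routine."""
    if alg is None or secret is None:
        raise ValueError("Missing mandatory options -a (algorithm) and -s (key)")
    if alg not in HS_ALGS:
        raise ValueError("unsupported algorithm for this example: %s" % alg)
    decoded = decode_structure(token)
    header_alg = decoded["header"].get("alg")
    if header_alg != alg:
        raise ValueError("header alg %r does not match expected %r" % (header_alg, alg))
    signing_input, sig = token.rsplit(".", 1)
    expected = hmac.new(secret, signing_input.encode(), HS_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature verification failed")
    return decoded["payload"]

def sign(payload, alg, secret):
    # Constructed helper that mints a sample token for the demonstration.
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), HS_ALGS[alg]).digest()
    return signing_input + "." + _b64url_encode(sig)

if __name__ == "__main__":
    tok = sign({"sub": "demo"}, "HS256", b"constructed-secret")
    print(decode_structure(tok)["header"])   # structure only, like `jwt decode`
    print(validate(tok, "HS256", b"constructed-secret"))
```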