Closed domenkozar closed 4 years ago
Thanks for the report @domenkozar.
It's a deliberate decision of the library not to provide access to unverified data. Of course, you can always decode it yourself. It's extra work, but it should be; libraries should not make it easy for people to take shortcuts with security.
Security has a threat model. In our case we know the JWT is generated securely, so there's no need to verify it.
But the client (who doesn't have the private key to verify it) uses information from the JWT.
OK, well the client can decode the unverified JWT and read it themselves. Some of the instances available in the library may help with that (e.g. there is an instance `FromJSON ClaimsSet`). But the shortcut you desire violates the security principles of this library and will not be implemented.
Sometimes it's useful to just extract the JSON out of a JWT when you don't have the private key to verify it.
Currently all JWT constructions are hidden, which makes it hard.
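What "decode it yourself" amounts to, as an added, library-independent example that is not from the jose project or any participant in this thread: a compact JWS is three base64url segments, so the header and claims can be read with nothing but base64 and JSON. The block also shows why the maintainer keeps that path deliberately separate from verification: a forged payload with the old signature decodes exactly as cleanly as the genuine one, and only an actual signature check tells them apart. The key, the claims and the HS256 helpers are constructed for the demo (assumptions, not anything the library provides).

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, claims) WITHOUT checking the signature.

    Everything returned here is attacker-controlled until the token is verified;
    treat it as untrusted input, never as an authenticated identity.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify an HS256 token with a shared key and return its claims, or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: never let the token pick how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper to mint a genuine token for the demo."""
    header = _b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def tamper(token: str, new_claims: dict) -> str:
    """What an attacker does: swap the payload, keep the old signature."""
    header, _, sig = token.split(".")
    payload = _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{sig}"


KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
GENUINE = sign_hs256({"sub": "alice", "admin": False}, KEY)
FORGED = tamper(GENUINE, {"sub": "alice", "admin": True})

if __name__ == "__main__":
    # Both tokens decode without complaint; decoding proves nothing.
    print("genuine, unverified:", decode_unverified(GENUINE)[1])
    print("forged,  unverified:", decode_unverified(FORGED)[1])
    print("genuine, verified:  ", verify_hs256(GENUINE, KEY))
    try:
        verify_hs256(FORGED, KEY)
    except ValueError as err:
        print("forged, verified:    rejected:", err)
```

A client that only holds a public key would replace `verify_hs256` with the matching asymmetric check; the unverified decode stays the same, and so does the rule that nothing it returns may be used for an authorization decision.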