Closed (saracen closed this issue 8 years ago)
As for the first point, good point. I don't think I was thinking about doing signature verification when I wrote this.
For the second point, perhaps it would be best to allow the coder to specify what the default is. What is your say on this matter?
Just wondering if this logic: https://github.com/lestrrat/go-jwx/blob/76ff5fd46c773bcf15f019da4b5247780efec796/jws/jws.go#L184 is also supposed to deal with a JWK that has the use "sig"?
Also, the specification states that the "alg" parameter of a JWK can be optional. Azure AD's OpenID implementation does not send this. Their own library seems to use RSA256 by default if the kty is RSA. Do you believe it is safe to always fallback to one of the "recommended" algorithms defined by the specification when the "alg" parameter is blank?
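An added example in Go (not go-jwx's own code and not from this thread) of the two checks the questions above touch on: a key whose "use" is not "sig" is refused for signature verification, and a key with no "alg" is only accepted with an algorithm the caller explicitly chose for that kty, never one guessed by the library. The JWK type, SelectKey, ResolveSigAlg and the sample JWKS document are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// JWK is the subset of RFC 7517 fields needed here (assumed type, not go-jwx's).
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
	Alg string `json:"alg,omitempty"`
	Kid string `json:"kid,omitempty"`
}
// Constructed JWKS: k1 omits "alg" (like the Azure AD case above); k2 is an encryption key.
const sampleJWKS = `{"keys":[
 {"kty":"RSA","use":"sig","kid":"k1"},
 {"kty":"RSA","use":"enc","alg":"RSA-OAEP","kid":"k2"}]}`
// SelectKey picks the key with the given kid out of a raw JWKS document.
func SelectKey(rawJWKS, kid string) (JWK, error) {
	var set struct{ Keys []JWK `json:"keys"` }
	if err := json.Unmarshal([]byte(rawJWKS), &set); err != nil {
		return JWK{}, err
	}
	for _, k := range set.Keys {
		if k.Kid == kid {
			return k, nil
		}
	}
	return JWK{}, fmt.Errorf("no key with kid %q", kid)
}
// ResolveSigAlg returns the algorithm a JWS header may use with key k. defaults maps
// kty -> the algorithm the caller accepts when "alg" is absent; no entry means reject.
func ResolveSigAlg(k JWK, headerAlg string, defaults map[string]string) (string, error) {
	if k.Use != "" && k.Use != "sig" {
		return "", fmt.Errorf("key %q has use=%q, not a signing key", k.Kid, k.Use)
	}
	alg := k.Alg
	if alg == "" {
		d, ok := defaults[k.Kty]
		if !ok {
			return "", fmt.Errorf("key %q has no alg and no caller default for kty %q", k.Kid, k.Kty)
		}
		alg = d
	}
	if alg != headerAlg {
		return "", fmt.Errorf("header alg %q does not match key alg %q", headerAlg, alg)
	}
	return alg, nil
}
```

Because the header "alg" is compared against the key's resolved algorithm, a token cannot be verified under an algorithm the key was never meant for, even when the JWKS leaves "alg" blank.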