mattrglobal / jwm

JSON Web Message (JWM) RFC

Are we required to support the none "alg" type? #21

Closed kdenhartog closed 4 years ago

kdenhartog commented 4 years ago

Right now we're requiring support for the "none" alg type. I'd ideally like to avoid this if possible, but I'm uncertain if we can because we're requiring the use of JWE/JWS which require support for it.

If we do need to support it, I'd like to be able to provide clarifying text about how it should be used and implemented to prevent another vulnerability:

https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

tplooker commented 4 years ago

Agreed, this is related to #5; we have decided to remove this.