Closed lionello closed 7 years ago
This is a critical vulnerability that needs to be addressed, as per notes on https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
TL;DR: do not silently accept "alg":"none" JWTs, since it's easy for callers to strip off the signature.
"alg":"none"
This is a critical vulnerability that needs to be addressed, as per notes on https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
TL;DR: do not silently accept
"alg":"none"
JWTs, since it's easy for callers to strip off the signature.
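The bypass described in this issue, as an added example that is not code from the original report or from the library it was filed against: a minimal HS256 signer, the signature-stripping forgery the post describes (rewrite the header to `"alg":"none"`, keep or edit the claims, send an empty signature), a verifier that trusts the token's own `alg` field, and a hardened verifier that only honours algorithms the server itself opted into. The key and the claims are constructed for the demo; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment loads this from its secret store.
KEY = b"constructed-demo-hmac-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what the honest server does)."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_unsigned(claims: dict) -> str:
    """What the attacker does: set alg to none, choose any claims, send no signature."""
    return _json_b64({"alg": "none", "typ": "JWT"}) + "." + _json_b64(claims) + "."


def _check_hs256(header_b64: str, payload_b64: str, sig_b64: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Trusts the token's own alg field, so "none" skips the signature check entirely."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))  # BUG: accepted without any verification
    if header.get("alg") == "HS256" and _check_hs256(header_b64, payload_b64, sig_b64, key):
        return json.loads(_b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes, allowed_algs=("HS256",)) -> Optional[dict]:
    """The accepted algorithm set is fixed by the verifier; the token header never chooses it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    alg = header.get("alg")
    if alg not in allowed_algs:
        return None  # rejects "none", "NONE", a missing alg, and anything not opted into
    if alg == "HS256" and sig_b64 and _check_hs256(header_b64, payload_b64, sig_b64, key):
        return json.loads(_b64url_decode(payload_b64))
    return None


if __name__ == "__main__":
    genuine = sign_hs256({"sub": "alice", "admin": False}, KEY)
    forged = forge_unsigned({"sub": "alice", "admin": True})
    print("vulnerable verifier, forged token:", verify_vulnerable(forged, KEY))
    print("hardened verifier, forged token:  ", verify_hardened(forged, KEY))
    print("hardened verifier, genuine token: ", verify_hardened(genuine, KEY))
```

The hardened verifier also treats a malformed token, an unknown algorithm and an empty signature as failures rather than exceptions, so a caller cannot distinguish "stripped" from "wrong key" and the only way to be accepted is to present a signature the server itself can recompute.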