
Infer algorithm from header #254

Closed
JoeWoodward opened this issue Feb 21, 2018 · 2 comments

Comments

@JoeWoodward

Is there a reason to not infer the algorithm?

The information about which algorithm was used is in the header. Why not use that information instead of requiring that the programmer define it in the options hash?

@ab320012
Contributor

It's a security concern to let the client dictate the algo without validating on the server. Check out the sections "RSA or HMAC?" and "Recommendations for Library Developers" in https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

@excpt
Member

excpt commented Mar 22, 2018

@JoeWoodward Due to security concerns the algorithm is not fetched from the header of an incoming token for verification.

More on that topic in these PRs / issues:

Code changed in #184

Explained in more detail here #107, #226
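The point made in the two replies above, as an added example that is not ruby-jwt's own code: a minimal HS256 verifier that keeps the algorithm as a server-side decision. The token header's "alg" is read only to confirm it equals the pinned value; it never selects which verifier runs, so a token whose header claims "none" or a different algorithm is rejected before any signature check. The helper names (SIGNERS, issue_token, verify_token, secure_equal?) and the sample secret and payload are constructed for this example, and only Ruby's standard library is used.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Added example, not ruby-jwt's code. Helper names are hypothetical.
# Server-side allowlist of signing algorithms this service will ever accept.
# The verifier is looked up from the server's configured algorithm, never
# from the incoming token's header.
SIGNERS = {
  'HS256' => ->(input, key) { OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, input) }
}.freeze

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Issue a token the way the server does: the algorithm is chosen here.
def issue_token(payload, secret, alg: 'HS256')
  signer = SIGNERS.fetch(alg)
  header = { 'alg' => alg, 'typ' => 'JWT' }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  "#{signing_input}.#{b64url_encode(signer.call(signing_input, secret))}"
end

# Verify against a pinned algorithm. The header's "alg" must match the
# server's expectation; it is not used to pick the verification routine.
# Returns [:ok, payload] or [:invalid, reason].
def verify_token(token, secret, expected_alg: 'HS256')
  signer = SIGNERS.fetch(expected_alg) # unknown server config fails loudly (KeyError)
  parts = token.split('.', -1)
  return [:invalid, 'malformed token'] unless parts.length == 3

  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  return [:invalid, 'malformed header'] unless header.is_a?(Hash)
  unless header['alg'] == expected_alg
    return [:invalid, "algorithm mismatch: header says #{header['alg'].inspect}, server expects #{expected_alg}"]
  end

  expected_sig = signer.call("#{header_b64}.#{payload_b64}", secret)
  return [:invalid, 'bad signature'] unless secure_equal?(expected_sig, b64url_decode(sig_b64))

  [:ok, JSON.parse(b64url_decode(payload_b64))]
rescue ArgumentError, JSON::ParserError => e
  [:invalid, "undecodable token: #{e.class}"]
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret' # constructed sample value
  token = issue_token({ 'sub' => 'alice' }, secret)
  p verify_token(token, secret)
  # Same payload, header rewritten to claim "none" with an empty signature:
  _header_b64, payload_b64, = token.split('.')
  altered = "#{b64url_encode(JSON.generate({ 'alg' => 'none' }))}.#{payload_b64}."
  p verify_token(altered, secret)
end
```

The design choice worth noting is that `expected_alg` comes from server configuration (or a per-key binding), which is the same shape as ruby-jwt's options hash requirement: the caller states the algorithm, and the library refuses anything else. A library that instead inferred the routine from the header would let the token author choose between, for example, an RSA public-key check and an HMAC check keyed with that same public-key string, which is the confusion the linked Auth0 post describes.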
