
Unsecured JWT #253

Open
felschr opened this issue Apr 6, 2023 · 4 comments

Comments


felschr commented Apr 6, 2023

Summary

RFC 7519 section 6.1 specifies Unsecured JWTs with algorithm none:
https://www.rfc-editor.org/rfc/rfc7519#section-6

Steps to reproduce

Try encoding using algorithm none:

> jwt encode --alg=none '{"role": "my-role"}'
error: The following required arguments were not provided:
    --secret <SECRET>

USAGE:
    jwt encode --secret <SECRET> --alg <ALGORITHM> <JSON>

For more information try --help

And decoding using the JWT from section 6.1 of the spec.

> jwt decode 'eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.'
The JWT provided is invalid because Error(Json(Error("unknown variant `none`, expected one of `HS256`, `HS384`, `HS512`, `ES256`, `ES384`, `RS256`, `RS384`, `RS512`, `PS256`, `PS384`, `PS512`", line: 1, column: 13)))

Expected behavior

The command jwt encode --alg=none should create a valid unsecured JWT and jwt decode should be able to parse unsecured JWTs.

Instead of jwt encode --alg=none the CLI could also expose this functionality via jwt encode --unsecured to make the security implications more obvious.
Additionally, jwt decode could also require an --unsecured argument and throw a validation error if not provided when decoding an unsecured JWT.

@mike-engel (Owner)

At the moment, this isn't possible until jsonwebtoken accepts None as an algorithm.


notrobpike commented Aug 28, 2023

Considering jsonwebtoken has that issue as a closed:wontfix, and they give an easy solution, I don't see how that's a blocker.

For alg none, it's a simple base64 decode. Since jsonwebtoken has a use case where they believe encode/decode of none is a footgun, this cli tool should just implement it "natively". For the use case of this tool, needing to run a separate tool (base64 -d for example) depending on the alg, is quite annoying.

So, what I mean is, jwt-cli could either do a plain decode (validate exp if you want), or this issue should be closed outright. But I think the blocked status is a falsehood and that shouldn't be the case here. I would prefer the former solution!

thanks
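The gated decode that the two comments above describe (an explicit opt-in in the spirit of the proposed `--unsecured` flag, an empty signature segment, an optional `exp` check), as an added example that is not jwt-cli or jsonwebtoken code; it is written in Python with the standard library rather than the project's Rust, and the token it parses is the RFC 7519 section 6.1 example quoted in the issue.

```python
import base64
import json
import time

# The alg=none token from RFC 7519 section 6.1, as quoted in the issue.
EXAMPLE_TOKEN = (
    "eyJhbGciOiJub25lIn0."
    "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ."
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unsecured_jwt(token: str, allow_unsecured: bool, now=None) -> dict:
    """Return the claims of an alg=none JWT, but only when the caller opts in.

    Raises ValueError for a malformed token, a non-empty signature, a missing
    opt-in (the --unsecured gate proposed above) or an exp claim in the past.
    `now` is a Unix timestamp used for the exp check; defaults to the clock.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have three dot-separated segments")
    header_b64, payload_b64, signature = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "none":
        raise ValueError(f"not an unsecured JWT: alg={header.get('alg')!r}")
    if signature != "":
        # RFC 7519 section 6.1: the signature of an unsecured JWT is the empty string.
        raise ValueError("unsecured JWT must have an empty signature segment")
    if not allow_unsecured:
        raise ValueError("refusing to decode an unsecured JWT without explicit opt-in")
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    if exp is not None:
        current = int(time.time()) if now is None else now
        if current >= exp:
            raise ValueError("token expired")
    return claims


def try_decode(token: str, allow_unsecured: bool, now=None):
    """Wrapper returning (claims, None) on success or (None, reason) on rejection."""
    try:
        return decode_unsecured_jwt(token, allow_unsecured, now), None
    except ValueError as err:
        return None, str(err)
```

Run with `allow_unsecured=False` the example token is rejected; with the opt-in and a clock before its `exp` (1300819380) the `iss` and `http://example.com/is_root` claims come back.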

@mike-engel (Owner)

Thanks, @notrobpike. I'm not sure how much time I'll have to work on this, so if anyone would like to submit a PR, I'd be happy to review it.

@notrobpike

Thanks. If I were familiar with Rust I'd work up a PR. Hopefully someone out there is motivated.


3 participants