
Unable to parse claims without key #923

Closed Answered by bdemers
ravi-prajapati-1995 asked this question in Q&A

This question comes up from time to time.
From a security perspective this is a bad idea and violates the RFC, the first line of the JWS RFC:

JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures

The RFC also goes on to say this about the alg header param (section 4.1.1):

This Header Parameter MUST be present and MUST be understood and processed by implementations.

Ignoring the alg header or processing it differently would not align with these statements.

That said I'd still like to understand your use case. Why do you want to parse the token if you cannot be assured the content is valid?

Have…
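To make the distinction the answer draws concrete, here is an added example that is not part of the discussion and not the library's own code: a minimal HS256 JWS verifier in Python (all function names are hypothetical) that processes the alg header and checks the MAC before returning any claim, next to the key-less parse the question asks for, which decodes the payload but proves nothing about who produced it.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical verifier written for this example, not the library's own API.
# Only HS256 is understood; any other "alg" (including "none") is rejected.
SUPPORTED_ALGS = {"HS256": hashlib.sha256}

def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def unverified_claims(token: str) -> dict:
    """What 'parsing without a key' amounts to: the payload is decoded, but
    nothing proves who produced it, so the result must not be trusted."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verified_claims(token: str, key: bytes) -> dict:
    """Process the alg header and check the MAC before exposing any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # RFC 7515 4.1.1: "alg" MUST be present and MUST be understood and processed.
    digest = SUPPORTED_ALGS.get(header.get("alg"))
    if digest is None:
        raise ValueError(f"unsupported or missing alg: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, digest).digest()
    # Constant-time comparison of the computed MAC against the token's signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a sample token (constructed input) so the two parsers can be compared."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    signing_input = f"{_b64url_encode(header.encode())}.{_b64url_encode(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"
```

A payload spliced onto a signature that was computed for different content still decodes cleanly through `unverified_claims`, while `verified_claims` rejects it, which is the point the answer makes about parsing without a key.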

Replies: 3 comments 10 replies
