A vulnerability that allows a user to generate a valid token is possible due to some behaviour between certain algorithms; if all are accepted, it would allow a user to generate valid tokens with only the public key for RSA. You might not keep the same stringent set of security around your public key.
For the easy method, you just need to pick a single algorithm that you will use for your tokens, and then validate that inside the `token.Verify` method, where you must return the key to use.
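An added example (not code from this issue or from the library under discussion), in Python with only the standard library, showing a verify routine that checks the expected algorithm before the key callback is ever consulted. The PEM text, the `key_for` callback and the claims are constructed placeholders, and RSA verification itself is left out since the point is the algorithm pin.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder for the RSA public key a verifier would normally hold.
RSA_PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PUBLIC KEY-----"
EXPECTED_ALG = "RS256"  # the single algorithm this service issues tokens with


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256_sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Plain HS256 signer, used here only to build a sample token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hs256_sign(f"{header}.{payload}".encode(), key)
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify(token: str, key_callback, expected_alg=None) -> dict:
    """key_callback(header) returns the key for this token. With expected_alg set,
    a header naming any other alg (HS256, none, ...) is rejected before any crypto runs."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if expected_alg is not None and header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}; only {expected_alg} is accepted")
    key = key_callback(header)
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if header.get("alg") == "HS256":
        if not hmac.compare_digest(hs256_sign(signing_input, key), b64url_decode(sig_b64)):
            raise ValueError("bad signature")
    elif header.get("alg") == "RS256":
        raise NotImplementedError("RSA verification omitted; needs a crypto library")
    else:
        raise ValueError("unsupported alg")
    return json.loads(b64url_decode(payload_b64))


def key_for(header: dict) -> bytes:
    # Returns the public key whatever alg the header names: the pattern the issue warns about,
    # because under HS256 the verifier then treats that public key as the HMAC secret.
    return RSA_PUBLIC_KEY_PEM


def is_rejected_when_pinned(token: str) -> bool:
    try:
        verify(token, key_for, expected_alg=EXPECTED_ALG)
        return False
    except ValueError:
        return True
```

Without the pin, a token whose header says HS256 and whose HMAC was computed over the public key bytes passes the lenient `verify`; with `expected_alg` set it never reaches the key callback.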
We have just committed a workaround to fix the vulnerability in JWT. We'll publish a new article in our blog to share and show our temporary workaround. We hope there will be a library update soon to remedy this.
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/