
JWT-specific minutiae: the dreaded alg:none option #145

Closed
Tracked by #132
bumblefudge opened this issue Jan 20, 2023 · 4 comments
Comments

@bumblefudge

I see that alg is a required header field, but no constraint on the value of that prop. Are un-encrypted JWTs allowed? I often hear of alg:none referred to as a category of security exploits, so if you're ASSUMING encrypted JWTs probably best to explicitly ban unencrypted ones before all kinds of attack vectors creep in that open door :D

@matheus23
Member

It's kind of implicit, but no, alg:none is not allowed. We could/should clarify this I think.

The first sentence in the JWT structure section mentions the format of "header, payload and signature". We could consider adding a subsection "3.3 Signature".

We could also consider adding a subsection to "6. Validation", talking about the requirement for signature verification.

FWIW, as far as I know all UCAN implementations today require a signature to be present and allow only a small subset of alg.

@gobengo
Contributor

gobengo commented Feb 9, 2023

Are un-encrypted JWTs allowed?

I think you mean unsigned?

But yes +1 to adding normative language explicitly saying at least

alg MUST not be none
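The following is an added example of the verifier-side rule discussed in this thread (both matheus23's point that implementations require a signature and accept only a small subset of alg, and gobengo's "alg MUST not be none"). It is not code from the UCAN spec or from any UCAN implementation. It uses HMAC-SHA256 as a stand-in signer only because that is in the Python standard library; UCAN implementations use asymmetric algorithms such as EdDSA, so a real verifier's allowlist would name those instead. The key, DIDs and claims are constructed values. The design point it shows: the verifier decides which algorithms it will accept and which key it will verify under, and the header's alg only has to match that decision; it is never used to select the algorithm.

```python
import base64
import hashlib
import hmac
import json

# Allowlist of signing algorithms this verifier will accept (constructed for
# the example). HS256 appears only because HMAC is in the standard library;
# a UCAN verifier would list asymmetric algorithms such as EdDSA here.
# "none" is never on the list, so an unsigned token can never pass.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _encode_json(part: dict) -> str:
    return _b64url_encode(json.dumps(part, separators=(",", ":")).encode())


def is_alg_acceptable(alg) -> bool:
    """True only for a string that matches the allowlist exactly (case-sensitive)."""
    return isinstance(alg, str) and alg in ALLOWED_ALGS


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS with an HMAC-SHA256 signature (stand-in signer)."""
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def make_unsigned_token(payload: dict) -> str:
    """Constructed alg:none token (header.payload. with an empty signature) used as a negative case."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_encode_json(header)}.{_encode_json(payload)}."


def verify_token(token: str, key: bytes) -> dict:
    """Return the payload of a token that passes every check; raise ValueError otherwise.

    Checks run in this order so a malformed or unsigned token is rejected
    before any cryptographic work is done:
      1. exactly three segments (header.payload.signature)
      2. header "alg" is on the verifier's allowlist (rejects "none")
      3. the signature segment is non-empty
      4. the signature verifies under the verifier's own key
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if not is_alg_acceptable(header.get("alg")):
        raise ValueError(f"unacceptable alg: {header.get('alg')!r}")

    if not sig_b64:
        raise ValueError("missing signature")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the verifier does not leak how many bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")

    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    KEY = b"constructed-example-key"  # constructed; never a real key
    claims = {"iss": "did:example:alice", "aud": "did:example:bob"}
    good = sign_hs256({"alg": "HS256", "typ": "JWT"}, claims, KEY)
    print("accepted:", verify_token(good, KEY))
    for label, bad in (
        ("alg:none", make_unsigned_token(claims)),
        ("wrong key", sign_hs256({"alg": "HS256"}, claims, b"other-key")),
    ):
        try:
            verify_token(bad, KEY)
        except ValueError as exc:
            print(f"rejected ({label}):", exc)
```

Running the block accepts the signed token and rejects the alg:none token before touching the signature, which is the behaviour the normative language proposed above would require. The same gate covers the related confusion case: a header that names an algorithm not on the allowlist is refused even if it carries a well-formed signature.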

@expede expede mentioned this issue Mar 20, 2023
@expede expede self-assigned this Mar 20, 2023
@expede expede added this to the 📋 v0.10 milestone Mar 20, 2023
@expede
Member

expede commented Mar 20, 2023

Added to 0.10!

@expede
Member

expede commented Jul 12, 2023

Closed by #132

@expede expede closed this as completed Jul 12, 2023