Token validation related security updates in previous versions

[snekbaev]

Hi,

just discovered: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries and wanted to ask in which version this has been addressed, I'm using .NET 4.6.1 with System.IdentityModel.Tokens.Jwt and can't upgrade it to 5.x because is it not compatible, thus, I'm stuck with 4.0.3.308261200.

And question is: am I safe? :)

Thank you!

[brentschmaltz]

@snekbaev By default we require signed tokens and do not allow 'none'.
So you are fine with 4.x or 5.x.

What issues are you having with 5.x compatibility?

[snekbaev]

@brentschmaltz if I remember correctly it was
http://stackoverflow.com/questions/38119877/tokenvalidationparameters-no-longer-working-after-upgrade-to-5-0-0 and #466

Basically I'm using Katana with WebAPI 2 and apparently some crucial type was moved to a different namespace in v5 thus it doesn't work :)

[brentschmaltz]

@snekbaev yes, 5.x does not work with Katana. Currently we are committed to supporting 4.x and 5.x. I was just wondering if it related to Katana or some other issue.

[snekbaev]

@brentschmaltz well, wherever the issue is, one thing for sure is that it will make a lot of people happy not to have that dependency hanging in the nuget's updates with a note in a readme file saying "DO NOT UPDATE!" :)))

[brentschmaltz]

@snekbaev @brockallen and others, we are aware of that this is causing headaches, we are investigating a fix. Hopefully it will show up soon.

[brentschmaltz]

Issue is resolved pertaining to security risk. Back-compat is a separate issue.