unsign requires you to know the alg before unsigning a JWS; however, if you publish keys with different algorithms, or you are not in control of the signing of a JWS, you might not know the algorithm.
It should use the alg field from the JOSE header and only default to :hs256 if it is not present in opts or the header.
Our use case doesn't have that choice: we need to unsign a JWS that is signed by a third party who provides a JWKS per customer and whose algorithm selection is out of our control.
This isn't used for authn/authz, but for some reason the third party spec defines that a claim inside a JWS (this is signed by our alg/key) is also encrypted as a JWS, and we need to validate and perform analysis on it.
https://tools.ietf.org/html/rfc7515#section-4.1.1
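The selection rule the issue asks for, written out as an added example (Python standard library only; this is not the library's own unsign implementation and not the third party's signer). `unsign` takes the caller's `alg` first, then the JOSE header's `alg` per RFC 7515 section 4.1.1, then falls back to HS256, but it only runs the chosen algorithm if it is on an explicit allow-list, does not contradict a pinned value, and matches the `alg` and `kty` of the JWK selected by `kid`. Those guards are what make header-driven selection safe against `alg=none` and key-type confusion. The per-customer `JWKS`, key IDs and secrets are constructed for the demo, and only the HMAC family is implemented.

```python
"""Header-driven algorithm selection for a compact JWS with the guards that
make it safe: an allow-list, rejection of "none", and a check that the JWK
chosen by kid agrees with the algorithm about to be used.
Added example in stdlib Python; not the library's or the third party's code."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Allow-list of algorithms this verifier will run. "none" and the asymmetric
# families are deliberately absent, so a header naming them is rejected
# before any key material is consulted.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


# Constructed per-customer JWKS documents (RFC 7517 "oct" keys). The secrets
# are demo values, not real key material. Note each key declares its alg.
JWKS = {
    "customer-a": {"keys": [{"kty": "oct", "kid": "a1", "alg": "HS256",
                             "k": _b64url_encode(b"demo-secret-for-customer-a")}]},
    "customer-b": {"keys": [{"kty": "oct", "kid": "b1", "alg": "HS512",
                             "k": _b64url_encode(b"demo-secret-for-customer-b")}]},
}


def compact(header: dict, payload: dict, sig: bytes) -> str:
    """Assemble a compact JWS from its three parts without any validation."""
    return f"{_encode_json(header)}.{_encode_json(payload)}.{_b64url_encode(sig)}"


def sign(payload: dict, jwk: dict, alg: str, *, omit_alg: bool = False) -> str:
    """Stand-in for the third-party signer: it picks the algorithm, we don't."""
    header = {"kid": jwk["kid"]}
    if not omit_alg:
        header["alg"] = alg
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}".encode()
    mac = hmac.new(_b64url_decode(jwk["k"]), signing_input, HMAC_ALGS[alg]).digest()
    return signing_input.decode() + "." + _b64url_encode(mac)


def _select_key(jwks: dict, kid: Optional[str]) -> dict:
    keys = jwks.get("keys", [])
    if kid is not None:
        matches = [k for k in keys if k.get("kid") == kid]
        if len(matches) != 1:
            raise ValueError(f"no unique key with kid {kid!r}")
        return matches[0]
    if len(keys) == 1:
        return keys[0]
    raise ValueError("kid required when the JWKS holds more than one key")


def unsign(token: str, jwks: dict, alg: Optional[str] = None) -> dict:
    """Verify token against jwks and return its payload, or raise ValueError.

    Selection order: caller's alg, then the header's alg (RFC 7515 4.1.1),
    then HS256. The winner must be allow-listed, must not contradict a pinned
    alg, and must match the selected JWK's declared alg and key type.
    """
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except ValueError as exc:  # wrong part count, bad base64url or bad JSON
        raise ValueError("malformed compact JWS") from exc
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    header_alg = header.get("alg")
    chosen = alg or header_alg or "HS256"
    if chosen not in HMAC_ALGS:
        raise ValueError(f"alg {chosen!r} not allowed")
    if alg is not None and header_alg not in (None, alg):
        raise ValueError(f"header alg {header_alg!r} contradicts pinned {alg!r}")
    key = _select_key(jwks, header.get("kid"))
    if key.get("kty") != "oct":  # never feed a public key in as an HMAC secret
        raise ValueError("HMAC verification needs an 'oct' key")
    if key.get("alg") not in (None, chosen):
        raise ValueError(f"key {key.get('kid')!r} is bound to {key['alg']}, not {chosen}")
    expected = hmac.new(_b64url_decode(key["k"]), f"{h64}.{p64}".encode(),
                        HMAC_ALGS[chosen]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(p64))


def rejects(token: str, jwks: dict, alg: Optional[str] = None) -> bool:
    """True when unsign refuses the token; used to exercise the failure paths."""
    try:
        unsign(token, jwks, alg)
    except ValueError:
        return True
    return False
```

The point of binding the choice to the JWK's own `alg` is that the third party's JWKS, not the attacker-controlled header, decides what each key may be used for; the header only tells the verifier which of the already-acceptable algorithms to run.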