Skip to content

Allow none algorithm in jwt command #121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 10, 2021
Merged

Allow none algorithm in jwt command #121

merged 1 commit into from
Nov 10, 2021

Conversation

@AlexanderYastrebov
Copy link
Contributor

@AlexanderYastrebov AlexanderYastrebov commented Nov 6, 2021
edited
Loading

Usage:

$ echo '{"foo":"bar"}' | ./jwt -alg none -sign - | ./jwt -alg none -verify -

I know that none method should not be used in real applications but I think jwt as a tool should support it.

Signed-off-by: Alexander Yastrebov yastrebov.alex@gmail.com

@AlexanderYastrebov
Allow none algorithm in jwt command
0c2111d 
Usage:
```
$ echo '{"foo":"bar"}' | ./jwt -alg none -sign - | ./jwt -alg none -verify -
```

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
@AlexanderYastrebov
Copy link
Contributor Author

AlexanderYastrebov commented Nov 6, 2021
edited
Loading

@oxisto jwt is a versatile tool that could be used to show, sign and verify tokens. It could be used outside of the go ecosystem, e.g. by security researchers. I think none algorithm should be supported for completeness. I have also updated PR to not require -key flag.

@oxisto
Copy link
Collaborator

oxisto commented Nov 6, 2021

@oxisto jwt is a versatile tool that could be used to show, sign and verify tokens. It could be used outside of the go ecosystem, e.g. by security researchers. I think none algorithm should be supported for completeness. I have also updated PR to not require -key flag.

Good points. Fair enough :)

@oxisto
Copy link
Collaborator

oxisto commented Nov 7, 2021

Could we print out some warning on stderr if none is used? Or would that break the functionality of the tool?

@AlexanderYastrebov
Copy link
Contributor Author

AlexanderYastrebov commented Nov 7, 2021

Could we print out some warning on stderr

I can add the warning but I do not think it is necessary. none is not the default - user has to explicitly choose it. The tool also does not print warnings e.g. if HS256 key is empty or short.

@oxisto oxisto merged commit 1275a5b into golang-jwt:main Nov 10, 2021
@AlexanderYastrebov AlexanderYastrebov deleted the cmd-allow-none branch November 10, 2021 09:25
oxisto pushed a commit to moneszarrugh/jwt that referenced this pull request Feb 21, 2023
@AlexanderYastrebov @oxisto
Allow none algorithm in jwt command (golang-jwt#121)
9bf1412
oxisto pushed a commit to twocs/jwt that referenced this pull request Mar 29, 2023
@AlexanderYastrebov @oxisto
Allow none algorithm in jwt command (golang-jwt#121)
d2c1236
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mfridman mfridman mfridman approved these changes

@oxisto oxisto oxisto approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AlexanderYastrebov @oxisto @mfridman