Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow none algorithm in jwt command #121

Merged
merged 1 commit into from
Nov 10, 2021

Conversation

AlexanderYastrebov
Copy link
Contributor

@AlexanderYastrebov AlexanderYastrebov commented Nov 6, 2021

Usage:

$ echo '{"foo":"bar"}' | ./jwt -alg none -sign - | ./jwt -alg none -verify -

I know that none method should not be used in real applications but I think jwt as a tool should support it.

Signed-off-by: Alexander Yastrebov yastrebov.alex@gmail.com

Usage:
```
$ echo '{"foo":"bar"}' | ./jwt -alg none -sign - | ./jwt -alg none -verify -
```

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
@AlexanderYastrebov
Copy link
Contributor Author

AlexanderYastrebov commented Nov 6, 2021

@oxisto jwt is a versatile tool that could be used to show, sign and verify tokens. It could be used outside of the go ecosystem, e.g. by security researchers. I think none algorithm should be supported for completeness. I have also updated PR to not require -key flag.

@oxisto
Copy link
Collaborator

oxisto commented Nov 6, 2021

@oxisto jwt is a versatile tool that could be used to show, sign and verify tokens. It could be used outside of the go ecosystem, e.g. by security researchers. I think none algorithm should be supported for completeness. I have also updated PR to not require -key flag.

Good points. Fair enough :)

@oxisto
Copy link
Collaborator

oxisto commented Nov 7, 2021

Could we print out some warning on stderr if none is used? Or would that break the functionality of the tool?

@AlexanderYastrebov
Copy link
Contributor Author

Could we print out some warning on stderr

I can add the warning but I do not think it is necessary. none is not the default - user has to explicitly choose it. The tool also does not print warnings e.g. if HS256 key is empty or short.

@oxisto oxisto merged commit 1275a5b into golang-jwt:main Nov 10, 2021
@AlexanderYastrebov AlexanderYastrebov deleted the cmd-allow-none branch November 10, 2021 09:25
oxisto pushed a commit to moneszarrugh/jwt that referenced this pull request Feb 21, 2023
oxisto pushed a commit to twocs/jwt that referenced this pull request Mar 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants