
[policy][jwt] do not accept JWT token with empty signature #1417

Closed
tcompiegne opened this Issue Aug 2, 2018 · 0 comments

@tcompiegne
Member

tcompiegne commented Aug 2, 2018

Currently, if we have a JWT token with an empty signature, for example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.

The APIM Gateway will let the consumer call pass. We MUST enforce the Policy JWT to check if the incoming JWT contains the signature part.
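The check the issue asks for, as an added example that is not Gravitee's own policy code: a minimal HS256 verifier that refuses a token whose third segment is empty instead of treating "no signature" as "nothing to verify", and that pins the expected algorithm so an `alg` swap cannot bypass the check. The header and payload segments are the ones quoted above; `DEMO_SECRET` and the `is_accepted` / `sign_hs256` helpers are constructed for the demo and are not part of the project.

```python
import base64
import hashlib
import hmac
import json

# Header.payload of the token quoted in the issue, with its empty signature part
# (header = {"alg":"HS256","typ":"JWT"}, payload = the jwt.io sample claims).
ISSUE_TOKEN_NO_SIG = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
)

# Constructed shared secret for the demo; not a real key from the project.
DEMO_SECRET = b"example-shared-secret-for-the-demo"


def b64url_decode(segment: str) -> bytes:
    """Decode one unpadded base64url segment (RFC 7515 section 2)."""
    if not segment:
        raise ValueError("empty segment")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims if `token` carries a valid HS256 signature; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization must have exactly three parts")
    header_b64, payload_b64, signature_b64 = parts
    # The check the issue asks for: a missing signature part is a hard failure.
    if signature_b64 == "":
        raise ValueError("missing signature")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side so alg=none or an alg swap is rejected.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the expected and presented MACs.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce a correctly signed HS256 token, used here only to build a positive test case."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(mac)}"


def is_accepted(token: str, secret: bytes = DEMO_SECRET) -> bool:
    """Gateway-style yes/no decision: True only when verify_hs256 succeeds."""
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError too
        return False


if __name__ == "__main__":
    signed = sign_hs256({"sub": "1234567890", "name": "John Doe", "iat": 1516239022}, DEMO_SECRET)
    print("issue token (empty signature) accepted:", is_accepted(ISSUE_TOKEN_NO_SIG))
    print("properly signed token accepted:", is_accepted(signed))
    print("signed token with signature stripped accepted:", is_accepted(signed.rsplit(".", 1)[0] + "."))
```

The empty-signature test sits before any decoding or MAC computation on purpose: the token in the issue is structurally three parts (the trailing dot yields an empty third segment), so a verifier that only counts dots and then "verifies" a zero-length signature against nothing would still let it through.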
