Make specifying "algorithm" optional on decode #380

Closed
dlavrenuek opened this issue Oct 22, 2020 · 2 comments


@dlavrenuek dlavrenuek commented Oct 22, 2020

When decoding a signed JWT token, the algorithm and algorithms options should be made optional. The algorithm is already present in the JWT header, which makes setting it manually redundant. Furthermore, the signing method used by an OAuth2.0/OpenID provider might be unknown to the user, which makes implementing token validation with ruby-jwt very difficult.

Current behavior:

  • algorithm or algorithms option is required when decoding a signed token

Desired behavior:

  • algorithm should be set automatically from alg in JWT header

For that purpose the method allowed algorithms can be changed to automatically add the algorithm from JWT to allowed ones: https://github.com/jwt/ruby-jwt/blob/master/lib/jwt/decode.rb#L49

@anakinj anakinj (Member) commented Oct 23, 2020

There is reasoning behind having the algorithm required when encoding a token. The latest discussion about that is probably found in #254

It would be convenient, but it also opens up for potential misuse.

@dlavrenuek dlavrenuek (Author) commented Oct 23, 2020

@anakinj thanks for providing the information

@dlavrenuek dlavrenuek closed this Oct 23, 2020
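
The trade-off discussed in this thread, as an added example that is not ruby-jwt's code and not written by either commenter: a stdlib-only HMAC verifier in which the caller pins the accepted algorithms, so the token's unverified alg header can only select among them. The names `decode_pinned`, `sign_sample` and `DecodeError`, and the key and tokens, are hypothetical and constructed for illustration.

```ruby
require "openssl"
require "base64"
require "json"

# Hypothetical minimal HMAC-only verifier for illustration; not ruby-jwt's code.
HMAC_DIGESTS = { "HS256" => "SHA256", "HS384" => "SHA384", "HS512" => "SHA512" }.freeze
class DecodeError < StandardError; end

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Builds constructed sample tokens for the demo; "none" yields an empty signature.
def sign_sample(payload, key, alg)
  head = b64url(JSON.generate({ "alg" => alg, "typ" => "JWT" }))
  input = "#{head}.#{b64url(JSON.generate(payload))}"
  sig = alg == "none" ? "" : OpenSSL::HMAC.digest(HMAC_DIGESTS.fetch(alg), key, input)
  "#{input}.#{b64url(sig)}"
end

# Verifies `token`, accepting only the algorithms the caller pinned in `allowed`.
def decode_pinned(token, key, allowed:)
  raise DecodeError, "no algorithm pinned" if allowed.nil? || allowed.empty?
  parts = token.split(".", -1)
  raise DecodeError, "malformed token" unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  alg = header["alg"] if header.is_a?(Hash)
  # The header is unauthenticated input at this point: it may select among
  # algorithms the verifier already trusts, but never introduce a new one.
  raise DecodeError, "algorithm #{alg.inspect} not allowed" unless allowed.include?(alg)
  digest = HMAC_DIGESTS[alg] or raise DecodeError, "unsupported algorithm"
  expected = OpenSSL::HMAC.digest(digest, key, "#{header_b64}.#{payload_b64}")
  unless OpenSSL.secure_compare(expected, Base64.urlsafe_decode64(sig_b64))
    raise DecodeError, "signature mismatch"
  end
  JSON.parse(Base64.urlsafe_decode64(payload_b64))
rescue JSON::ParserError, ArgumentError
  raise DecodeError, "malformed token"
end

if __FILE__ == $PROGRAM_NAME
  key = "constructed-demo-secret" # constructed sample key
  %w[HS256 HS512 none].each do |alg|
    token = sign_sample({ "sub" => "alice" }, key, alg) # constructed sample token
    puts "#{alg}: #{decode_pinned(token, key, allowed: ["HS256"])}"
  rescue DecodeError => e
    puts "#{alg}: rejected (#{e.message})"
  end
end
```

When the provider's signing method is not known in advance, the pinned list can hold every algorithm the deployment is willing to accept; the verifier still refuses anything outside it.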