Possibility to force signature algorithm on parse #47
Comments
|
You can always use a |
|
But will that get called if there is no Signature? When Algorithm is NONE? |
|
That will be called after the token is parsed, but before its signature (and also expiration I believe) is validated, so you can already determine if the algorithm is You can find more about it here. |
|
Reading |
|
I think i found the solution here: https://stormpath.com/blog/jwt-java-create-verify/ Looks like we can use |
|
+1 I feel the parser should enforce a signature by default if a key is provided. |
|
This is documented in the Readme:
Is this issue resolved, then, by just improving the documentation? |
|
First, great work and thank you for writing this. Second, now that I go back and look at the readme again, it is clear that you purposefully used parseClaimsJws in the first example: assert Jwts.parser().setSigningKey(key).parseClaimsJws(s).getBody().getSubject().equals("Joe");My eyes somehow skipped right over that though, and went to this: try {
Jwts.parser().setSigningKey(key).parse(compactJwt);
//OK, we can trust this JWT
} catch (SignatureException e) {
//don't trust the JWT!
}So maybe just change that second example to also use parseClaimsJws? It could just be me, but I can't understand why "algo: none" even exists. Seems like it is just asking for trouble. Thanks again! |
|
Thanks for the feedback! This would definitely clean up the docs to reflect the most common use case - I think that'd be helpful. And yeah, NONE is asking for trouble, but we support it because it is in the JWT spec - we're kind of required to support it. |
|
I just updated the Readme in Master - hopefully that helps! |
|
Yes, @louoso explained it perfectly, that second example got me too! Maybe even go further highlighting in the README that Algo NONE is just dangerous. The library (especially being in the "crypto" sector) should make it easy for people to just do the right thing. Obviously the full standard should be supported. Maybe using Algo NONE or JWT (vs. JWS) could be enabled with a Config Option first, else |
|
I definitely agree about 'doing the right thing' automatically - it's a tactic we take in Apache Shiro (another project I work on), and it's a big reason why Shiro is so nice to use. I'll leave this issue open as a marker to clean up the documentation and maybe even make API changes as necessary to make this more obvious. Suggestions welcome! |
|
Maybe the new |
|
After reading this article https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ i believe that the parseClaimsJws() method should take a signature algorithm as a second argument (or provide an overloaded method which allows this). |
|
Ah, i see, you protect against it as long as you use a Key based type because they are strongly typed in java. cool. |
|
Indeed :) |
Is it possible to force the signature algorithm on parse? Meaning that the jwt is only considered valid if it is signed with a particular algorithm?
If not, is it possible to disallow the NONE algorithm or otherwise check the algorithm and make sure that the jwt is signed on parse?
The text was updated successfully, but these errors were encountered: