
Unable to parse claims without key #923

Closed Answered by bdemers
RagguRavi asked this question in Q&A

This question comes up from time to time.
From a security perspective this is a bad idea and violates the RFC, the first line of the JWS RFC:

JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures

The RFC also goes on to say this about the alg header param (section 4.1.1):

This Header Parameter MUST be present and MUST be understood and processed by implementations.

Ignoring the alg header or processing it differently would not align with these statements.


That said, I'd still like to understand your use case. Why do you want to parse the token if you cannot be assured the content is valid?

Have…
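To make the answer's point concrete, here is an added example (written for this thread, not the library's own parser) of the behaviour the RFC requires: the alg header is read first, only a known algorithm is accepted, and the claims are returned only after the MAC verifies. The HS256 key, the claim values and the forged and alg "none" tokens are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical minimal JWS (RFC 7515) compact-serialization handling for HS256,
# written for this discussion; it is not the library's own parser.
SUPPORTED_ALGS = {"HS256": hashlib.sha256}


class InvalidTokenError(Exception):
    """Raised whenever the token cannot be verified; claims are never returned."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS with an explicit alg header, as the RFC requires."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"


def parse_claims(token: str, key: bytes) -> dict:
    """Return the claims only after the alg header is understood and the MAC verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidTokenError("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidTokenError("header or signature is not valid base64url") from exc
    # The alg header MUST be present and understood; anything else is rejected
    # before the payload is even decoded.
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in SUPPORTED_ALGS:
        raise InvalidTokenError(f"alg {alg!r} is missing or not accepted")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        SUPPORTED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidTokenError("signature does not verify")
    return json.loads(_b64url_decode(payload_b64))


def rejects(token: str, key: bytes) -> bool:
    """True when parse_claims refuses the token (used by the demo below)."""
    try:
        parse_claims(token, key)
    except InvalidTokenError:
        return True
    return False


def demo() -> dict:
    """Constructed inputs: a genuine token, a forged one, and one with alg 'none'."""
    key = b"constructed-demo-key-not-for-production"
    genuine = sign_hs256({"sub": "alice", "role": "user"}, key)
    header_b64, _, sig_b64 = genuine.split(".")
    # Same signature, edited claims: must be rejected.
    forged = f"{header_b64}.{_segment({'sub': 'alice', 'role': 'admin'})}.{sig_b64}"
    # alg 'none' with an empty signature: must be rejected before the payload is trusted.
    unsigned = f"{_segment({'alg': 'none'})}.{_segment({'sub': 'alice', 'role': 'admin'})}."
    return {
        "genuine_claims": parse_claims(genuine, key),
        "forged_rejected": rejects(forged, key),
        "unsigned_rejected": rejects(unsigned, key),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks is the point: there is no code path that hands back claims from a token whose alg is unknown or whose MAC does not match, which is exactly why a "parse without a key" mode has nothing sound to return.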

Replies: 1 comment

Answer selected by RagguRavi