robertlagrant 6 hours ago

> While common JWT libraries have now mostly got their stuff together, this has not always been the case. There were plenty of libraries accepting the "none" algorithm [1] or allowing attackers to forge tokens by using a public key as a shared secret [2]. This is the direct result of the complexity criticized in the linked blog post.

I'm a bit surprised at this. These are extremely simple to solve - the first time I ever did a JWT-reading implementation I specified the right defaults, which are very simple, even for a mid-level backend person I would say, and they haven't needed changing in 8 years or whatever it's been. It really isn't very complex.
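What "the right defaults" look like in practice, as an added illustration that is not code from this thread: the verifier pins the accepted algorithm in server configuration instead of reading it from the token header, which is the single setting that closes both the "none" algorithm and the public-key-as-HMAC-secret confusion mentioned in the quoted comment. The secret and payload below are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Server-side policy: the only algorithm this verifier will ever accept.
# The token's own "alg" header is checked against this, never used to
# choose the verification method.
ALLOWED_ALGS = {"HS256"}

# Constructed sample secret for the example; a real deployment loads it from config.
SECRET = b"constructed-example-secret-do-not-reuse"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token (only here so the example is self-contained)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify(token: str, secret: bytes) -> dict:
    """Return the payload if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Allowlist check: "none", "RS256" or anything else not pinned is rejected
    # before any signature logic runs, so the header cannot steer key selection.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def is_valid(token: str, secret: bytes) -> bool:
    try:
        verify(token, secret)
        return True
    except ValueError:
        return False
```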
agwa 6 hours ago | parent

You would think so, but even an authentication company screwed it up: https://cybercx.co.nz/blog/json-web-token-validation-bypass-...