Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The library does not check the situation if signature algorithm is defined but no signature is provided #2

Closed
dmak opened this issue Jan 30, 2018 · 2 comments
Closed

The library does not check the situation if signature algorithm is defined but no signature is provided #2

dmak opened this issue Jan 30, 2018 · 2 comments
Assignees
@robotdan

Comments

@dmak
Copy link

dmak commented Jan 30, 2018

Please doublecheck this is a valid issue. According to JWS §4.1.1 "alg" Header Parameter MUST be present and MUST be understood and processed by implementations.

In my opinion that means that if "alg" is not "none", then signature must be present and verified. Attached
JwtTest.java.txt demonstrates the problem.
robotdan pushed a commit that referenced this issue Jan 30, 2018
Fixes Issue #2, bug exists that allows a JWT to be decoded even when …
0d94dce 
…no signature is provided.
@robotdan
Copy link
Member

Hi @dmak ,

You are correct, this is not the intended behavior, I thought I had a test that covered this scenario. I added your test and resolved the issue.

Thanks for pointing this out.

@robotdan robotdan self-assigned this Jan 30, 2018
@robotdan
Copy link
Member

Resolved in version 1.3.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@robotdan robotdan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dmak @robotdan