Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Warning about possible security issue
See original GitHub issueHello,
As you all know, JWT provides different way to encode and decode a token. Some of those algorithm are asymmetric and others symmetric. The fact that you can have both of them working together create a breach if you can access the public_key.
I’d like to know what you think about the idea of having a warning, or not allowing it at all, to have both a symmetric and asymmetric algorithm in the jwt.decode function.
Here you can find an example of case where you might have a security issue with your JWT.
Exemple:
Actor 1:
- Request a JWT from the Auth server
- Contact App A with the JWT provided by Auth Server.
- App A will validate the JWT with the public key
Actor 2:
- Request a JWT from the Auth server
- Get the content and modify it
- generate a new JWT token signed with the public key and the algorithm “HS256”
- Contact the App A with the new JWT
- Because both Symmetric (HS256) and Asymmetric (RS256) are allowed together in App A, the new JWT is validated and accepted
Issue Analytics
- State:
- Created 4 years ago
- Comments:9
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
OK, I understand your point now. A public key argument does not make sense for HS*
I agree that the interface could be improved, see also https://github.com/jpadilla/pyjwt/issues/408#issuecomment-586696809
Making public a shared secret used for HS* is wrong.
Consequently, re-using a (published) public key for HS* is wrong.
Bluntly, I see no point in your scenario.