jjwt library does not allow explicitly specifying the hashing algorithm during token validation
Is there any way to explicitly specify the hashing algorithm while validating the token? The OWASP cheat sheet suggests specifying it explicitly as a best practice.
Jwts.parser().setSigningKey(key).parseClaimsJws(token);
I have tried to find a way but I haven't found one. The auth0 library https://github.com/auth0/java-jwt allows adding the algorithm during token validation.
Issue Analytics
- Created 3 years ago
- Comments: 5 (3 by maintainers)
Top GitHub Comments
Closing for now - happy to re-open if you can demonstrate a case where JJWT doesn’t satisfy best practices already.
This is unnecessary with JJWT because the none algorithm - as well as using weaker or different signature verification keys - has always failed with JJWT signature verification since JJWT was first released. Auth0's initial releases of java-jwt suffered from this security flaw, which is why they had to add support for it. There's no reason to add it to JJWT that I can tell. I'm happy to discuss further and even enhance the library if you can demonstrate a use case that JJWT cannot satisfy though!
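As an added illustration, not code from the issue or the JJWT project: the parser call from the question, followed by the explicit "expected algorithm" check the OWASP cheat sheet asks for, so that a validly signed token whose alg header differs from the one the application pinned is still rejected. It assumes the JJWT 0.9-0.11 style API used in the question, a constructed HS256 key, and the hypothetical class name StrictJwtVerifier.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.Key;

public class StrictJwtVerifier {

    // Constructed demo key (32 bytes, enough for HS256); load a real key from a secret store.
    private static final Key KEY = new SecretKeySpec(
            "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8), "HmacSHA256");

    // JJWT already rejects "none" and any signature the key does not verify.
    // The extra comparison pins the header's alg to the one the application expects,
    // so a token signed with a different algorithm is refused even if its signature verifies.
    static Claims verify(String token, SignatureAlgorithm expected) {
        Jws<Claims> jws = Jwts.parser().setSigningKey(KEY).parseClaimsJws(token);
        String alg = jws.getHeader().getAlgorithm();
        if (!expected.getValue().equals(alg)) {
            throw new JwtException("unexpected JWS algorithm: " + alg);
        }
        return jws.getBody();
    }

    public static void main(String[] args) {
        String hs256 = Jwts.builder().setSubject("alice")
                .signWith(SignatureAlgorithm.HS256, KEY).compact();
        System.out.println("accepted, sub=" + verify(hs256, SignatureAlgorithm.HS256).getSubject());

        // Valid HS256 signature, but the application pinned HS512: rejected by the alg check.
        try {
            verify(hs256, SignatureAlgorithm.HS512);
        } catch (JwtException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Unsigned token (alg "none"): parseClaimsJws throws before the alg check runs.
        String unsigned = Jwts.builder().setSubject("alice").compact();
        try {
            verify(unsigned, SignatureAlgorithm.HS256);
        } catch (JwtException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```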