Hi Maciej,

Apps must not accept arbitrary JWTs, nor let the JWT header alone drive the JWT validation process.

A good app contract will specify which algs and header parameters are accepted, and discard all JWTs that don't match these rules, before passing the JWTs for validation to the library.

On 03/10/16 18:46, Maciej Kwidzinski wrote:
> Hi,
>
> Tim McLean describes an attack vector on JWT-protected services in his
> blog post:
> https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
>
> The culprit is relying on the algorithm in the JWT header. The
> workaround/recommendation is to ignore the algorithm from the header
> and use a predefined one.
>
> The current RFC 7519 does not address this vulnerability.
> Will this problem be addressed in the standard?
>
> Best regards,
> Maciej Kwidziński
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
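The contract described in the reply above (a pinned algorithm and a closed set of accepted header parameters, enforced before any signature check) as a worked example. This is added illustration code, not code from either poster or from any JWT library; it assumes a shared HMAC key with HS256 as the only accepted algorithm, and the key, claims and token names are constructed for the demo. The header's `alg` value is compared against the pinned value only and never used to pick a verifier, which is what closes the `alg: none` and algorithm-substitution issues the linked post describes.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
DEMO_KEY = b"constructed-demo-hmac-key-0123456789"

# The app contract: exactly one accepted algorithm and a closed set of header parameters.
ACCEPTED_ALG = "HS256"
ACCEPTED_HEADER_PARAMS = {"alg", "typ"}


class JWTRejected(Exception):
    """Raised when a token fails the contract or the signature check."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jws(header: dict, claims: dict, key: Optional[bytes]) -> str:
    """Build a compact JWS. key=None yields an unsigned token (empty signature),
    used here only as a negative test input for the verifier."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if key is None:
        return signing_input + "."
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_jws(token: str, key: bytes) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTRejected("not a three-part compact JWS")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:
        raise JWTRejected(f"unparseable header: {exc}") from exc
    if not isinstance(header, dict):
        raise JWTRejected("header is not a JSON object")

    # Contract checks run BEFORE any cryptography. The header's alg is compared
    # against the pinned value only; it never selects which verifier runs.
    if header.get("alg") != ACCEPTED_ALG:
        raise JWTRejected(f"alg {header.get('alg')!r} is not accepted")
    unknown = set(header) - ACCEPTED_HEADER_PARAMS
    if unknown:
        raise JWTRejected(f"unexpected header parameters: {sorted(unknown)}")
    if header.get("typ", "JWT") != "JWT":
        raise JWTRejected(f"typ {header['typ']!r} is not accepted")

    # Only now verify with the pinned algorithm: HMAC-SHA256 over the signing input.
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise JWTRejected("signature mismatch")

    try:
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError as exc:
        raise JWTRejected(f"unparseable claims: {exc}") from exc
    if not isinstance(claims, dict):
        raise JWTRejected("claims are not a JSON object")
    return claims


def run_checks() -> dict:
    """Feed the verifier one good token and several contract violations;
    returns {name: accepted?} so the outcome can be inspected or asserted."""
    claims = {"sub": "alice", "scope": "read"}
    hs = {"alg": "HS256", "typ": "JWT"}
    tokens = {
        "signed_hs256": encode_jws(hs, claims, DEMO_KEY),
        "unsigned_none": encode_jws({"alg": "none"}, claims, None),
        "wrong_key": encode_jws(hs, claims, b"some-other-key"),
        # jku is a legitimate JOSE header parameter, but the contract does not allow it.
        "extra_header_param": encode_jws({**hs, "jku": "https://example.invalid/keys"}, claims, DEMO_KEY),
        "alg_rs256_claimed": encode_jws({"alg": "RS256", "typ": "JWT"}, claims, DEMO_KEY),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            verify_jws(tok, DEMO_KEY)
            results[name] = True
        except JWTRejected:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

Only `signed_hs256` is accepted; the other four are rejected, and all but `wrong_key` are rejected before any HMAC is computed, which is the ordering the reply asks for. Adding a second accepted algorithm means adding a second pinned verifier keyed by the contract, not by the token.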
