Validating token without the need of an Algorithm
BigBallard opened this issue
At this time it does not seem that I can use the JWTVerifier to validate a token without requiring an Algorithm to do so. This seems odd, since we can decode the tokens without an Algorithm, and we would essentially have to implement that logic ourselves with the JWTVerifier interface, with the same logic as the impl provided. But is this really what we would have to do to have a verifier that does not require an algorithm?
@DallasP9124 verifying a JWT without an algorithm is not recommended, as it could be tampered with. For this reason, we have made Algorithm mandatory for verification.
One provision we have but do not recommend is Algorithm.none(), since this is also an insecure way of verifying a JWT. So at this point, we would recommend having the public key in your application to verify the JWT.
Hope this answers your question. We will close this issue for now, but feel free to reopen it if you have more doubts.
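The distinction the maintainer draws between decoding and verifying, shown as an added example (this is not code from the thread or from the java-jwt project itself; it assumes the com.auth0:java-jwt artifact on the classpath, and the issuer URL, subject and the generated RSA key pair are constructed for the demo). It shows that `JWT.decode()` happily returns claims from a token whose payload has been altered, that a `JWTVerifier` built from `Algorithm.RSA256(publicKey, null)` needs only the public half of the key to reject that token, and that a token signed with `Algorithm.none()` is rejected by the same verifier because the header `alg` must match the verifier's Algorithm:

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;

public class VerifyWithPublicKeyOnly {

    // Constructed for the example; the real issuer would be a remote identity provider.
    static final String ISSUER = "https://issuer.example";
    static final String SUBJECT = "user-42";

    public static void main(String[] args) throws Exception {
        // Constructed key pair: the issuer keeps the private key, the verifying
        // service only ever holds the public key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair issuerKeys = kpg.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) issuerKeys.getPublic();
        RSAPrivateKey priv = (RSAPrivateKey) issuerKeys.getPrivate();

        // Issuer side: sign with the private key.
        String token = JWT.create()
                .withIssuer(ISSUER)
                .withSubject(SUBJECT)
                .sign(Algorithm.RSA256(pub, priv));

        // 1. decode() parses header and payload only; it performs NO signature check,
        //    so its output must be treated as untrusted input.
        DecodedJWT untrusted = JWT.decode(token);
        System.out.println("decoded (unverified) subject: " + untrusted.getSubject());

        // 2. verify() requires an Algorithm, but the private key may be null:
        //    the public key alone is enough to check an RS256 signature.
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(pub, null))
                .withIssuer(ISSUER)
                .build();
        DecodedJWT trusted = verifier.verify(token);
        System.out.println("verified subject: " + trusted.getSubject());

        // 3. Tamper with the payload and keep the original signature. decode() still
        //    returns the forged claim; verify() throws SignatureVerificationException.
        String forged = forgeSubject(token, "admin");
        System.out.println("decoded forged subject: " + JWT.decode(forged).getSubject());
        try {
            verifier.verify(forged);
            System.out.println("BUG: forged token accepted");
        } catch (JWTVerificationException e) {
            System.out.println("forged token rejected: " + e.getMessage());
        }

        // 4. An unsigned token (alg "none") is rejected by an RS256 verifier with
        //    AlgorithmMismatchException, since the header alg does not match.
        String unsigned = JWT.create().withIssuer(ISSUER).withSubject("admin").sign(Algorithm.none());
        try {
            verifier.verify(unsigned);
            System.out.println("BUG: alg=none token accepted");
        } catch (JWTVerificationException e) {
            System.out.println("alg=none token rejected: " + e.getMessage());
        }
    }

    // Replace the subject value inside the base64url payload segment and leave the
    // header and signature segments untouched, as an attacker editing a token would.
    static String forgeSubject(String token, String newSubject) {
        String[] parts = token.split("\\.");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        String forgedPayload = payload.replace("\"" + SUBJECT + "\"", "\"" + newSubject + "\"");
        String encoded = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(forgedPayload.getBytes(StandardCharsets.UTF_8));
        return parts[0] + "." + encoded + "." + parts[2];
    }
}
```

In a deployment the public key would typically be loaded from the issuer's JWKS endpoint or a pinned certificate rather than generated in-process, and `.withIssuer()` (plus audience and expiry checks) should stay on the verifier so that a validly signed token from the wrong issuer is also rejected.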