
JSON Web Token Validation Bypass in Auth0 Authentication API - mfincham
https://insomniasec.com/blog/auth0-jwt-validation-bypass
======
rvz
> The Authentication API prevented the use of alg: none with a case sensitive
> filter. This means that simply capitalising any letter e.g. alg: nonE,
> allowed tokens to be forged.

The option to have 'alg: none' should never be used as it is still the biggest
footgun in the JOSE specification. I'm not sure why on earth you need a
case-sensitive filter on this, but even giving the user a choice of ciphers to use
is a recipe for disaster. Thus JWT is still a cryptographically weak standard.

PASETO [0] or Branca [1] are cryptographically stronger alternatives to use
over JWT here.

[0] [https://paseto.io](https://paseto.io)
[1] [https://branca.io](https://branca.io)
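An added example (not part of the post or of Auth0's own code) modelling the filter the quoted paragraph describes, with stdlib Python only. `verify_blocklist` is a constructed model of the weak check (case-sensitive block on `"none"`, case-insensitive algorithm dispatch); `verify_allowlist` is the hardened form, where the verifier's own allowlist decides which algorithms exist and every accepted path checks a MAC. The key and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def encode_jwt(header: dict, payload: dict, key: bytes) -> str:
    # Builds a token; signs with HMAC-SHA256 only when the header says HS256,
    # otherwise the signature segment is left empty (the shape of an alg:none token).
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = b""
    if header.get("alg") == "HS256":
        sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_blocklist(token: str, key: bytes):
    # Weak (constructed model of the bug): blocks only the exact string "none",
    # then dispatches on the header's algorithm case-insensitively.
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg", "")
    if alg == "none":
        return None
    if alg.lower() == "none":  # "nonE" passes the filter and no signature is checked
        return json.loads(b64url_decode(body))
    if alg.lower() == "hs256":
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig)):
            return json.loads(b64url_decode(body))
    return None

ALLOWED_ALGS = {"HS256"}  # the verifier, not the token, decides what is acceptable

def verify_allowlist(token: str, key: bytes):
    # Hardened: exact-match allowlist; the only accepting path always verifies a MAC.
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))
```

A unit test that feeds an `alg: nonE` token with an empty signature to your verifier is a cheap regression check for this class of bug.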

