

What I don't like about JSON Web Tokens - timmclean
https://www.timmclean.net/2015/02/25/jwt-alg-none.html

======
zaroth
If there are libraries that silently accept an unsigned JWT with alg:none,
even when they are provided a secret key to verify, that's a serious CVE right
there...

If a secret or public key is passed to the verify function, the function MUST
fail if no signature is actually present in the token. E.g. on node-jwt; [1]

    
    
      if (parts[2].trim() === '' && secretOrPublicKey){
        return done(new JsonWebTokenError('jwt signature is required'));
      }
    

As another example, in the C# library, as long as 'RequireSignedTokens' is
true, it will ensure the signature can't be stripped. [2] I'd say that's poor
design to allow specifying a key and then ignoring it silently if
'RequireSignedTokens' is false, even if it is true by default, because the
combination of 'RequireSignedTokens' = false, and a non-null key, is invalid.

[1] - [https://github.com/auth0/node-
jsonwebtoken/blob/master/index...](https://github.com/auth0/node-
jsonwebtoken/blob/master/index.js#L85)

[2] - [https://github.com/AzureAD/azure-activedirectory-
identitymod...](https://github.com/AzureAD/azure-activedirectory-
identitymodel-extensions-for-
dotnet/blob/master/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs#L910)

~~~
timmclean
Agreed. Unfortunately, some implementations missed that:

[https://github.com/namshi/jose/commit/127b4415e66d89b1fcfb5a...](https://github.com/namshi/jose/commit/127b4415e66d89b1fcfb5a07933db0b5ff5cd636)

[https://github.com/davedoesdev/python-
jwt/commit/5ddb71b2ed5...](https://github.com/davedoesdev/python-
jwt/commit/5ddb71b2ed5785c329b761e45a246996a1dd9cab)

~~~
davedoesdev
Thanks for spotting this Tim, I appreciate it. I've patched python-jwt and
linked to your article. Please let me know if you file a CVE so I can link to
it too.

The docs did say:

    
    
      returns: ``(header, claims)`` if the token was verified successfully. The token must pass the following tests:
      - Its signature must verify using the public key or its algorithm must be ``none``.
    

but passing the responsibility for checking header['alg'] to the caller was
the wrong way round so thanks again!

