Automatically lookup digital signature algorithm from JWT header

[mcandre]

The current API appears to require the user to query the JWT header, then lookup the algorithm based on the name, and finally pass this function reference to Validate().

Could jose do this automatically? This would reduce the risk of mistakes. For example, some users might hardcode the RS256 algorithm, whereas real tokens may use a different algorithm.

[Brcrwilliams]

Please do not do this. It's a serious security vulnerability. "none" is a valid algorithm, so if you trust the header for algorithm selection, someone can give you a perfectly valid token with no signature on it at all.

Further reading here: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

Allowing the client (or an attacker) to select the algorithm is generally a bad idea. You should hard-code the algorithm.

[mcandre]

Lol why is none a valid option?

[Brcrwilliams]

🤷‍♂ It's in the spec.