by mrighele
3325 days ago
From a cursory read from the specs [1] I can see the following (Chapter 7.2):

> Finally, note that it is an application decision which algorithms may
> be used in a given context. Even if a JWT can be successfully
> validated, unless the algorithms used in the JWT are acceptable to
> the application, it SHOULD reject the JWT.

From what I understand from the above, the server side can decide to _always_ reject the "none" algorithm and still qualify as a valid implementation. The fact that the "none" algorithm is implemented or not by the library becomes a detail.

[1] https://tools.ietf.org/html/rfc7519
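Added example (not part of the comment above, and not any library's code): an application-side verifier in Python that checks an algorithm allow-list before touching the signature, so an unsecured ("none") token is rejected whether or not the underlying code implements "none". The key, claims and helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; not from the original post.
DEMO_KEY = b"constructed-demo-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes, alg: str) -> str:
    """Build a compact JWS: HS256, or the unsecured 'none' form (demo input only)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url_encode(sig)}"
    if alg == "none":
        return f"{header}.{payload}."  # empty signature part, as RFC 7515 specifies
    raise ValueError(f"unsupported alg {alg}")


def verify_jwt(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Application decision first (RFC 7519 section 7.2): reject any alg not on the
    allow-list BEFORE signature handling, so a 'none' token never gets that far."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not acceptable to this application")
    # Only HS256 is implemented here; the allow-list guarantees we never reach 'none'.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def accepts(token: str, key: bytes = DEMO_KEY) -> bool:
    """True only if the token passes both the allow-list and the signature check."""
    try:
        verify_jwt(token, key)
        return True
    except ValueError:
        return False
```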