by hdhzy
3261 days ago
> make sure "noop" is not allowed

Security by blacklisting is a bad idea. You don't need to look far - it's JWT libraries that could be fooled into accepting a public key as a symmetric key [0], so even if you fix the noop bug you are still vulnerable. That's what's wrong with JWT - you always have one more issue than you think.

[0]: https://auth0.com/blog/critical-vulnerabilities-in-json-web-...
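To make the allowlist-versus-blacklist point concrete, here is an added example (not code from the comment or from any JWT library) of a verifier that pins the algorithm on the application side and never lets the token header pick it; the key, tokens and `noop` header are constructed for the demo, and only HS256 is implemented.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Build a constructed sample token: HS256-signed when the header says HS256,
    otherwise an unsigned token (empty signature) for the demo's negative cases."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = b""
    if header.get("alg") == "HS256":
        sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def passes_denylist(alg: str, denylist=("none",)) -> bool:
    """The weak pattern the comment criticises: refuse the spellings you know about,
    let everything else through. Any spelling not on the list ("noop", "NONE") passes."""
    return alg not in denylist

def verify_pinned(token: str, key: bytes):
    """Allowlist verification: the application pins HS256 and its secret at configuration
    time. The header's alg must equal the pinned value exactly; it never selects the
    algorithm or the key, so a public key can never end up used as an HMAC secret.
    Returns the payload dict on success, None on any failure."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":          # exact, case-sensitive, no denylist needed
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return None
    return json.loads(b64url_decode(p64))
```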