abritinthebay, 3126 days ago
That’s only true of JWT if you allow your server to accept all algorithms. You don’t actually have to.
1 comment

rblatz, 3126 days ago
Correct, your token authority should specify which algorithms are valid, and your clients should self-configure via a secure back channel to only accept the algorithms your token authority issues.
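The point the two comments make, shown as an added example that is not from the thread or from any JWT library: a verifier that lets the token's own header pick the algorithm, beside one whose allowed set is fixed by configuration. The `allowed` parameter stands in for the configuration rblatz describes as arriving over a secure back channel; the key, the claims and the forged `alg: none` token are constructed for the demo (the `none` algorithm is one instance of the "accept all algorithms" problem). Standard library only.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; in a real deployment it comes from the token authority.
KEY = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    """One base64url-encoded JSON segment of a compact JWS."""
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a genuine HS256 token, as the token authority would."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_none_token(payload: dict) -> str:
    """Attacker-built token: header claims alg=none and the signature part is empty."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def _hs256_valid(signing_input: str, sig: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Weak verifier: lets the token's own header choose the algorithm."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    alg = header.get("alg")
    if alg == "none":
        return payload  # unsigned token accepted as-is: the attacker wins
    if alg == "HS256" and _hs256_valid(
        header_b64 + "." + payload_b64, _b64url_decode(sig_b64), key
    ):
        return payload
    raise ValueError("signature check failed")


def verify_pinned(token: str, key: bytes, allowed=("HS256",)) -> dict:
    """Hardened verifier: the allowed set is verifier configuration, never
    something read from the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in allowed:
        raise ValueError(f"algorithm {alg!r} not in allowed set {allowed}")
    if alg == "HS256" and _hs256_valid(
        header_b64 + "." + payload_b64, _b64url_decode(sig_b64), key
    ):
        return json.loads(_b64url_decode(payload_b64))
    raise ValueError("signature check failed")


def accepted(verifier, token: str, key: bytes) -> bool:
    """True if the verifier returns claims, False if it rejects the token."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    genuine = sign_hs256({"sub": "alice", "admin": False}, KEY)
    forged = forge_none_token({"sub": "alice", "admin": True})
    print("weak verifier accepts forged token:", accepted(verify_trusting_header, forged, KEY))
    print("pinned verifier accepts forged token:", accepted(verify_pinned, forged, KEY))
```

The only difference between the two verifiers is where the algorithm decision comes from. Real libraries expose the same control as an explicit list of permitted algorithms on the verify call; leaving that list unset, or letting it include `none`, reproduces the weak verifier's behaviour.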
abritinthebay, 3124 days ago
Exactly! JWT is a much misunderstood system, it seems. Though it doesn’t exactly help itself by being quite complex.