by rblatz, 3126 days ago
Correct, your token authority should specify which algorithms are valid, and your clients should self configure via a secure back channel to only accept the algorithms your token authority issues.
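A client-side check along the lines rblatz describes, added here as an example that is not part of the thread: the set of acceptable algorithms comes from the client's own configuration (what it learned from the token authority out of band), and the token header is only used to pick a verifier from that set, so a header claiming `none` or an algorithm the authority never issues is rejected before any signature is examined. The key, the claims and the HS256-only setup are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo configuration: the authority issues HS256 tokens only,
# and the client is told so through its own config, never by the token.
ALLOWED_ALGS = frozenset({"HS256"})
SECRET = b"constructed-demo-key-not-for-real-use"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, alg: str = "HS256") -> str:
    """Mint a token; alg is a parameter only so the checks below can build bad ones."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."  # unsigned token, must never verify
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


# One verifier per algorithm the client knows how to check.
VERIFIERS = {"HS256": verify_hs256}


def verify_token(token: str, allowed_algs=ALLOWED_ALGS):
    """Return the claims if the token verifies under an allowed algorithm, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    # The allowlist is the client's decision; the header only selects within it.
    if alg not in allowed_algs or alg not in VERIFIERS:
        return None
    if not VERIFIERS[alg](f"{header_b64}.{payload_b64}".encode(), sig):
        return None
    return json.loads(b64url_decode(payload_b64))
```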
abritinthebay
3124 days ago
Exactly! JWT is a much misunderstood system it seems. Though it doesn’t exactly help itself by being quite complex.